
Bug#310650: apache2-mpm-prefork: SSLUserName directive does not change REMOTE_USER



Package: apache2-mpm-prefork
Version: 2.0.54-4
Severity: important


Up until yesterday I was using the configuration setting:

        <Directory /soma/www/cgi-bin>

          SSLRequireSSL
          SSLVerifyClient require
          SSLVerifyDepth       5
          SSLOptions           +FakeBasicAuth
          SSLUserName   SSL_CLIENT_S_DN_Email
          AuthName             "Soma Authentication"
          AuthType             Basic
          AuthUserFile         /soma/projects/soma/httpd.password
          require              valid-user

        </Directory>

and Apache would rewrite the REMOTE_USER environment variable to be the e-mail address included in the client cert. According to the Apache docs, this is the expected behavior.

However, after an apt-get upgrade, this behavior no longer works, and instead REMOTE_USER is always the full DN of the cert. 

I have tested this with both a CGI Perl script and two different test scripts under mod_python, so it appears to not be confined to either of those. Our entire authentication system was based on first validating certs against the httpd.password file using FakeBasicAuth and then passing on the e-mail address to our code as a unique ID for the user.

Has anyone else had this problem? I've also tried with other cert fields (such as CN) to no avail. 
Thanks!
		...Eric

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11.3-modulation-acpi
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
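
The following is an added example, not part of the original report or of Apache: an application-side resolver that derives the e-mail identity without depending on SSLUserName having rewritten REMOTE_USER, and fails closed when the DN is ambiguous. It assumes `SSLOptions +StdEnvVars` is enabled so that mod_ssl exports `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_Email`, and that the FakeBasicAuth user name is a slash-separated one-line DN; the function names and sample DNs are hypothetical.

```python
# Added example: resolve the user's e-mail identity without relying on
# SSLUserName having rewritten REMOTE_USER.
# Assumptions: SSLOptions +StdEnvVars exports the SSL_CLIENT_* variables, and
# the FakeBasicAuth user name is a slash-separated one-line DN.

EMAIL_KEYS = ("emailAddress", "Email")  # attribute names used for the e-mail RDN


def emails_in_dn(dn):
    """Return every e-mail value found in a slash-separated one-line DN."""
    found = []
    for part in dn.split("/"):
        key, sep, value = part.partition("=")
        if sep and key in EMAIL_KEYS and value:
            found.append(value)
    return found


def resolve_user(environ):
    """Return (user_id, source); raise LookupError rather than guess."""
    # Preferred: the field mod_ssl exports itself, only for a verified cert.
    if environ.get("SSL_CLIENT_VERIFY") == "SUCCESS":
        email = environ.get("SSL_CLIENT_S_DN_Email")
        if email:
            return email, "SSL_CLIENT_S_DN_Email"
    remote_user = environ.get("REMOTE_USER", "")
    if not remote_user:
        raise LookupError("no authenticated user in environment")
    if not remote_user.startswith("/"):
        # SSLUserName took effect: REMOTE_USER is already the chosen field.
        return remote_user, "REMOTE_USER"
    # REMOTE_USER is the full DN. Splitting on "/" is ambiguous when another
    # field's value contains "/emailAddress=...", so accept exactly one match.
    emails = emails_in_dn(remote_user)
    if len(emails) != 1:
        raise LookupError("expected one e-mail in DN, found %d" % len(emails))
    return emails[0], "REMOTE_USER (parsed from DN)"


# Constructed sample DNs (not taken from the report).
SAMPLE_DN = "/C=US/O=Example/CN=Test User/emailAddress=user@example.org"
AMBIGUOUS_DN = "/C=US/CN=x/emailAddress=admin@example.org/emailAddress=user@example.org"

if __name__ == "__main__":
    print(resolve_user({"REMOTE_USER": SAMPLE_DN}))
```

Logging the returned source alongside the user ID shows which requests still arrive with the full DN in REMOTE_USER.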


