[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#310650: apache2-mpm-prefork: SSLUserName directive does not change REMOTE_USER

Package: apache2-mpm-prefork
Version: 2.0.54-4
Severity: important

Up until yesterday I was using the configuration setting:

        <Directory /soma/www/cgi-bin>

          SSLVerifyClient require
          SSLVerifyDepth       5
          SSLOptions           +FakeBasicAuth
          SSLUserName   SSL_CLIENT_S_DN_Email
          AuthName             "Soma Authentication"
          AuthType             Basic
          AuthUserFile         /soma/projects/soma/httpd.password
          require              valid-user


and Apache would rewrite the REMOTE_USER environment variable to be the e-mail address included in the client cert. According to the apache docs, this is the expected behavior. 

However, after an apt-get upgrade, this behavior no longer works, and instead REMOTE_USER is always the full DN of the cert. 

I have tested this with both a cgi perl script and two different test scripts under mod_python, so it appears to not be confined to either of those. Our entire authentication system was based on first validating certs against the httpd.password file using fakebasic auth and then passing on the E-mail address to our code as a unique ID for the user.

Has anyone else had this problem? I've also tried with other cert fields (such as CN) to no avail. 

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Reply to: