New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
response.c: set SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN #63
Conversation
7027605
to
48a9262
Compare
} | ||
buffer_copy_buffer(ds->value, envds->value); | ||
} | ||
array_insert_unique(con->environment, (data_unset *)envds); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is there any reason why this is not further up with the code which fills in envds?
I added a couple comments inline to the diff. Please review. I presume that you are using Apache names of SSL_* vars as the convention to follow. While on the subject, of variables, how do you think the values should be encoded? Please see the paragraphs below the env var table in the Environment Variables section, as well as the SSLOptions LegacyDNSStringFormat. What do you think? https://httpd.apache.org/docs/2.4/mod/mod_ssl.html |
19b1832
to
7294e5a
Compare
SSL_CLIENT_VERIFY is set to "NONE", "SUCCESS" or "FAILED:reason". This is compatible with Apache's mod_ssl variable of the same name. SSL_CLIENT_S_DN is set to the oneline version of the client certificate subject's distinguished name and may be used as a setting for the ssl.verifyclient.username config option. When Apache's mod_ssl is configured to use 'FakeBasicAuth' it uses the SSL_CLIENT_S_DN value for the username (that ultimately may end up in REMOTE_USER). The value that will be set for SSL_CLIENT_S_DN may be determined using the `openssl x509 -noout -subject -in <cert.pem>` command. Signed-off-by: Kyle J. McKay
1 similar comment
return; | ||
} | ||
|
||
buffer_copy_string(ds_cv->value, "SUCCESS"); | ||
array_insert_unique(con->environment, (data_unset *)ds_cv); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
above two lines should be part of the SSL_get_verify_result() condition block above to show that the outcome of the test sets SSL_CLIENT_VERIFY depending on the outcome of the condition test.
array_set_key_value() should be preferred over array_insert_unique() when it is desirable to replace an existing entry, if it exists, rather than having it handled by data_string insert_dup(), and perform a list append (combining the values with ", ") (And yes, other code should be modified, too, but that should be handled in a separate pull request)
The manpage for X509_NAME_oneline() says: Please consider using X509_NAME_print_ex() and propose a reasonable set of flags for a consistent and still-useful result. |
SSL_CLIENT_VERIFY is set to "NONE", "SUCCESS" or "FAILED:reason".
This is compatible with Apache's mod_ssl variable of the same name.
SSL_CLIENT_S_DN is set to the oneline version of the client certificate
subject's distinguished name and may be used as a setting for the
ssl.verifyclient.username config option. When Apache's mod_ssl is
configured to use 'FakeBasicAuth' it uses the SSL_CLIENT_S_DN value for
the username (that ultimately may end up in REMOTE_USER). The value
that will be set for SSL_CLIENT_S_DN may be determined using the
openssl x509 -noout -subject -in <cert.pem>
command.Signed-off-by: Kyle J. McKay