Edgewall Software

Opened 8 years ago

Last modified 15 months ago

#6982 new enhancement

x509 with friendly name support

Reported by: dirkx@… Owned by:
Priority: normal Milestone: unscheduled
Component: web frontend Version:
Severity: normal Keywords: x509 httpd.conf pki
Cc: dirkx@…, Ryan J Ollos
Release Notes:
API Changes:


Below is a small patch for those using x509 support - e.g. an apache config as below to allow access based on x509 certs. The reason for doing this is that otherwise the strings shown become very long and unwieldy.

One item of note - in a lot of sites the x509 contains the email address; in a lot of other non x509 (e.g. htpasswd sites) the userid can be combined with some FQDN to become the user their valid email address. Hence it may be useful to at some point add an extra field, email, to the current interface.

Note that this is NOT the same as using


(See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername) in your httpd.conf - as with this feature we try to preserve all captured information (i.e. full DN in svn, so we can do XS controls and do this over many years - where the CN may well not be unique).

See test/example config below.
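The mapping the ticket describes, as an added example that is not the attached patch and not Trac's own code: the web server hands the application the full client-certificate subject DN (with mod_ssl, `SSLUserName SSL_CLIENT_S_DN` puts it in REMOTE_USER), the application keeps that DN as the stable user id, and a short display name (the CN) plus the e-mail (emailAddress) are derived from it rather than replacing it. The function names, the `resolve_user` environ shape and the sample DN are assumptions made for illustration; the parser assumes the two DN layouts mod_ssl can emit, the legacy slash form (`/C=NL/O=Example/CN=Alice`) and the RFC 2253 comma form (`CN=Alice,O=Example,C=NL`), and does not handle multi-valued RDNs joined with `+`.

```python
"""Derive a friendly name and e-mail from an X.509 subject DN without losing the DN.

Added example (not the ticket's patch, not Trac code).  The full DN stays the
primary key, as the ticket wants; CN and e-mail are display attributes only.
"""

# OpenSSL spells the e-mail attribute "emailAddress"; some RFC 2253 printers use "E".
_EMAIL_ATTRS = ("emailAddress", "E", "Email")


def _split_unescaped(text, sep):
    """Split ``text`` on ``sep``, honouring backslash escapes (e.g. ``\\,``)."""
    parts, buf, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])      # keep the escaped character literally
            i += 2
            continue
        if ch == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return the DN as an ordered list of (attribute, value) pairs.

    The legacy slash form lists the most significant RDN first (/C=../CN=..),
    the RFC 2253 form the least significant first (CN=..,C=..).  Both are
    normalised to RFC 2253 order (CN first) so callers see one layout.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        rdns = _split_unescaped(dn[1:], "/")
        rdns.reverse()
    else:
        rdns = _split_unescaped(dn, ",")
    pairs = []
    for rdn in rdns:
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), value.strip()))
    return pairs


def friendly_name(dn):
    """Short name for display: the first CN, else the whole DN (never empty)."""
    for attr, value in parse_dn(dn):
        if attr.upper() == "CN":
            return value
    return dn


def email_from_dn(dn):
    """E-mail carried in the certificate subject, or None if it has none."""
    for attr, value in parse_dn(dn):
        if attr in _EMAIL_ATTRS:
            return value
    return None


def resolve_user(environ):
    """What a LoginModule subclass would do with the request environment.

    ``sid`` is the full DN (stable across CN collisions and re-issued certs);
    ``name`` and ``email`` are derived.  Returns None without a cert identity.
    """
    dn = environ.get("REMOTE_USER") or environ.get("SSL_CLIENT_S_DN")
    if not dn:
        return None
    return {"sid": dn, "name": friendly_name(dn), "email": email_from_dn(dn)}


# Constructed sample of what mod_ssl would pass after ``SSLVerifyClient require``
# and ``SSLUserName SSL_CLIENT_S_DN``; not a real certificate or user.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "/C=NL/O=Example Org/OU=Dev, Ops/CN=Alice Example"
                   "/emailAddress=alice@example.org",
}

if __name__ == "__main__":
    print(resolve_user(SAMPLE_ENVIRON))
```

The OU value in the sample deliberately contains a comma: splitting the legacy form on `/` (and the RFC 2253 form only on unescaped `,`) is what keeps such values intact, and keeping the untouched DN as `sid` is what lets an access-control list in Subversion and an access-control list in the web frontend refer to the same principal even when two certificates share a CN.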


Attachments (3)

setup-ca.sh (1.4 KB) - added by dirkx@… 8 years ago.
Script to setup a root ca, server certificate and client test certificate
x509-strip-patch.txt (1.6 KB) - added by dirkx@… 8 years ago.
x509 patch against trunk (r6673)
httpd-snippet.txt (1.8 KB) - added by dirkx@… 8 years ago.
httpd.conf snippet to test the patch


Change History (10)

Changed 8 years ago by dirkx@…

Script to setup a root ca, server certificate and client test certificate

Changed 8 years ago by dirkx@…

x509 patch against trunk (r6673)

Changed 8 years ago by dirkx@…

httpd.conf snippet to test the patch

comment:1 Changed 7 years ago by lippold@…


I was just wondering if this patch was applied to the 0.11 codebase?



comment:2 Changed 7 years ago by Noah Kantrowitz

No, nor would I think it will be. This is a pretty rare use case, and probably should be a plugin. Just subclass LoginModule.

comment:3 Changed 7 years ago by aaronlippold


Ok. How about things like the user/group database and or roles db?

I assume that the userid is an independent primary key that maps to the "pretty user name" so no changes would need to be made or am I incorrect? Thus, groups, roles, etc could remain oblivious to the fact that a SC CN was used to identify and validate the user and populate the user session object, etc etc.

If this isn't the case, I assume some more subclassing could fix it up?

Also, given that SVN can now grok x509 data, what module would need to be subclassed to pass the known user smart card CN to the login data for the SVN server?



comment:4 Changed 7 years ago by Remy Blank

  • Milestone set to 2.0

comment:5 Changed 6 years ago by Ryan Ollos <ryano@…>

  • Cc ryano@… added

comment:6 Changed 5 years ago by Christian Boos

  • Milestone changed from 2.0 to unscheduled

Milestone 2.0 deleted

comment:8 Changed 15 months ago by Ryan J Ollos

  • Cc Ryan J Ollos added; ryano@… removed
