Edgewall Software

Opened 7 years ago

Last modified 3 months ago

#6982 new enhancement

x509 with friendly name support

Reported by: dirkx@…
Owned by:
Priority: normal
Milestone: unscheduled
Component: web frontend
Version:
Severity: normal
Keywords: x509 httpd.conf pki
Cc: dirkx@…, rjollos
Release Notes:
API Changes:

Description

Below is a small patch for those using x509 support - e.g. an apache config as below to allow access based on x509 certs. The reason for doing this is that otherwise the strings shown become very long and unwieldy.

One item of note - in a lot of sites the x509 contains the email address; in a lot of other non-x509 (e.g. htpasswd) sites the userid can be combined with some FQDN to become the user's valid email address. Hence it may be useful to at some point add an extra field, email, to the current interface.

Note that this is NOT the same as using

SSLUserName SSL_CLIENT_S_DN_CN

(See http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername) in your httpd.conf - as with this feature we try to preserve all captured information (i.e. full DN in svn, so we can do XS controls and do this over many years - where the CN may well be not unique).

See test/example config below.

Dw.
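The idea the ticket describes (show a short friendly name, but keep the full DN as the stable userid so authz rules keep working even where CNs are not unique), as an added stand-alone Python example; this is not the attached patch and not Trac code. It assumes the subject DN arrives in the form Apache puts in SSL_CLIENT_S_DN, either the legacy slash-separated string or the RFC 2253 comma-separated one; the sample DNs are constructed.

```python
"""Derive a friendly display name and e-mail from an x509 subject DN
while keeping the full DN as the user identifier (added example)."""
import re

# Assumed input formats (values may escape the separator with a backslash):
#   legacy Apache:  /C=NL/O=Example Org/CN=Dirk/emailAddress=dirkx@example.org
#   RFC 2253:       CN=Dirk,O=Example Org,C=NL
_LEGACY_RE = re.compile(r'/([A-Za-z0-9.]+)=((?:\\.|[^/\\])*)')
_RFC2253_RE = re.compile(r'(?:^|,)\s*([A-Za-z0-9.]+)=((?:\\.|[^,\\])*)')


def parse_dn(dn):
    """Return (attribute, value) pairs in the order they appear in the DN."""
    regex = _LEGACY_RE if dn.startswith('/') else _RFC2253_RE
    pairs = []
    for attr, value in regex.findall(dn):
        # Drop the backslash escapes so "a\/b" becomes "a/b".
        pairs.append((attr, re.sub(r'\\(.)', r'\1', value).strip()))
    return pairs


def friendly_name(dn):
    """Short name for the UI: CN, else e-mail, else the full DN itself."""
    attrs = dict(parse_dn(dn))
    return attrs.get('CN') or email_address(dn) or dn


def email_address(dn):
    """E-mail from the DN, if the certificate carries one (None otherwise)."""
    attrs = dict(parse_dn(dn))
    return attrs.get('emailAddress') or attrs.get('E')


def identify(dn):
    """Map a DN to (userid, name, email). The userid stays the full DN so
    access control keeps distinguishing two users who share a CN."""
    return (dn, friendly_name(dn), email_address(dn))
```

Only the name and e-mail are meant for display; anything that grants access should still compare the full DN returned as the first element.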

Attachments (3)

setup-ca.sh (1.4 KB) - added by dirkx@… 7 years ago.
Script to setup a root ca, server certificate and client test certificate
x509-strip-patch.txt (1.6 KB) - added by dirkx@… 7 years ago.
x509 patch against trunk (r6673)
httpd-snippet.txt (1.8 KB) - added by dirkx@… 7 years ago.
httpd.conf snippet to test the patch


Change History (10)

Changed 7 years ago by dirkx@…

Script to setup a root ca, server certificate and client test certificate

Changed 7 years ago by dirkx@…

x509 patch against trunk (r6673)

Changed 7 years ago by dirkx@…

httpd.conf snippet to test the patch

comment:1 Changed 6 years ago by lippold@…

Hi,

I was just wondering if this patch was applied to the 0.11 codebase?

Thanks,

Aaron

comment:2 Changed 6 years ago by nkantrowitz

No, nor would I think it will be. This is a pretty rare use case, and probably should be a plugin. Just subclass LoginModule.

comment:3 Changed 6 years ago by aaronlippold

Hi,

Ok. How about things like the user/group database and/or roles db?

I assume that the userid is an independent primary key that maps to the "pretty user name" so no changes would need to be made or am I incorrect? Thus, groups, roles, etc could remain oblivious to the fact that a SC CN was used to identify and validate the user and populate the user session object, etc etc.

If this isn't the case, I assume some more subclassing could fix it up?

Also, given that SVN can now grok x509 data, what module would need to be subclassed to pass the known user smart card CN to the login data for the SVN server?

Thanks,

Aaron

comment:4 Changed 6 years ago by rblank

  • Milestone set to 2.0

comment:5 Changed 5 years ago by Ryan Ollos <ryano@…>

  • Cc ryano@… added

comment:6 Changed 5 years ago by cboos

  • Milestone changed from 2.0 to unscheduled

Milestone 2.0 deleted

comment:8 Changed 3 months ago by rjollos

  • Cc rjollos added; ryano@… removed
