
en - Re: [sympa-users] how to export SSL_CLIENT_S_EMAIL

Subject: The mailing list for listmasters using Sympa

  • From: Riccardo Veraldi <address@concealed>
  • To: Dominique Launay <address@concealed>
  • Cc: address@concealed
  • Subject: Re: [sympa-users] how to export SSL_CLIENT_S_EMAIL
  • Date: Wed, 25 Oct 2006 15:57:01 +0200

Not really. In Sympa 5.2.2 this was fixed with a Perl patch, but the problem is that
mod_ssl does not export that variable anymore.
Otherwise you can patch mod_ssl; this patch is provided by Christian Mock:

diff -ru libapache-mod-ssl-2.8.9-coretec1/pkg.ssldoc/ssl_reference.wml libapache-mod-ssl-2.8.9/pkg.ssldoc/ssl_reference.wml
--- libapache-mod-ssl-2.8.9-coretec1/pkg.ssldoc/ssl_reference.wml 2003-01-27 18:54:21.000000000 +0100
+++ libapache-mod-ssl-2.8.9/pkg.ssldoc/ssl_reference.wml 2000-10-16 17:53:47.000000000 +0200
@@ -1485,7 +1485,7 @@
SSL_CLIENT_A_KEY SSL_SERVER_A_KEY SSL_CLIENT_CERT SSL_SERVER_CERT SSL_CLIENT_CERT_CHAIN<b>n</b>
- SSL_CLIENT_VERIFY SSL_CLIENT_S_EMAIL
+ SSL_CLIENT_VERIFY
</pre>
</td></tr></table>
</float>
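Review bot: The file headers above this hunk put the coretec1 tree on the `---` side and the plain 2.8.9 tree on the `+++` side, so `SSL_CLIENT_S_EMAIL` appears as a removal here and in every later hunk. As posted, the patch will not add the variable to a stock tree; regenerate the diff with stock 2.8.9 as the old side, or state in the mail that it has to be applied in reverse (`patch -R`).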
@@ -1545,7 +1545,6 @@
<tr id=D><td><code>SSL_SERVER_A_SIG</code></td> <td>string</td> <td>Algorithm used for the signature of server's certificate</td></tr>
<tr id=H><td><code>SSL_SERVER_A_KEY</code></td> <td>string</td> <td>Algorithm used for the public key of server's certificate</td></tr>
<tr id=D><td><code>SSL_SERVER_CERT</code></td> <td>string</td> <td>PEM-encoded server certificate</td></tr>
-<tr id=H><td><code>SSL_CLIENT_S_EMAIL</code></td> <td>string</td> <td>Email addresses from the X509v3 SubjectAlternativeName (separated with ",")</td></tr>
</table>
[ where <em>x509</em> is a component of a X.509 DN:
<code>C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email</code> ]
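Review bot: The table row for `SSL_CLIENT_S_EMAIL` documents the value as a list 'separated with ","' but does not say that it can hold more than one address or what it contains when the certificate carries none. Add both to the description, so that an application comparing the variable with a single address splits it first instead of matching on the joined string.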
diff -ru libapache-mod-ssl-2.8.9-coretec1/pkg.sslmod/ssl_engine_kernel.c libapache-mod-ssl-2.8.9/pkg.sslmod/ssl_engine_kernel.c
--- libapache-mod-ssl-2.8.9-coretec1/pkg.sslmod/ssl_engine_kernel.c 2003-01-27 18:54:21.000000000 +0100
+++ libapache-mod-ssl-2.8.9/pkg.sslmod/ssl_engine_kernel.c 2004-08-26 14:56:55.000000000 +0200
@@ -1229,7 +1227,6 @@
"SSL_CLIENT_S_DN_D",
"SSL_CLIENT_S_DN_UID",
"SSL_CLIENT_S_DN_Email",
- "SSL_CLIENT_S_EMAIL",
"SSL_CLIENT_I_DN",
"SSL_CLIENT_I_DN_C",
"SSL_CLIENT_I_DN_ST",
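Review bot: The header `@@ -1229,7 +1227,6 @@` starts two lines earlier on the new side, yet this is the first hunk shown for ssl_engine_kernel.c; in the other two files the start offsets agree with the hunks shown. An earlier hunk of this file looks to have been left out of the posting, so either include it or regenerate the diff between trees that differ only in the S_EMAIL change.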
diff -ru libapache-mod-ssl-2.8.9-coretec1/pkg.sslmod/ssl_engine_vars.c libapache-mod-ssl-2.8.9/pkg.sslmod/ssl_engine_vars.c
--- libapache-mod-ssl-2.8.9-coretec1/pkg.sslmod/ssl_engine_vars.c 2003-01-27 18:54:21.000000000 +0100
+++ libapache-mod-ssl-2.8.9/pkg.sslmod/ssl_engine_vars.c 2002-06-19 11:11:58.000000000 +0200
@@ -329,9 +329,8 @@
char *result;
BOOL resdup;
X509_NAME *xsname;
- int nid, i;
+ int nid;
char *cp;
- STACK *emlst;

result = NULL;
resdup = TRUE;
@@ -356,16 +355,6 @@
free(cp);
resdup = FALSE;
}
- else if (strcEQ(var, "S_EMAIL")) {
- emlst = X509_get1_email(xs);
- if(sk_num(emlst) >= 1) {
- result = ap_pstrdup(p, sk_value(emlst, 0));
- resdup = FALSE;
- for (i = 1; i < sk_num(emlst); i++)
- result = ap_pstrcat(p, result, ",", sk_value(emlst, i), NULL);
- }
- X509_email_free(emlst);
- }
else if (strlen(var) > 5 && strcEQn(var, "S_DN_", 5)) {
xsname = X509_get_subject_name(xs);
result = ssl_var_lookup_ssl_cert_dn(p, xsname, var+5);
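Review bot: In the `S_EMAIL` branch the entries from `X509_get1_email(xs)` are joined with `ap_pstrcat(p, result, ",", sk_value(emlst, i), NULL)` without checking that an entry contains no comma itself, so a consumer that splits on "," cannot tell one certificate-supplied address from two. Skip or reject entries containing "," (or export one variable per address), and test `emlst` for NULL explicitly before calling `sk_num(emlst)`.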


Rick


Dominique Launay wrote:
> On 09/29/2006 09:03 PM, Riccardo Veraldi wrote:
>> Hello,
>> does anyone know how I can export the SSL_CLIENT_S_EMAIL variable in Apache
>> using mod_ssl?
>> This variable is needed by Sympa so that X509 authentication can happen...
>> This variable is not exported by mod_ssl. I am using apache-2.2.3,
>> Sympa 5.2.2 on FreeBSD.
>>
>> Thanks a lot
>>
>> Rick
> Isn't it SSL_CLIENT_S_DN_Email?
> Using this variable $ENV{SSL_CLIENT_S_DN_Email} everything should be OK
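
One way a CGI application could read the two variables discussed in this thread, as an added example that is not part of the original messages and not Sympa's own code. `cert_emails` is a hypothetical helper, the sample environments are constructed, and the address syntax check is a deliberately narrow assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not Sympa code): return the e-mail identities a
# client certificate asserts, as seen through mod_ssl's CGI environment.
sub cert_emails {
    my (%env) = @_;

    # Use certificate fields only when mod_ssl reports a verified chain.
    return () unless defined $env{SSL_CLIENT_VERIFY}
                  && $env{SSL_CLIENT_VERIFY} eq 'SUCCESS';

    # Prefer the patched, comma-separated variable; fall back to the
    # subject DN attribute that an unpatched mod_ssl exports.
    my $raw = $env{SSL_CLIENT_S_EMAIL};
    $raw = $env{SSL_CLIENT_S_DN_Email} unless defined $raw && length $raw;
    return () unless defined $raw;

    my (%seen, @out);
    for my $addr (split /,/, $raw) {
        $addr =~ s/^\s+|\s+$//g;
        # Assumption: accept plain addr-spec only. \z (not $) also rejects
        # a trailing newline; anything else is dropped, never repaired.
        next unless $addr =~ /\A[A-Za-z0-9._%+-]+\@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\z/;
        $addr = lc $addr;
        push @out, $addr unless $seen{$addr}++;
    }
    return @out;
}

# Constructed sample environments (not captured from a real server).
my @samples = (
    { SSL_CLIENT_VERIFY  => 'SUCCESS',
      SSL_CLIENT_S_EMAIL => 'Rick@example.org,rick@lists.example.org' },
    { SSL_CLIENT_VERIFY     => 'SUCCESS',
      SSL_CLIENT_S_DN_Email => 'rick@example.org' },
    { SSL_CLIENT_VERIFY  => 'NONE',
      SSL_CLIENT_S_EMAIL => 'rick@example.org' },
    { SSL_CLIENT_VERIFY  => 'SUCCESS',
      SSL_CLIENT_S_EMAIL => "rick\@example.org\nX-Injected: 1" },
);

for my $env (@samples) {
    my @emails = cert_emails(%$env);
    my $line = @emails ? join(' ', @emails) : '(no usable identity)';
    print "$line\n";
}
```

The third and fourth samples yield no identity: the first because the certificate was not verified, the second because the value carries an embedded newline.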




