Summary: Mod_SSL does not set AUTH_TYPE with client certificate authentication
Product: Apache httpd-2
Component: mod_ssl
Reporter: Emmanuel Fusté <emmanuel.fuste>
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Description Emmanuel Fusté 2008-05-21 08:43:31 UTC
Even when using the "SSLVerifyClient require" directive, AUTH_TYPE is not set. As standard env variables cannot be modified by the SetEnv or RewriteRule directives, I could not set AUTH_TYPE to Certificate to pass it to an application using AJP. (This is to migrate an application from Iplanet to Apache without modifications.)
Comment 1 Emmanuel Fusté 2008-05-22 05:02:15 UTC
(In reply to comment #0)
> Even when using "SSLVerifyClient require" directive,
> AUTH_TYPE is not set.
> As standard env variable could not be modified by SetEnv or RewriteRule
> directive, I could not set AUTH_TYPE to Certificate to pass it to an
> application using AJP.

AUTH_TYPE is SSL with Iplanet.
Comment 2 Christoph Anton Mitterer 2013-03-18 22:36:24 UTC
AFAIU it's not exactly defined at which level AUTH_TYPE specifies the type... RFC 3875 says:

    4.1.1. AUTH_TYPE

    The AUTH_TYPE variable identifies any mechanism used by the server to authenticate the user. It contains a case-insensitive value defined by the client protocol or server implementation.

    For HTTP, if the client request required authentication for external access, then the server MUST set the value of this variable from the 'auth-scheme' token in the request Authorization header field.

        AUTH_TYPE      = "" | auth-scheme
        auth-scheme    = "Basic" | "Digest" | extension-auth
        extension-auth = token

    HTTP access authentication schemes are described in RFC 2617.

One might take the HTTP literally, i.e. "not HTTPS"... but again... this is just one possible interpretation.

The problem is that more than one authentication type could have taken place, e.g. first SSL client certificate login... and afterwards HTTP Basic Auth... and there's currently no way to specify a list of authentication types that have taken place.
Comment 3 Christoph Anton Mitterer 2013-03-18 23:07:30 UTC
I've reported a request to the editors of the CGI specification, where I present two possible solutions to deal with the problem from the standard side: http://www.rfc-editor.org/errata_search.php?eid=3556

To comment on Emmanuel's original idea of having AUTH_TYPE set to e.g. "Certificate"... IMHO that's a bad idea; especially using a non-standardised type name will sooner or later cause trouble.

Further, I increased the severity to "normal". IMHO this is not only an enhancement... in the real world, many CGI programs depend on AUTH_TYPE... and it's very common to e.g. use SSL/TLS client auth + fakeBasicAuth with them... but now those programs won't realise... that BasicAuth information is present, and fail.

For that reason, may I ask the mod_ssl maintainers to think about intermediate solutions (until the standard might be updated)? One possibility would be to simply set the AUTH_TYPE as if SSL wasn't used... This is surely not a clean solution, but will probably work in all scenarios, as no one expects AUTH_TYPE to contain SSL/TLS related info (it never did). Another way would be adding a new directive that allows specifying the behaviour of AUTH_TYPE when it was used with SSL.

Cheers,
Chris.
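The failure mode described in the two comments above (a CGI program that trusts AUTH_TYPE alone sees nothing after a certificate login, and there is no way to express that both a certificate and HTTP Basic auth took place), shown as an added example that is not part of the bug report or of mod_ssl. It assumes the CGI runs behind mod_ssl with "SSLOptions +StdEnvVars" so that SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN are exported; the environments are constructed, and the "SSL-Client-Cert" label is an arbitrary choice of this example, not a standard auth-scheme.

```python
# Constructed sample environments (not captured from a real server), one per
# configuration the thread discusses; SSL_* names are mod_ssl's exported variables.
ENV_CERT_ONLY = {          # "SSLVerifyClient require", no HTTP auth: AUTH_TYPE missing
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=FR/O=Example/CN=Emmanuel",
}
ENV_CERT_PLUS_BASIC = {    # client cert first, then HTTP Basic auth on top
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=FR/O=Example/CN=Emmanuel",
    "AUTH_TYPE": "Basic",
    "REMOTE_USER": "emmanuel",
}
ENV_CERT_REJECTED = {      # "SSLVerifyClient optional" with an untrusted certificate
    "HTTPS": "on",
    "SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate",
    "SSL_CLIENT_S_DN": "/C=XX/CN=bogus",
}
ENV_PLAIN_BASIC = {"AUTH_TYPE": "Basic", "REMOTE_USER": "alice"}


def naive_auth_type(env):
    """What a CGI program trusting AUTH_TYPE alone concludes ('' means no auth)."""
    return env.get("AUTH_TYPE", "").strip()


def auth_mechanisms(env):
    """Every mechanism that demonstrably succeeded, TLS layer first.

    A client certificate counts only when mod_ssl reports SUCCESS; a presented
    but rejected certificate (FAILED:...) or NONE must not pass as a login.
    """
    mechs = []
    if env.get("HTTPS") == "on" and env.get("SSL_CLIENT_VERIFY") == "SUCCESS":
        mechs.append("SSL-Client-Cert")  # label chosen here, not a standard auth-scheme
    scheme = naive_auth_type(env)
    if scheme:
        mechs.append(scheme)
    return mechs


def authenticated_principal(env):
    """REMOTE_USER when HTTP auth ran, else the verified cert subject, else None."""
    if naive_auth_type(env) and env.get("REMOTE_USER"):
        return env["REMOTE_USER"]
    if "SSL-Client-Cert" in auth_mechanisms(env):
        return env.get("SSL_CLIENT_S_DN")
    return None
```

In a real CGI the same functions are called with os.environ; the point is that ENV_CERT_ONLY yields an empty AUTH_TYPE even though the client was authenticated by certificate.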
Comment 4 Michael Osipov 2019-09-11 14:51:50 UTC
This looks like a trivial fix to perform: AUTH_TYPE = Cert or similar. Tomcat sets "CLIENT-CERT".
Comment 5 Michael Osipov 2019-09-11 15:09:31 UTC