Bug 45058 - Mod_SSL does not set AUTH_TYPE with client certificate authentication
Summary: Mod_SSL does not set AUTH_TYPE with client certificate authentication
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.5-HEAD
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-05-21 08:43 UTC by Emmanuel Fusté
Modified: 2019-09-11 15:09 UTC
Description Emmanuel Fusté 2008-05-21 08:43:31 UTC
Even when using the "SSLVerifyClient require" directive,
AUTH_TYPE is not set.
As a standard env variable cannot be modified by the SetEnv or RewriteRule directive, I could not set AUTH_TYPE to Certificate to pass it to an application using AJP.
(This is to migrate an application from iPlanet to Apache without modifications.)
Comment 1 Emmanuel Fusté 2008-05-22 05:02:15 UTC
(In reply to comment #0)
> Even when using "SSLVerifyClient require" directive,
> AUTH_TYPE is not set.
> As standard env variable could not be modified by SetEnv or RewriteRule
> directive, I could not set AUTH_TYPE to Certificate to pass it to an
> application using AJP.
AUTH_TYPE is SSL with iPlanet.
Comment 2 Christoph Anton Mitterer 2013-03-18 22:36:24 UTC
AFAIU it's not exactly defined at which level AUTH_TYPE specifies the type...

RFC 3875 says:
4.1.1.  AUTH_TYPE

   The AUTH_TYPE variable identifies any mechanism used by the server to
   authenticate the user.  It contains a case-insensitive value defined
   by the client protocol or server implementation.

   For HTTP, if the client request required authentication for external
   access, then the server MUST set the value of this variable from the
   'auth-scheme' token in the request Authorization header field.

      AUTH_TYPE      = "" | auth-scheme
      auth-scheme    = "Basic" | "Digest" | extension-auth
      extension-auth = token

   HTTP access authentication schemes are described in RFC 2617 [5].
One might take the HTTP literally i.e. "not HTTPS"... but again... this is just one possible interpretation.

The problem is that more than one authentication type could have taken place, e.g. first SSL client certificate login... and afterwards HTTP Basic Auth...
and there's currently no way to specify a list of authentication types that have taken place.
Comment 3 Christoph Anton Mitterer 2013-03-18 23:07:30 UTC
I've reported a request to the editors of the CGI specification, where I present two possible solutions to deal with the problem from the standard side:
http://www.rfc-editor.org/errata_search.php?eid=3556

To comment on Emmanuel's original idea of having AUTH_TYPE set to e.g. "Certificate"... IMHO that's a bad idea; especially using a non-standardised type name will sooner or later cause trouble.

Further, I increased the severity to "normal". IMHO this is not only an enhancement... in the real world, many CGI programs depend on AUTH_TYPE... and it's very common to e.g. use SSL/TLS client auth + FakeBasicAuth with them... but now those programs won't realise... that BasicAuth information is present, and fail.

For that reason, may I ask the mod_ssl maintainers to think about intermediate solutions (until the standard might be updated).

One possibility would be to simply set the AUTH_TYPE as if SSL wasn't used...
This is surely not a clean solution, but it will probably work in all scenarios, as no one expects AUTH_TYPE to contain SSL/TLS-related info (it never did).

Another way would be adding a new directive that allows specifying the behaviour of AUTH_TYPE when it is used with SSL.

Cheers,
Chris.
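The situation comments 2 and 3 describe, as an added example that is not part of the bug report or of httpd: a CGI-side check that derives the mechanisms which actually authenticated a request. Because mod_ssl leaves AUTH_TYPE unset for client-certificate authentication, the certificate part is taken from mod_ssl's SSL_CLIENT_VERIFY variable (exported with SSLOptions +StdEnvVars) and only the HTTP scheme from AUTH_TYPE; the sample environments are constructed, not captured from a server.

```python
import os

# Value mod_ssl exports in SSL_CLIENT_VERIFY when the client certificate was
# verified successfully (other values: NONE, GENEROUS, FAILED:<reason>).
CERT_VERIFIED = "SUCCESS"


def auth_mechanisms(env):
    """Return the authentication mechanisms that applied to a CGI request.

    `env` is a mapping such as os.environ. The TLS client certificate is
    detected via SSL_CLIENT_VERIFY, since mod_ssl does not record it in
    AUTH_TYPE; the HTTP scheme (Basic, Digest, ...) comes from AUTH_TYPE,
    which RFC 3875 defines as the case-insensitive auth-scheme token or "".
    The list is in the order the mechanisms ran: TLS handshake first.
    """
    mechanisms = []
    if env.get("SSL_CLIENT_VERIFY", "NONE") == CERT_VERIFIED:
        mechanisms.append("tls-client-cert")
    scheme = env.get("AUTH_TYPE", "").strip().lower()
    if scheme:
        mechanisms.append(scheme)
    return mechanisms


def cert_required(env):
    """Gate for a resource that must only be served after a verified client
    certificate. Testing AUTH_TYPE for "SSL" or "Certificate" instead would
    reject every request, because httpd never sets such a value."""
    return "tls-client-cert" in auth_mechanisms(env)


# Constructed sample environments (hypothetical values, not server captures).
ENV_CERT_ONLY = {"SSL_CLIENT_VERIFY": "SUCCESS"}            # SSLVerifyClient require
ENV_CERT_AND_FAKEBASIC = {"SSL_CLIENT_VERIFY": "SUCCESS",    # ... + FakeBasicAuth:
                          "AUTH_TYPE": "Basic",              # looks like Basic auth
                          "REMOTE_USER": "/CN=alice"}        # constructed subject DN
ENV_FAILED = {"SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate"}
ENV_PLAIN_BASIC = {"AUTH_TYPE": "Basic", "REMOTE_USER": "alice"}

if __name__ == "__main__":
    samples = [("cert only", ENV_CERT_ONLY), ("cert + FakeBasicAuth", ENV_CERT_AND_FAKEBASIC),
               ("failed cert", ENV_FAILED), ("plain basic", ENV_PLAIN_BASIC)]
    for name, env in samples:
        print(f"{name:22s} mechanisms={auth_mechanisms(env)} cert_required={cert_required(env)}")
    print("this process:", auth_mechanisms(os.environ))
```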
Comment 4 Michael Osipov 2019-09-11 14:51:50 UTC
This looks like a trivial fix to perform: AUTH_TYPE = Cert or similar. Tomcat sets "CLIENT-CERT".