According to RFC 5280, email address in the subject in certificates is deprecated in favor of alternative name in the certificate extension. http://tools.ietf.org/html/rfc5280#section-4.1.2.6 However, there is no way to get the mail address of the certificate in that way. Also, OpenSSL has changed its default configuration to not put the mail address into the subject. Can you add a way to retrieve that information in mod_ssl? Many thanks.
The deprecation of the PKCS#9 emailAddress attribute in the subject DN is actually due to RFCs 2632/3850/5750 (not 5280), but anyway, in r1650047, I have now implemented what I proposed in this thread on httpd-dev in May last year: https://mail-archives.apache.org/mod_mbox/httpd-dev/201405.mbox/%3C6F7A525D-9B6B-479D-B1B3-5AC3FFF48AD9%40sharp.fm%3E Specifically, you can get at the e-mail address(es) in the client certificate via SSL_CLIENT_SAN_Email_0 etc. The patch from r1650047 also applies to 2.4.x, so feel free to give it a try with 2.4.10. I'll wait a few days for review feedback and will then propose for backport to 2.4.x.
Thank you! I will make some usability tests to check if this solution works for us.
Proposed for backport to 2.4.x with r1656268.
Backported to 2.4.x in r1676087. To appear in 2.4.13.
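An added configuration example, not taken from the thread or from the httpd project: one way to consume the SSL_CLIENT_SAN_Email_0 variable mentioned above on httpd 2.4.13 or later, passing the verified address to a backend. The host name, file paths, backend URL and the X-Client-Cert-Email header name are assumptions.

```apache
# Constructed example: host name, paths, backend address and header name
# are placeholders, not values from the bug report.
<VirtualHost *:443>
    ServerName app.example.org

    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/server.crt
    SSLCertificateKeyFile /etc/httpd/tls/server.key

    # Only accept client certificates that chain to this CA; the SAN
    # values are only trustworthy because the certificate was verified.
    SSLCACertificateFile  /etc/httpd/tls/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    <Location "/app/">
        # "set" replaces any X-Client-Cert-Email header the client sent
        # itself, so the backend only ever sees the value mod_ssl read
        # from the first rfc822Name entry of subjectAltName.
        # %{VARNAME}s is the mod_headers format specifier for mod_ssl
        # variables (requires mod_headers and mod_ssl to be loaded).
        RequestHeader set X-Client-Cert-Email "%{SSL_CLIENT_SAN_Email_0}s"

        # If the certificate carries no e-mail SAN, mod_headers inserts
        # the literal string "(null)"; the backend must treat that as
        # "no address" rather than as an identity.
        ProxyPass "http://127.0.0.1:8080/app/"
    </Location>
</VirtualHost>
```

Further addresses in the same certificate appear as SSL_CLIENT_SAN_Email_1 and so on; the backend should accept this header only from the proxy's address.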