|
 |
90ca4f |
The first fix is to retrieve the full certificate subject instead of just the
|
|
|
90ca4f |
CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL.
|
|
|
90ca4f |
|
|
|
90ca4f |
The second always attempts to retrieve the client certificate in
|
|
|
90ca4f |
nss_hook_ReadReq().
|
|
|
90ca4f |
|
|
|
90ca4f |
https://bugzilla.redhat.com/show_bug.cgi?id=702437
|
|
|
90ca4f |
--- mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-10 15:45:49.000000000 -0400
|
|
|
90ca4f |
+++ mod_nss-1.0.8.orig/nss_engine_io.c 2011-05-11 15:21:30.000000000 -0400
|
|
|
90ca4f |
@@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes
|
|
|
90ca4f |
|
|
|
90ca4f |
status = SSL_AuthCertificate(arg, socket, checksig, isServer);
|
|
|
90ca4f |
|
|
|
90ca4f |
- if (status == SECSuccess) {
|
|
|
90ca4f |
- conn_rec *c = filter_ctx->c;
|
|
|
90ca4f |
- SSLConnRec *sslconn = myConnConfig(c);
|
|
|
90ca4f |
-
|
|
|
90ca4f |
- sslconn->client_cert = SSL_PeerCertificate(socket);
|
|
|
90ca4f |
- sslconn->client_dn = NULL;
|
|
|
90ca4f |
- }
|
|
|
90ca4f |
+ /* The certificate is copied to sslconn->client_cert in
|
|
|
90ca4f |
+ * nss_hook_ReadReq()
|
|
|
90ca4f |
+ */
|
|
|
90ca4f |
|
|
|
90ca4f |
return status;
|
|
|
90ca4f |
}
|
|
|
90ca4f |
--- mod_nss-1.0.8.orig/nss_engine_kernel.c 2007-05-31 17:36:03.000000000 -0400
|
|
|
90ca4f |
+++ mod_nss-1.0.8.orig/nss_engine_kernel.c 2011-05-11 15:30:38.000000000 -0400
|
|
|
90ca4f |
@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
|
|
|
90ca4f |
nss_util_vhostid(r->pool, r->server));
|
|
|
90ca4f |
}
|
|
|
90ca4f |
|
|
|
90ca4f |
+ if (sslconn->client_cert != NULL)
|
|
|
90ca4f |
+ CERT_DestroyCertificate(sslconn->client_cert);
|
|
|
90ca4f |
+ sslconn->client_cert = SSL_PeerCertificate(ssl);
|
|
|
90ca4f |
+ sslconn->client_dn = NULL;
|
|
|
90ca4f |
+
|
|
|
90ca4f |
return DECLINED;
|
|
|
90ca4f |
}
|
|
|
90ca4f |
|
|
|
90ca4f |
@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
|
|
|
90ca4f |
}
|
|
|
90ca4f |
|
|
|
90ca4f |
if (!sslconn->client_dn) {
|
|
|
90ca4f |
- char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
|
|
|
90ca4f |
- sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
|
|
|
90ca4f |
+ char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
|
|
|
90ca4f |
+ sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
|
|
|
90ca4f |
PORT_Free(cp);
|
|
|
90ca4f |
}
|