FakeBasicAuth can produce bad HTTP userid if certificate DN contains a colon
Issue
- FakeBasicAuth can produce bad HTTP userid if certificate DN contains a colon
- I'm using mod_nss with NSSOptions +FakeBasicAuth. Client certificates are required in order to connect to my webserver (NSSVerifyClient require). So normally someone connects with a certificate having distinguished name CN=Joe, OU=Bla, O=Company, C=US, and the HTTP basic authorization username is "/CN=Joe,OU=Bla,O=Company,C=US". So far, so good. But now I have a user whose certificate DN is something like CN=Joe:A000123, OU=Bla, O=Company, C=US, i.e. it contains a colon. His HTTP basic authorization username, once FakeBasicAuth is done with its work, is "/CN=Joe", i.e. the username is truncated before the colon. Then he can't get in, because my database doesn't contain any users named solely "/CN=Joe".
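
The truncation described above follows from the Basic credential format, where the user-id ends at the first colon. The following sketch is an added example, not mod_nss code: it builds the faked header from a subject DN, decodes it as an authentication backend would, and reports DNs that do not survive the round trip. The fixed password value, the function names and the sample DNs are assumptions made for illustration.

```python
import base64

# Assumption: the fake header carries a fixed placeholder password.
FAKE_PASSWORD = "password"


def fake_basic_header(subject_dn):
    """Build 'Basic base64(<dn>:<password>)' from a certificate subject DN."""
    raw = "{}:{}".format(subject_dn, FAKE_PASSWORD).encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value):
    """Decode a Basic credential; the user-id ends at the FIRST colon (RFC 7617)."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def audit_dns(subject_dns):
    """Return (dn, derived_user, survives) for each DN; survives is False
    when the user-id seen by the authentication backend differs from the DN."""
    report = []
    for dn in subject_dns:
        user, _ = parse_basic_header(fake_basic_header(dn))
        report.append((dn, user, user == dn))
    return report


# Constructed sample DNs, in the form quoted in the issue text.
SAMPLE_DNS = [
    "/CN=Joe,OU=Bla,O=Company,C=US",
    "/CN=Joe:A000123,OU=Bla,O=Company,C=US",
]

if __name__ == "__main__":
    for dn, user, ok in audit_dns(SAMPLE_DNS):
        print("{:<6} dn={!r} user={!r}".format("ok" if ok else "BROKEN", dn, user))
```

Running `audit_dns` over the subject DNs of issued client certificates shows which users will fail to match their database entry before they try to log in.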
Environment
- Red Hat Enterprise Linux (RHEL)
- 6.x