FakeBasicAuth can produce bad HTTP userid if certificate DN contains a colon

Solution In Progress

Issue

  • FakeBasicAuth can produce bad HTTP userid if certificate DN contains a colon
  • I'm using mod_nss with NSSOptions +FakeBasicAuth. Client certificates are required in order to connect to my webserver (NSSVerifyClient require). So normally someone connects with a certificate having distinguished name CN=Joe, OU=Bla, O=Company, C=US, and the HTTP basic authorization username is "/CN=Joe,OU=Bla,O=Company,C=US". So far, so good. But now I have a user whose certificate DN is something like CN=Joe:A000123, OU=Bla, O=Company, C=US, i.e. it contains a colon. His HTTP basic authorization username, once FakeBasicAuth is done with its work, is "/CN=Joe", i.e. the username is truncated before the colon. Then he can't get in, because my database doesn't contain any users named solely "/CN=Joe".

Environment

  • Red Hat Enterprise Linux (RHEL)
    • 6.x
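
The truncation described in the issue can be reproduced offline. The sketch below is an added example, not mod_nss code and not part of the original article: it builds a Basic credential from a subject DN and parses it back by splitting at the first colon, as RFC 7617 requires, then lists the DNs that do not survive the round trip. The function names are hypothetical, the DNs are constructed from the two in the report, and the fixed password string "password" is an assumption taken from mod_ssl's documented FakeBasicAuth behaviour.

```python
import base64

# Assumption: fixed placeholder password, as documented for mod_ssl's FakeBasicAuth.
FAKE_PASSWORD = "password"


def fake_basic_header(subject_dn):
    """Build the Authorization value a FakeBasicAuth-style module would synthesize."""
    creds = "/{}:{}".format(subject_dn, FAKE_PASSWORD)
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")


def parse_basic_header(value):
    """Parse as RFC 7617 requires: the user-id ends at the FIRST colon."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("no colon separator in credentials")
    return user, password


def audit_dns(dns):
    """Return (dn, user_seen_by_server) for every DN that gets truncated."""
    bad = []
    for dn in dns:
        user, _ = parse_basic_header(fake_basic_header(dn))
        if user != "/" + dn:
            bad.append((dn, user))
    return bad


# Constructed sample DNs, modelled on the two in the report above.
SAMPLE_DNS = [
    "CN=Joe,OU=Bla,O=Company,C=US",
    "CN=Joe:A000123,OU=Bla,O=Company,C=US",
]

if __name__ == "__main__":
    for dn, seen in audit_dns(SAMPLE_DNS):
        print("truncated: {!r} is seen by the server as {!r}".format(dn, seen))
```

Running the audit over the subject DNs of issued certificates flags affected users before they fail to log in. The remainder of a truncated DN ends up in the password field, so the password comparison no longer sees the expected fixed value either.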
