php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #42552 apache_getenv() doesn't return value of SSL_CLIENT_S_DN_OU_n
Submitted: 2007-09-04 21:32 UTC Modified: 2008-09-29 07:39 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: weisz at vcpc dot univie dot ac dot at Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 5.2.6 OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: weisz at vcpc dot univie dot ac dot at
New email:
PHP Version: OS:

 

 [2007-09-04 21:32 UTC] weisz at vcpc dot univie dot ac dot at
Description:
------------
apache_getenv("SSL_CLIENT_S_DN_OU_n") with n=0,1,2 returns false.

Apache introduced the environment variables SSL_CLIENT_S_DN_OU_n with mod_ssl in version 2.2 (the actual version is 2.2.4). PHP didn't follow this development. Please catch up!


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2007-10-29 14:40 UTC] jani@php.net
As this function only fetches stuff from the apache environment, it's not possible to be a PHP bug if these are not set in it. Have you tried  to access those using getenv() instead?
 [2007-11-06 01:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2008-09-22 17:10 UTC] weisz at vcpc dot univie dot ac dot at
I'm sorry to have overlooked the request to test getenv(): no getenv() doesnt provide the anser either.

Now I'm at PHP version 5.2.6 and the bug is still there. phpinfo() shows clearly that only SSL_CLIENT_S_DN_OU is available to PHP, not the values for SSL_CLIENT_S_DN_OU_n (n being an integer value).

PHP doesn't transmit transparently the value of the string parameter to Apache, but seems to "censor" any Apache variable name it seems not to know.

Please reopen this bug report, change this behavior to enable the use of important and very helpful developments in Apache.
 [2008-09-22 17:13 UTC] weisz at vcpc dot univie dot ac dot at
Please reopen this bug report that is still present in PHP 5.2.6
 [2008-09-23 00:13 UTC] pajoye@php.net
I do not see why PHP would not fetch these vars if apache made them available.

Have you tried:

http://www.mail-archive.com/modssl-users@modssl.org/msg17637.html
 [2008-09-23 18:23 UTC] weisz at vcpc dot univie dot ac dot at
The proposed patch is only a dirty one (it restricts the number of OUs to 2 and the DN members with multiplicity to OU), and it unnecessarily puts the check in the wrong place. I checked the relevant code in ssl_engine_kernel.c and especially ssl_engine_vars.c.

The function ssl_var_lookup_ssl_cert_dn() in ssl_engine_vars.c takes care of the retrieving of the DN subentries and I couldn't find a flaw when analysing its code (Apache 2.2.8 and 2.2.9 which I've tried both and got the same result). Where in the PHP code is the connection to the top level function ssl_var_lookup() that descends in multiple steps to ssl_var_lookup_ssl_cert_dn()?
 [2008-09-24 14:06 UTC] weisz at vcpc dot univie dot ac dot at
After a digging through the sources pertinent to the functions apache_getenv() and the related Apache sources the problem picture Bug 45875 appears as follows:
apache_getenv relies on the function apr_table_get() which retrieves the values of entries into a table generated by the Apache function ssl_hook_Fixeup(). The latter doesn't take care of DN component entries that may occur multiple times.

I've thus submitted bug report #45875 to Apache. But please don't yet close this present bug since an outcome could be a reply from Apache indicating a different way to access the certificate components made accessible since Apache HTTP 2.1 that could provide a solution on the PHP side. I'll turn back to PHP after getting a reply from Apache.
 [2008-09-28 19:46 UTC] weisz at vcpc dot univie dot ac dot at
The problem is solved by a patch I submitted for Apache bug #45875 (see <https://issues.apache.org/bugzilla/show_bug.cgi?id=45875>).
 [2008-09-28 22:59 UTC] pajoye@php.net
So it is actually not a php bug?
 [2008-09-29 07:25 UTC] weisz at vcpc dot univie dot ac dot at
No it's definitley not a PHP bug. It just popped up with the PHP function apache_getenv().

Your answer citing the discussion entry lead me to the right culprit, even so the patch proposed there is too short sighted for a real solution. My patch submitted to Apache takes care of all single DN components with potentially multiple entries (_DN_x_n, x any DN component, n integer).
 [2008-09-29 07:39 UTC] pajoye@php.net
Thanks for having kept us informed :)

Not a PHP bug > closed (Bogus).
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 31 22:01:27 2024 UTC