Mailing List Archive

DO NOT REPLY [Bug 52644] New: document how SSL FakeBasicAuth works with strange characters in DNs and with groupfiles

Bug #: 52644
Summary: document how SSL FakeBasicAuth works with strange
characters in DNs and with groupfiles
Product: Apache httpd-2
Version: 2.2.20
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
Classification: Unclassified


Could you please share some light (and add to the documentation at if and how
mod_ssl's FakeBasicAuth feature works with the following:

a) Special characters
A certificates DN can contain basically _ANY_ character, including “:”, “/”, “
”, “"” or any weird Unicode character from any script.
As far as I can see this could affect us at least in the following places:
- user file
There at least the colon seems to have the special meaning of separating the
username from the password, e.g.:
/C=DE/O=GermanGrid/OU=LMU/CN=Christoph Anton
Maybe “$”, “.” or the other characters mentioned above have also special

Given that this is really security relevant, could you please document whether
all this is _always_ safe for any characters in the DN or not?!

Guess this would mean that the parsing has to work like this regexp ^(.*):(.*)$
and the matching must be "greedy" (i.e. the _last_ “:”) must be matched.

b) DNs in group files
Here things seem to be even more weird.
DNs typically contain “ ” characters (spaces).
The space however is the separation characters in the group files.

I found out that quoting the DN with “"” seems to work.
This is however not (yet) documented.
Further,.. is this safe? I mean, DNs could be made up tricky, containing “"” or
“:” to confuse the parsing of the group files.
This could even be a security problem.


Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail: