diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index 51d5790fa9..ad9c931523 100644
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-2434
+2435
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 9697b26ee8..91b8be3d41 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -1282,12 +1282,15 @@ The available options are:
be used for access control. The user name is just the Subject of the
Client's X509 Certificate (can be determined by running OpenSSL's
openssl x509 command: openssl x509 -noout -subject -in
- certificate.crt). Note that no password is
- obtained from the user. Every entry in the user file needs this password:
- ``xxj31ZMTZzkVA'', which is the DES-encrypted version of the
- word `password''. Those who live under MD5-based encryption
- (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5
- hash of the same word: ``$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/''.
+ certificate.crt). The optional SSLUserName directive can be used to
+ specify which part of the certificate Subject is embedded in the username.
+ Note that no password is obtained from the user. Every entry in the user
+ file needs this password: ``xxj31ZMTZzkVA'', which is the
+ DES-encrypted version of the word `password''. Those who
+ live under MD5-based encryption (for instance under FreeBSD or BSD/OS,
+ etc.) should use the following MD5 hash of the same word:
+ ``$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/''.
StrictRequire
@@ -2039,9 +2042,9 @@ string. In particular, this may cause the environment variable
REMOTE_USER to be set. The varname can be
any of the SSL environment variables.
-Note that this directive has no effect if the
-FakeBasicAuth option is used (see SSLOptions).
+When the FakeBasicAuth option is enabled, this directive
+instead controls the value of the username embedded within the basic
+authentication header (see SSLOptions).
Example
diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
index 1b69d4c013..7d26038bbd 100644
--- a/modules/ssl/ssl_engine_kernel.c
+++ b/modules/ssl/ssl_engine_kernel.c
@@ -957,7 +957,7 @@ int ssl_hook_UserCheck(request_rec *r)
SSLConnRec *sslconn = myConnConfig(r->connection);
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
- char *clientdn;
+ char *user;
const char *auth_line, *username, *password;
/*
@@ -1023,7 +1023,19 @@ int ssl_hook_UserCheck(request_rec *r)
OPENSSL_free(cp);
}
- clientdn = (char *)sslconn->client_dn;
+ /* use SSLUserName if defined, otherwise use the full client DN */
+ if (dc->szUserName) {
+ user = ssl_var_lookup(r->pool, r->server, r->connection,
+ r, (char *)dc->szUserName);
+ if (!user || !user[0]) {
+ ap_log_rerror(
+ APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02434) "Failed to set FakeBasicAuth username to '%s', did not exist in certificate", dc->szUserName);
+ return DECLINED;
+ }
+ }
+ else {
+ user = (char *)sslconn->client_dn;
+ }
/*
* Fake a password - which one would be immaterial, as, it seems, an empty
@@ -1038,7 +1050,7 @@ int ssl_hook_UserCheck(request_rec *r)
*/
auth_line = apr_pstrcat(r->pool, "Basic ",
ap_pbase64encode(r->pool,
- apr_pstrcat(r->pool, clientdn,
+ apr_pstrcat(r->pool, user,
":password", NULL)),
NULL);
apr_table_setn(r->headers_in, "Authorization", auth_line);