The SSLUserName directive does not support the field 'NID_serialNumber'. This field is commonly used for the official unique id in national identity certificates; it would really help to add it. I tried to add the line { LN_serialNumber, NID_serialNumber }, in ssl_var_lookup_ssl_cert_dn_rec[] (ssl_engine_var.c), but it doesn't work. I also added "SSL_CLIENT_S_DN_serialNumber", in ssl_hook_Fixup_vars[] (ssl_engine_kernel.c), but it doesn't help either.
Sorry, by adding both entries it works. Btw, several European countries use this field to store the national identity number: Belgium, Estonia, Finland, etc.
The name should be using the short (SN_) not the long variant and I'd rather not rely on OpenSSL's SN_ definition since if that changes mod_ssl would break compatibility. So a patch to add { "SN", ... } and the CLIENT_S_DN_SN would be OK. Please attach diff -u format patches, not code which has to be cut'n'pasted!
"SN" is "surname". No short name for "serialNumber" is defined in OpenSSL, is that a real problem?
Created attachment 15246: Support for NID_serialNumber in SSLUserName
Solved in 2.2
Sorry, a mistake. It's not fixed.
Created attachment 19458: Port to 2.2.4
Please don't change the assignee field, this breaks changes to be sent to the bugs@ mailing list.
RFC 5280 says:

    Standard sets of attributes have been defined in the X.500 series of specifications [X.520]. Implementations of this specification MUST be prepared to receive the following standard attribute types in issuer and subject (Section 4.1.2.6) names:
    * country,
    * organization,
    * organizational unit,
    * distinguished name qualifier,
    * state or province name,
    * common name (e.g., "Susan Housley"), and
    * serial number.

    In addition, implementations of this specification SHOULD be prepared to receive the following standard attribute types in issuer and subject names:
    * locality,
    * title,
    * surname,
    * given name,
    * initials,
    * pseudonym, and
    * generation qualifier (e.g., "Jr.", "3rd", or "IV").

"Being prepared" IMO means for a relying party like mod_ssl and its users to facilitate the usage.
Please help us to refine our list of open and current defects; this is a mass update of old and inactive Bugzilla reports which reflect user error, already resolved defects, and still-existing defects in httpd. As repeatedly announced, the Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release 2.2.34 was published in July 2017, and no further evaluation of bug reports or security risks will be considered or published for 2.2.x releases. All reports older than 2.4.x have been updated to status RESOLVED/LATER; no further action is expected unless the report still applies to a current version of httpd. If your report represented a question or confusion about how to use an httpd feature, an unexpected server behavior, problems building or installing httpd, or working with an external component (a third party module, browser etc.) we ask you to start by bringing your question to the User Support and Discussion mailing list, see [https://httpd.apache.org/lists.html#http-users] for details. Include a link to this Bugzilla report for completeness with your question. If your report was clearly a defect in httpd or a feature request, we ask that you retest using a modern httpd release (2.4.33 or later) released in the past year. If it can be reproduced, please reopen this bug and change the Version field above to the httpd version you have reconfirmed with. Your help in identifying defects or enhancements still applicable to the current httpd server software release is greatly appreciated.
Created attachment 37952: Add support for serialNumber to SSL_CLIENT_S_DN_serialNumber

Updated the patch to apply on 2.4.x
We are still interested in this to allow our users to identify using their eID. I tested the proposed patch, not sure if there is anything I can do to merge it upstream.
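Added example (not part of the bug report, the attached patches or mod_ssl itself) illustrating the "SN" versus "serialNumber" confusion above and the RFC 5280 attribute list: a minimal DER decoder for an X.509 subject Name that maps each attribute OID to a variable suffix in the style of SSL_CLIENT_S_DN_*. The OID-to-suffix table and the sample subject are constructed here using OpenSSL's short-name spellings; surname is OID 2.5.4.4 and serialNumber is the distinct OID 2.5.4.5.

```python
# OID -> suffix in the style of mod_ssl's SSL_CLIENT_S_DN_* variables (constructed
# mapping for this example, spelled like OpenSSL short names; not mod_ssl's own table).
DN_SUFFIX = {
    "2.5.4.6": "C",
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "2.5.4.3": "CN",
    "2.5.4.4": "SN",             # surname: NOT the serial number
    "2.5.4.5": "serialNumber",   # the attribute this report asks mod_ssl to expose
}

# Constructed sample subject (DER): C=BE, CN=Jane Doe, SN=Doe, serialNumber=12345678901
SAMPLE_SUBJECT_DER = bytes.fromhex(
    "3044"
    "310b3009060355040613024245"
    "3111300f06035504030c084a616e6520446f65"
    "310c300a06035504040c03446f65"
    "311430120603550405130b3132333435363738393031"
)

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode OID content octets to dotted-decimal form."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def parse_subject_dn(der):
    """Decode a DER Name (SEQUENCE OF SET OF AttributeTypeAndValue) into {suffix: value}.
    Unknown attribute types are keyed by their dotted OID instead of being dropped."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    result, pos = {}, 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)   # RelativeDistinguishedName (SET)
        _, atv, _ = _read_tlv(rdn, 0)       # AttributeTypeAndValue (SEQUENCE)
        _, oid_raw, p = _read_tlv(atv, 0)   # type (OBJECT IDENTIFIER)
        _, val_raw, _ = _read_tlv(atv, p)   # value (PrintableString / UTF8String)
        result[DN_SUFFIX.get(_decode_oid(oid_raw), _decode_oid(oid_raw))] = val_raw.decode("utf-8")
    return result
```

Running `parse_subject_dn(SAMPLE_SUBJECT_DER)` yields `{'C': 'BE', 'CN': 'Jane Doe', 'SN': 'Doe', 'serialNumber': '12345678901'}`, so a server that only exposes "SN" would hand an application the surname rather than the national identity number.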