<html dir="ltr">
<head>
<!-- Template generated by Exclaimer Mail Disclaimers on 11:35:49 Wednesday, 22 February 2017 -->
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<style type="text/css">P.03f74a2a-0efc-4208-a99d-cf868a1f9baa {
MARGIN: 0cm 0cm 0pt
}
LI.03f74a2a-0efc-4208-a99d-cf868a1f9baa {
MARGIN: 0cm 0cm 0pt
}
DIV.03f74a2a-0efc-4208-a99d-cf868a1f9baa {
MARGIN: 0cm 0cm 0pt
}
TABLE.03f74a2a-0efc-4208-a99d-cf868a1f9baaTable {
MARGIN: 0cm 0cm 0pt
}
DIV.Section1 {
page: Section1
}
</style><style type="text/css" id="owaParaStyle">P {margin-top:0;margin-bottom:0;}</style>
</head>
<body fpstyle="1" ocsi="0">
<p class="03f74a2a-0efc-4208-a99d-cf868a1f9baa"></p>
<div style="direction: ltr;font-family: Helvetica;color: #000000;font-size: 10pt;">
Attempt #2 - have removed previously-proposed ssl_client_s_cn and ssl_client_email vars as these are now satisfied, as advised, by map constructs.<br>
<br>
# HG changeset patch<br>
# User Dave Bevan <dave.bevan@bbc.co.uk><br>
# Date 1487806316 0<br>
# Wed Feb 22 23:31:56 2017 +0000<br>
# Node ID e0a82e49175e9092b63fb7d86054a698d8fc3085<br>
# Parent 00903b2132edb863e8aed2e84e216817fcc07c90<br>
Add new ssl variable: $ssl_client_ms_upn (Microsoft UserPrincipalName).<br>
<br>
Retrieved from a client cert, this identity string is used in corporate<br>
environments as a primary key when interacting with Active Directory.<br>
<br>
Commonly used to set REMOTE_USER param. Brings equivalence with<br>
Apache 2.4.17 which introduced access to the same data:<br>
<br>
https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x/CHANGES<br>
<br>
Changes with Apache 2.4.17<br>
<br>
*) mod_ssl: Add support for extracting the msUPN and dnsSRV forms<br>
of subjectAltName entries of type "otherName" into<br>
SSL_{CLIENT,SERVER}_SAN_OTHER_{msUPN,dnsSRV}_n environment<br>
variables. Addresses PR 58020. [Jan Pazdziora <jpazdziora redhat.com>,<br>
Kaspar Brand]<br>
<br>
diff -r 00903b2132ed -r e0a82e49175e src/event/ngx_event_openssl.c<br>
--- a/src/event/ngx_event_openssl.c Wed Feb 22 12:26:41 2017 +0800<br>
+++ b/src/event/ngx_event_openssl.c Wed Feb 22 23:31:56 2017 +0000<br>
@@ -4081,6 +4081,60 @@<br>
}<br>
<br>
<br>
+ngx_int_t<br>
+ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)<br>
+{<br>
+ int i;<br>
+ BIO *bio;<br>
+ X509 *cert;<br>
+ GENERAL_NAME *altname;<br>
+ STACK_OF(GENERAL_NAME) *altnames;<br>
+<br>
+ s->len = 0;<br>
+<br>
+ cert = SSL_get_peer_certificate(c->ssl->connection);<br>
+ if (cert == NULL) {<br>
+ return NGX_OK;<br>
+ }<br>
+<br>
+ bio = BIO_new(BIO_s_mem());<br>
+ if (bio == NULL) {<br>
+ X509_free(cert);<br>
+ return NGX_ERROR;<br>
+ }<br>
+<br>
+ altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);<br>
+<br>
+ if (altnames) {<br>
+ for (i = 0; i < sk_GENERAL_NAME_num(altnames); i++) {<br>
+ altname = sk_GENERAL_NAME_value(altnames, i);<br>
+<br>
+ if (altname->type != GEN_OTHERNAME) {<br>
+ continue;<br>
+ }<br>
+<br>
+ if (NID_ms_upn != OBJ_obj2nid(altname->d.otherName->type_id)) {<br>
+ continue;<br>
+ }<br>
+<br>
+ BIO_printf(bio, "%s",<br>
+ (char*)ASN1_STRING_data(altname->d.otherName->value->value.asn1_string));<br>
+ break;<br>
+ }<br>
+ }<br>
+<br>
+ s->len = BIO_pending(bio);<br>
+ s->data = ngx_pnalloc(pool, s->len);<br>
+<br>
+ BIO_read(bio, s->data, s->len);<br>
+ BIO_free(bio);<br>
+ X509_free(cert);<br>
+ GENERAL_NAMES_free(altnames);<br>
+<br>
+ return NGX_OK;<br>
+}<br>
+<br>
+<br>
static time_t<br>
ngx_ssl_parse_time(<br>
#if OPENSSL_VERSION_NUMBER > 0x10100000L<br>
diff -r 00903b2132ed -r e0a82e49175e src/event/ngx_event_openssl.h<br>
--- a/src/event/ngx_event_openssl.h Wed Feb 22 12:26:41 2017 +0800<br>
+++ b/src/event/ngx_event_openssl.h Wed Feb 22 23:31:56 2017 +0000<br>
@@ -226,6 +226,8 @@<br>
ngx_str_t *s);<br>
ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,<br>
ngx_str_t *s);<br>
+ngx_int_t ngx_ssl_get_client_ms_upn(ngx_connection_t *c, ngx_pool_t *pool,<br>
+ ngx_str_t *s);<br>
<br>
<br>
ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);<br>
diff -r 00903b2132ed -r e0a82e49175e src/http/modules/ngx_http_ssl_module.c<br>
--- a/src/http/modules/ngx_http_ssl_module.c Wed Feb 22 12:26:41 2017 +0800<br>
+++ b/src/http/modules/ngx_http_ssl_module.c Wed Feb 22 23:31:56 2017 +0000<br>
@@ -328,6 +328,9 @@<br>
{ ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,<br>
(uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },<br>
<br>
+ { ngx_string("ssl_client_ms_upn"), NULL, ngx_http_ssl_variable,<br>
+ (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_HTTP_VAR_CHANGEABLE, 0 },<br>
+<br>
{ ngx_null_string, NULL, NULL, 0, 0, 0 }<br>
};<br>
<br>
diff -r 00903b2132ed -r e0a82e49175e src/stream/ngx_stream_ssl_module.c<br>
--- a/src/stream/ngx_stream_ssl_module.c Wed Feb 22 12:26:41 2017 +0800<br>
+++ b/src/stream/ngx_stream_ssl_module.c Wed Feb 22 23:31:56 2017 +0000<br>
@@ -272,6 +272,9 @@<br>
{ ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,<br>
(uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },<br>
<br>
+ { ngx_string("ssl_client_ms_upn"), NULL, ngx_stream_ssl_variable,<br>
+ (uintptr_t) ngx_ssl_get_client_ms_upn, NGX_STREAM_VAR_CHANGEABLE, 0 },<br>
+<br>
{ ngx_null_string, NULL, NULL, 0, 0, 0 }<br>
};<br>
<br>
<div><br>
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<div style="font-family:Tahoma; font-size:13px">
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-size:10.0pt; font-family:"Helvetica","sans-serif"; color:black">Rgds,<br>
--<br>
<b>Dave Bevan<br>
</b>Senior Broadcast Systems Developer<br>
<b><font color="FF0000">News Labs, </font>BBC Design & Engineering</b><br>
<br>
<a href="http://bbcnewslabs.co.uk/">bbc</a></span><span style="font-size:10.0pt; font-family:"Helvetica","sans-serif"; color:black"><span style="font-size:10.0pt; font-family:"Helvetica","sans-serif"; color:black"><a href="http://bbcnewslabs.co.uk/">newslabs.co.uk</a>
</span><a href="http://bbc.co.uk/news/">bbc.co.uk/news</a></span><span style="font-size:10.0pt; font-family:"Tahoma","sans-serif"; color:black"></span></p>
<span style="font-family:"Arial","sans-serif"; color:black"></span></div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p></p>
<p class="03f74a2a-0efc-4208-a99d-cf868a1f9baa"> </p>
<p class="03f74a2a-0efc-4208-a99d-cf868a1f9baa">----------------------------<br>
<font size="3" face="Times New Roman"><font size="3" face="Times New Roman"><font size="3" face="Times New Roman"><br>
<font size="3" face="Times New Roman"><a href="http://www.bbc.co.uk" target="_blank">http://www.<span class="il">bbc</span>.<span class="il">co</span>.<span class="il">uk</span></a><br>
This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the
<span class="il">BBC</span> unless specifically stated.<br>
If you have received it in error, please delete it from your system.<br>
Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately.<br>
Please note that the <span class="il">BBC</span> monitors e-mails sent or received.<br>
Further communication will signify your consent to this.</font></font></font></font></p>
<p class="03f74a2a-0efc-4208-a99d-cf868a1f9baa">---------------------</p>
</body>
</html>