The default {AccessibleENV} value in lib/TWiki.spec is too strict. There's no danger in exposing SSL_CLIENT params (they're sent from the client's certificate). Also, SSL_PROTOCOL and CIPHER are visible from the client, so there's no point in hiding them. They are useful when debugging TLS (SSL) problems, especially with X.509 authentication, and for warning of certificate expiration.
I suggest changing the default to:
$TWiki::cfg{AccessibleENV} = '^(HTTP_\w+|REMOTE_\w+|SERVER_\w+|REQUEST_\w+|MOD_PERL|SSL_CLIENT_.*|SSL_(?:CIPHER(?:_\w+)*|PROTOCOL))$';
Although any site can make the change, it's a Perl regexp and I expect that most sites won't.
Here's an example of how I use many of these variables. It might be worth adapting for the default home page. (Note that I require an SSL client certificate for access - see X509Plugin):
From the top of my main page:
<sticky>Certificate: [[ConnectionStatus][]]
%IF{ "$ 'ENV{SSL_CLIENT_V_REMAIN}' <= 60" then=" <span style='background-color:#ff7b3d;'>expires in days, on </span>" }%
</sticky>
And the ConnectionStatus page:
<sticky><table style="width:100%;"><tr><td style="text-align:left"> ---+ Connection and certificate status </td><td style="text-align:right">
%IF{ "%IP%=4" else="<nop><img alt=\"IPv6 Icon\" src=\"/pub/Bugs/WebHome/IPv6-green.png\"/>" then="<img alt=\"IPv4 Icon\" src=\"/pub/Bugs/WebHome/IPv4-gray.png\"/>" }%
</td></tr></table></sticky>
Details of your secure connection's protocol and identity certificate:
| Connection | from 44.197.101.251 ||
| Cipher | ||
| Key type | , signed with ||
| Certificate issuer | ||
| Certificate subject | ||
| Certificate valid | to ||
-- TWiki:Main/TimotheLitt - 2016-01-09
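An added example, not part of the report above and not TWiki's own code: it applies the proposed {AccessibleENV} regexp to a constructed mod_ssl-style %ENV and shows which names %ENV{...}% would then be allowed to expand, which stay blocked (SSL_SESSION_ID and SSL_SERVER_* are not admitted by the pattern), and how the home-page expiry check behaves when the variable is exposed versus filtered out. Two things are assumed because the page does not state them: the "stricter" shipped default is taken to be the same pattern without the SSL_ alternatives, and the sample environment values are constructed to imitate what Apache mod_ssl sets for an X.509-authenticated request.

```python
"""Added example: exercise the proposed {AccessibleENV} pattern (not TWiki code)."""
import re
from datetime import datetime, timezone

# Proposed value from the report, as a Python raw string. Perl single quotes
# turn '\\w' into '\w', so the pattern is character-for-character the same.
PROPOSED = r'^(HTTP_\w+|REMOTE_\w+|SERVER_\w+|REQUEST_\w+|MOD_PERL|SSL_CLIENT_.*|SSL_(?:CIPHER(?:_\w+)*|PROTOCOL))$'

# ASSUMPTION: the shipped default modelled as the same pattern with no SSL_ names.
STRICT = r'^(HTTP_\w+|REMOTE_\w+|SERVER_\w+|REQUEST_\w+|MOD_PERL)$'

# Constructed sample %ENV, imitating CGI + mod_ssl for a client-cert request.
SAMPLE_ENV = {
    "HTTPS": "on",
    "REMOTE_ADDR": "192.0.2.10",
    "SERVER_NAME": "wiki.example.net",
    "REQUEST_METHOD": "GET",
    "SSL_PROTOCOL": "TLSv1.2",
    "SSL_CIPHER": "ECDHE-RSA-AES256-GCM-SHA384",
    "SSL_CIPHER_USEKEYSIZE": "256",
    "SSL_CLIENT_S_DN": "/C=US/O=Example/CN=Some User",
    "SSL_CLIENT_I_DN": "/C=US/O=Example/CN=Example CA",
    "SSL_CLIENT_V_START": "Jan  1 00:00:00 2016 GMT",
    "SSL_CLIENT_V_END": "Feb 15 00:00:00 2016 GMT",
    "SSL_CLIENT_V_REMAIN": "37",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_SERVER_S_DN": "/C=US/O=Example/CN=wiki.example.net",
    "SSL_SESSION_ID": "5f3a0c1d",
    "PATH": "/usr/local/bin:/usr/bin",
    "PERL5LIB": "/var/www/twiki/lib",
    "DOCUMENT_ROOT": "/var/www/htdocs",
}

# Format mod_ssl uses for SSL_CLIENT_V_START / SSL_CLIENT_V_END.
MODSSL_TIME = "%b %d %H:%M:%S %Y %Z"


def accessible_env(env, pattern):
    """Model the %ENV{name}% gate: keep only names the configured regexp matches."""
    rx = re.compile(pattern)
    return {name: value for name, value in env.items() if rx.match(name)}


def newly_exposed(env):
    """Names the proposed pattern admits that the assumed strict default does not."""
    return sorted(set(accessible_env(env, PROPOSED)) - set(accessible_env(env, STRICT)))


def still_hidden(env):
    """Names that remain blocked even with the proposed pattern."""
    return sorted(set(env) - set(accessible_env(env, PROPOSED)))


def expiry_warning(env, threshold_days=60):
    """The home-page check: warn when SSL_CLIENT_V_REMAIN <= threshold.

    Returns (warn, days); days is None when the variable is absent, which is
    exactly what happens when AccessibleENV filters it out: the warning is
    silently disabled rather than failing loudly.
    """
    try:
        days = int(env.get("SSL_CLIENT_V_REMAIN"))
    except (TypeError, ValueError):
        return (False, None)
    return (days <= threshold_days, days)


def days_from_v_end(env, now=None):
    """Recompute days remaining from SSL_CLIENT_V_END, for cross-checking V_REMAIN.

    `now` is a mod_ssl-format timestamp string, or None for the current time.
    """
    end = datetime.strptime(env["SSL_CLIENT_V_END"], MODSSL_TIME).replace(tzinfo=timezone.utc)
    if now is None:
        current = datetime.now(timezone.utc)
    else:
        current = datetime.strptime(now, MODSSL_TIME).replace(tzinfo=timezone.utc)
    return (end - current).days


if __name__ == "__main__":
    print("newly exposed:", newly_exposed(SAMPLE_ENV))
    print("still hidden: ", still_hidden(SAMPLE_ENV))
    print("warning with proposed pattern:", expiry_warning(accessible_env(SAMPLE_ENV, PROPOSED)))
    print("warning with strict pattern:  ", expiry_warning(accessible_env(SAMPLE_ENV, STRICT)))
    print("days from V_END on 2016-01-09:", days_from_v_end(SAMPLE_ENV, "Jan  9 00:00:00 2016 GMT"))
```

The point of the last two calls is the caveat a site should know before relying on the home-page banner: with the strict default, SSL_CLIENT_V_REMAIN never reaches the %IF%, so the expiry warning is simply never shown. The `still_hidden` output also confirms that the proposed pattern does not open up SSL_SESSION_ID, SSL_SERVER_*, PATH or PERL5LIB.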
Agreed. This is a "no-brainer" change, e.g. it does not require a feature proposal. Feel free to fix in trunk and 6.0 branch.
-- TWiki:Main.PeterThoeny - 2016-01-11