Feature #2268

Set serial number of the client certificate into environment

Added by cicik almost 7 years ago. Updated 12 months ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: TLS
Target version:
Start date: 2010-10-23
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

During SSL client validation, the certificate's serial number is not set in the environment.
We can't read it in backends such as PHP. There was a patch for lighttpd 1.4.19 but it won't work with current versions. I think it's a good idea to include this in the main branch.

I attach a patch for lighttpd 1.4.28.

lighttpd-1.4.28-clientvalidation-serialenv.patch (1.11 KB): Patch to set serial number of the client certificate into environment. cicik, 2010-10-23 14:01

Related issues

Has duplicate Feature #2652: [patch] Add additional SSL env variables for strict client certificate authentication and authorization (Duplicate, 2015-07-04)

Associated revisions

Revision daab6f5c (diff)
Added by gstrauss 12 months ago

[TLS] set SSL_CLIENT_M_SERIAL w/ client cert SN (fixes #2268)

x-ref:
"Set serial number of the client certificate into environment"
https://redmine.lighttpd.net/issues/2268

History

#1 Updated by stbuehler over 6 years ago

  • Target version changed from 1.4.29 to 1.4.x

I thought I already said that somewhere (perhaps in the original SSL client cert ticket); I'd like to have a more "complete" list of things we want to export to backends (and I'd like to avoid the copy/paste style), and perhaps a sane way to configure them.

I don't like having dozens of patches for every single item...

#2 Updated by cicik over 3 years ago

Three years later the problem still exists...

#3 Updated by cicik over 3 years ago

  • Target version changed from 1.4.x to 1.4.36

#4 Updated by stbuehler over 3 years ago

  • Target version changed from 1.4.36 to 1.4.x

And why do you think modifying the target version helps?

#5 Updated by cicik over 3 years ago

I simply don't understand why you don't want to put a tested solution in the next release. Some people found it useful to have a variable with the certificate's serial number. These people made the appropriate change for the community in the source code. And this change has been blocked for three years.... I don't understand. For three years, each time I want to update lighttpd on Debian I have to download the source code of the package, apply the patch, compile and install.... waste of time.

#6 Updated by stbuehler over 3 years ago

I don't like how the patch is doing it, and my first comment says what I'd like the patch to be. (There is no "assigning" in who "has" to do that; but obviously I didn't find the time to do it).

Telling maintainers to ignore implementation details of "tested" patches is rude - because they have to maintain them in the end.

#7 Updated by gstrauss over 1 year ago

  • Category changed from core to TLS

#8 Updated by gstrauss about 1 year ago

  • Missing in 1.5.x deleted (Yes)

#9 Updated by gstrauss 12 months ago

  • Related to Feature #2652: [patch] Add additional SSL env variables for strict client certificate authentication and authorization added

#10 Updated by gstrauss 12 months ago

  • Related to deleted (Feature #2652: [patch] Add additional SSL env variables for strict client certificate authentication and authorization)

#11 Updated by gstrauss 12 months ago

  • Has duplicate Feature #2652: [patch] Add additional SSL env variables for strict client certificate authentication and authorization added

#12 Updated by gstrauss 12 months ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.42

stbuehler wrote:

Telling maintainers to ignore implementation details of "tested" patches is rude - because they have to maintain them in the end.

I second that. Case in point: cicik, your very simple patch has an obvious memory leak. BN_bn2hex() returns an allocated string which must be passed to OPENSSL_free(), which is clearly documented in the manpage for BN_bn2hex.
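
As an added example (not lighttpd's code and not the patch attached to this ticket), the C below derives the string that revision daab6f5c exports as SSL_CLIENT_M_SERIAL from a certificate's DER serialNumber, in the format OpenSSL's BN_bn2hex() prints: uppercase hex, two digits per byte, leading zero bytes dropped, "0" for a zero serial, and a "-" prefix for a (non-conforming) negative one. It hand-walks the DER so it builds against libc only, without OpenSSL, and every non-NULL string it returns is heap memory the caller must free(), which is the same ownership contract as BN_bn2hex()/OPENSSL_free() that the comment above points at. The DER fragments at the bottom are constructed and truncated after serialNumber; they are not real certificates.

```c
/* Added example, not lighttpd code: build the SSL_CLIENT_M_SERIAL value from a
 * certificate's DER serialNumber the way OpenSSL's BN_bn2hex() would format it.
 * Every non-NULL char* returned here is owned by the caller and must be free()d. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode one DER tag/length header inside p[0..len). Returns a pointer to the
 * content octets and stores tag and content length; NULL if the header is
 * truncated, uses indefinite length, or the content would overrun the buffer. */
static const unsigned char *der_tlv(const unsigned char *p, size_t len,
                                    unsigned char *tag, size_t *clen)
{
    if (len < 2) return NULL;
    size_t hdr = 2, n = p[1];
    if (n & 0x80) {                          /* long form: low bits = count of length octets */
        size_t k = n & 0x7f;
        if (k == 0 || k > sizeof(size_t) || len - 2 < k) return NULL;
        n = 0;
        for (size_t i = 0; i < k; i++) n = (n << 8) | p[2 + i];
        hdr = 2 + k;
    }
    if (n > len - hdr) return NULL;          /* content must fit inside the buffer */
    *tag = p[0];
    *clen = n;
    return p + hdr;
}

/* Format the content octets of a DER INTEGER (big-endian two's complement) as
 * BN_bn2hex() does. Caller must free() the result. */
char *serial_hex(const unsigned char *v, size_t n)
{
    if (n == 0) return NULL;
    unsigned char *mag = malloc(n);
    if (mag == NULL) return NULL;
    memcpy(mag, v, n);
    int neg = v[0] & 0x80;
    if (neg) {                               /* two's-complement negate to get the magnitude */
        unsigned carry = 1;
        for (size_t i = n; i-- > 0; ) {
            unsigned x = (unsigned char)~mag[i] + carry;
            mag[i] = (unsigned char)x;
            carry = x >> 8;
        }
    }
    size_t start = 0;
    while (start < n && mag[start] == 0) start++;   /* BN_bn2hex skips leading zero bytes */
    char *out = malloc((neg ? 1 : 0) + 2 * (n - start) + 2);
    if (out == NULL) { free(mag); return NULL; }
    char *p = out;
    if (start == n) {                        /* value is zero: BN_bn2hex prints "0" */
        *p++ = '0';
    } else {
        if (neg) *p++ = '-';
        for (size_t i = start; i < n; i++) p += sprintf(p, "%02X", (unsigned)mag[i]);
    }
    *p = '\0';
    free(mag);
    return out;
}

/* Walk Certificate -> tbsCertificate -> [version] -> serialNumber and return the
 * formatted serial (caller frees), or NULL if the DER is malformed. */
char *cert_serial_hex(const unsigned char *der, size_t len)
{
    unsigned char tag;
    size_t clen, flen;
    const unsigned char *tbs = der_tlv(der, len, &tag, &clen);      /* Certificate SEQUENCE */
    if (tbs == NULL || tag != 0x30) return NULL;
    const unsigned char *p = der_tlv(tbs, clen, &tag, &clen);       /* tbsCertificate SEQUENCE */
    if (p == NULL || tag != 0x30) return NULL;
    size_t rest = clen;
    const unsigned char *f = der_tlv(p, rest, &tag, &flen);         /* first field of tbs */
    if (f == NULL) return NULL;
    if (tag == 0xA0) {                       /* version [0] EXPLICIT present (v2/v3): skip it */
        rest -= (size_t)(f + flen - p);
        p = f + flen;
        f = der_tlv(p, rest, &tag, &flen);
        if (f == NULL) return NULL;
    }
    if (tag != 0x02) return NULL;            /* serialNumber must be an INTEGER */
    return serial_hex(f, flen);
}

/* Constructed test vectors (not real certificates): Certificate and tbsCertificate
 * SEQUENCEs truncated right after serialNumber, which is all the walk above reads. */
static const unsigned char SAMPLE_V3[] = {       /* v3; serial 0x8F1234, DER-padded with 0x00 */
    0x30, 0x0D, 0x30, 0x0B, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x04, 0x00, 0x8F, 0x12, 0x34 };
static const unsigned char SAMPLE_V1_ZERO[] = {  /* v1 (no version field); serial 0 */
    0x30, 0x05, 0x30, 0x03, 0x02, 0x01, 0x00 };
static const unsigned char SAMPLE_NEG[] = {      /* v1; non-conforming negative serial -129 */
    0x30, 0x06, 0x30, 0x04, 0x02, 0x02, 0xFF, 0x7F };

/* Compare a returned string with the expected value, then release it (1 = match).
 * A NULL expectation means "parsing must fail". */
int hex_matches(char *s, const char *expect)
{
    int ok = (s == NULL) ? (expect == NULL) : (expect != NULL && strcmp(s, expect) == 0);
    free(s);                                 /* never drop the pointer without freeing it */
    return ok;
}

int main(void)
{
    char *s = cert_serial_hex(SAMPLE_V3, sizeof SAMPLE_V3);
    printf("SSL_CLIENT_M_SERIAL=%s\n", s ? s : "(malformed)");
    free(s);
    return 0;
}
```

A backend such as PHP receives exactly this canonical string, so an allowlist of permitted client serials should be stored in the same form (uppercase, no leading zero bytes, no colon separators) rather than copied from a certificate viewer's printout.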

#13 Updated by gstrauss 12 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
