Project

General

Profile

Bug #2531

disabling ssl.verifyclient.activate does not work in SNI

Added by flynn almost 4 years ago. Updated over 1 year ago.

Status:
Fixed
Priority:
Normal
Assignee:
-
Category:
-
Target version:
Start date:
2013-11-21
Due date:
% Done:

100%

Estimated time:
Missing in 1.5.x:
No

Description

If try to assign different values (enable/disable) to ssl.verifyclient.activate depending on $HTTP["host"] does not work. The first (global) setting is always active, changing it in a $HTTP["host"]{} block does not have any effect. Other settings like ssl.pemfile and ssl.ca-file work perfect depending on the hostname.

I want to have on the same IP/port different https-servers, some with client-certifcate authentication, some without. At the moment I must switch on for all and tell the users to ignore the client certificate request for some hostnames.

I'm not sure whether this a limitiation in SNI or a bug in lighttpd.

Associated revisions

Revision 3107 (diff)
Added by stbuehler over 1 year ago

[ssl] support disabling ssl.verifyclient.activate in SNI callback (fixes #2531)

From: Stefan Bühler <>

Revision 00063098 (diff)
Added by stbuehler over 1 year ago

[ssl] support disabling ssl.verifyclient.activate in SNI callback (fixes #2531)

From: Stefan Bühler <>

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3107 152afb58-edef-0310-8abb-c4023f1b3aa9

History

#1 Updated by flynn almost 4 years ago

With the newest patches from bug #2525 it works now (found in the current debian package), if
- the global setting (.e.g. inside $SERVER["socket"] "0.0.0.0:443" { ...) of ssl.verifyclient.activate is "disable"
- inside a $HTTP["host"] "..." {
ssl.verifyclient.activate ist "enable"

The other way:
- global setting ssl.verifyclient.activate is "enable"
- per hostname disable ssl.verifyclient.activate
still does not work.

#2 Updated by flynn almost 2 years ago

To whom it may belong ...

This ticket can be closed, I cannot do it.

There is no option to change the status of a ticket.

#3 Updated by stbuehler over 1 year ago

  • Subject changed from ssl.verifyclient.activate does not work with SNI to disabling ssl.verifyclient.activate does not work in SNI
  • Target version set to 1.4.40

I think this actually is a bug :) I'll keep it open for now.

network_ssl_servername_callback() only enables verify-client if needed, but doesn't disable it.

#4 Updated by gstrauss over 1 year ago

I think this ticket can now be closed.

The following commit updated ssl.verifyclient.activate from T_CONFIG_SCOPE_SERVER to T_CONFIG_SCOPE_CONNECTION

commit c512345fa2830b7e0f4fe67ab626e9d9ba0644c4
Author: Stefan Bühler <stbuehler@web.de>
Date:   Sat Nov 7 12:51:11 2015 +0000

    [config] check config option scope; warn if server option is given in condit
ional

    From: Stefan Bühler <stbuehler@web.de>

    git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3049 152
afb58-edef-0310-8abb-c4023f1b3aa9

network_ssl_servername_callback() patches the config after setting $SERVER["socket"], $HTTP["scheme"], and $HTTP["host"], so from a visual inspection, it looks as if con->conf.ssl_verifyclient will be set to the configured value as long as it is configured in one of those scopes, and not nested in other scopes or part of an if-else chain where earlier conditions in the if-else chain are other scopes (which are not able to be evaluated yet).

#5 Updated by stbuehler over 1 year ago

gstrauss wrote:

I think this ticket can now be closed.

No.

stbuehler wrote:

network_ssl_servername_callback() only enables verify-client if needed, but doesn't disable it.

If verify-client is enabled on the SSL_CTX (with SSL_CTX_set_verify), the SSL session will inherit this option. The network_ssl_servername_callback() SNI callback needs to disable the option if it isn't active in SNI context anymore.

#6 Updated by gstrauss over 1 year ago

Ah. Thanks for the pointers. Since SSL_set_verify() is very quick (it uses the params to set a couple flags), how does this patch look?

diff --git a/src/network.c b/src/network.c
index 48491e0..ebcc6ea 100644
--- a/src/network.c
+++ b/src/network.c
@@ -151,6 +151,8 @@ static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) {
                        NULL
                );
                SSL_set_verify_depth(ssl, con->conf.ssl_verifyclient_depth);
+       } else {
+               SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
        }

        return SSL_TLSEXT_ERR_OK;

#7 Updated by stbuehler over 1 year ago

Yes, looks fine - thanks.

#8 Updated by stbuehler over 1 year ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r3107.

Also available in: Atom