Feature #2693

[PATCH] support SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN

Added by mackyle over 1 year ago. Updated 4 months ago.

Status: Need Feedback
Priority: Low
Assignee: -
Category: TLS
Target version:
Start date: 2015-12-03
Due date:
% Done: 0%
Missing in 1.5.x:

Description

SSL_CLIENT_VERIFY is set to "NONE", "SUCCESS" or "FAILED:reason".
This is compatible with Apache's mod_ssl variable of the same name.

SSL_CLIENT_S_DN is set to the oneline version of the client certificate
subject's distinguished name and may be used as a setting for the
ssl.verifyclient.username config option. When Apache's mod_ssl is
configured to use 'FakeBasicAuth' it uses the SSL_CLIENT_S_DN value for
the username (that ultimately may end up in REMOTE_USER). The value
that will be set for SSL_CLIENT_S_DN may be determined using the
`openssl x509 -noout -subject -in <cert.pem>` command.

Patch file attached.

See also http://repo.or.cz/lighttpd/svnmirror/patches.git/commitdiff/fdd341bf

Associated revisions

Revision 6155d7d9 (diff)
Added by gstrauss 7 months ago

[TLS] set SSL_CLIENT_VERIFY w/ client cert (#1288, #2693)

(enabled with lighttpd.conf: ssl.verifyclient.activate = "enable")

x-ref:
"SSL Client Certificate validation."
https://redmine.lighttpd.net/issues/1288
"[PATCH] support SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN"
https://redmine.lighttpd.net/issues/2693

History

#1 Updated by gstrauss 12 months ago

  • Category changed from core to TLS

#3 Updated by gstrauss 10 months ago

  • Assignee deleted (stbuehler)
  • Missing in 1.5.x deleted (Yes)

#4 Updated by gstrauss 4 months ago

  • Status changed from New to Need Feedback
  • Priority changed from Normal to Low

SSL_CLIENT_VERIFY has been implemented.

SSL_CLIENT_S_DN has not been implemented, and I am not quite convinced it is needed when there are other recommended solutions. According to X509_NAME_oneline() (https://linux.die.net/man/3/x509_name_oneline), NOTES section:

    The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.

As an alternative, lighttpd does provide SSL_CLIENT_S_DN_* components, which can be used with e.g.

    ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID"

or

    ssl.verifyclient.username = "SSL_CLIENT_S_DN_emailAddress"

Is there still a desire to have lighttpd provide SSL_CLIENT_S_DN, given the limitations described above, as well as the alternatives available?

--- a/src/response.c
+++ b/src/response.c
@@ -180,6 +180,16 @@ static void https_add_ssl_client_entries(server *srv, connection *con) {
        }

        {
+               char *s_dn = X509_NAME_oneline(xn, NULL, 0);
+               if (NULL != s_dn) {
+                       array_set_key_value(con->environment,
+                                           CONST_STR_LEN("SSL_CLIENT_S_DN"),
+                                           s_dn, strlen(s_dn));
+                       OPENSSL_free(s_dn);
+               }
+       }
+
+       {
                ASN1_INTEGER *xsn = X509_get_serialNumber(xs);
                BIGNUM *serialBN = ASN1_INTEGER_to_BN(xsn, NULL);
                char *serialHex = BN_bn2hex(serialBN);
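
Review bot: X509_NAME_oneline(xn, NULL, 0) at the top of this hunk is the legacy API the thread already flags: its output form is non-standard, multi-byte fields are not handled, and OpenSSL before 1.0.1t / 1.0.2h is affected by CVE-2016-2176 (buffer over-read on crafted EBCDIC ASN.1), so the value of SSL_CLIENT_S_DN would depend on the OpenSSL build and version. Consider rendering the name with X509_NAME_print_ex() into a memory BIO under a fixed flag set (for example XN_FLAG_RFC2253), which is what the request on pull request 63 asks for. Separately, `xn` is not declared within the visible context while the neighbouring block works from `xs`, so confirm it is the subject name and not the issuer name before it is published as SSL_CLIENT_S_DN. The NULL check and the OPENSSL_free() pairing are correct for the allocating form of the call.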

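An added example, not part of this ticket or of lighttpd's code, showing how a backend can safely consume the variables the description and note #4 describe: it refuses to trust any SSL_CLIENT_S_DN_* data unless SSL_CLIENT_VERIFY is "SUCCESS", picks the username from one component the way ssl.verifyclient.username does, and composes a standards-conformant (RFC 4514) DN string from the components instead of relying on X509_NAME_oneline() output. The sample environment is constructed; the UID and emailAddress component names are from the ticket, while CN, OU, O and C are assumed.

```python
import re

# Constructed sample environment, in the shape lighttpd hands a CGI/FastCGI
# backend with ssl.verifyclient.activate = "enable". UID/emailAddress come
# from the ticket; the CN, OU, O and C component names are assumed.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_C": "DE",
    "SSL_CLIENT_S_DN_O": "Example, Inc.",    # comma must be escaped
    "SSL_CLIENT_S_DN_OU": " Ops ",           # leading/trailing spaces
    "SSL_CLIENT_S_DN_CN": "Jürgen Müller",   # multi-byte UTF-8 field
    "SSL_CLIENT_S_DN_emailAddress": "jm@example.org",
}
# Most-specific-first attribute order for the RFC 4514 string form (assumed).
RDN_ORDER = ("emailAddress", "UID", "CN", "OU", "O", "L", "ST", "C")
_SPECIAL = re.compile(r'["+,;<>\\]')

def rfc4514_escape(value: str) -> str:
    """Escape one attribute value per RFC 4514 section 2.4."""
    out = _SPECIAL.sub(lambda m: "\\" + m.group(0), value)
    out = out.replace("\x00", "\\00")
    if out.endswith(" "):            # trailing space
        out = out[:-1] + "\\ "
    if out.startswith((" ", "#")):   # leading space or '#'
        out = "\\" + out
    return out

def subject_dn(env: dict) -> str:
    """Compose a standard DN string from the SSL_CLIENT_S_DN_* components.

    Caveat: the per-component variables lose RDN order and cannot express
    multi-valued RDNs, so this is a canonical rendering, not a byte copy.
    """
    return ",".join(f"{a}={rfc4514_escape(env['SSL_CLIENT_S_DN_' + a])}"
                    for a in RDN_ORDER if "SSL_CLIENT_S_DN_" + a in env)

def client_identity(env: dict, username_attr: str = "emailAddress"):
    """Return (username, dn) only if the TLS layer verified the client cert.

    NONE and FAILED:reason raise, so DN data from an unverified cert is never
    trusted; as with ssl.verifyclient.username, the username is one component.
    """
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        reason = verify[len("FAILED:"):] if verify.startswith("FAILED:") else verify
        raise PermissionError(f"client certificate not verified: {reason}")
    username = env.get("SSL_CLIENT_S_DN_" + username_attr)
    if not username:
        raise PermissionError(f"verified certificate has no {username_attr}")
    return username, subject_dn(env)
```
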
#5 Updated by gstrauss 4 months ago

Besides the X509_NAME_oneline() function being deprecated, until fairly recently there was a security issue with the function, too.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

#6 Updated by gstrauss 4 months ago

If this feature is still desired, please see what was posted on https://github.com/lighttpd/lighttpd1.4/pull/63 over two months ago:

    Please consider using X509_NAME_print_ex() and propose a reasonable set of flags for a consistent and still-useful result.
