
Feature #2694

[PATCH] add support for ssl.cadn-file

Added by mackyle over 1 year ago. Updated 13 days ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: TLS
Target version:
Start date: 2015-12-03
Due date:
% Done: 100%
Missing in 1.5.x:

Description

If ssl.cadn-file is not set, fall back to ssl.ca-file.

The ssl.cadn-file option provides independent control of
the "certificate_authorities" field (see RFC 5246 section
7.4.4 Certificate Request) separate from the actual list
of trusted certificate authorities used for client
certificate verification.

It may be necessary to send a hint that includes the DN
of a non-root client CA in order to receive the correct
certificate from the client, but such a non-root CA really
does not belong in the trusted client root CA list.

Patch file attached.

See also http://repo.or.cz/lighttpd/svnmirror/patches.git/commitdiff/40b4cee1

0008-ssl-add-support-for-ssl.cadn-file_patch.txt (4.49 KB) mackyle, 2015-12-03 23:02

0003-ssl-add-support-for-ssl.cadn-file_patch.txt (4.47 KB) mackyle, 2016-03-26 20:58

ca-crl-1.4.41.patch - Revocation list patch for version 1.4.41 (unrelated to this ticket; see #2319) (3.56 KB) flynn, 2016-08-02 09:35
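An added example (not code from the ticket, the attached patch, or lighttpd) to make the field concrete: the Python below encodes and decodes the TLS 1.2 CertificateRequest body from RFC 5246 section 7.4.4, whose certificate_authorities vector is the list of DER-encoded DNs that ssl.cadn-file would supply independently of the verification trust store. The CA names, certificate types and signature algorithm values are constructed sample data, and der_cn is a minimal DER Name encoder assumed here for illustration.

```python
import struct
# TLS 1.2 CertificateRequest body (RFC 5246 section 7.4.4): certificate_types,
# supported_signature_algorithms, certificate_authorities (DER-encoded X.501 Names).
def der_cn(cn: str) -> bytes:
    """Constructed sample DN with a single CN attribute (short CNs only)."""
    utf8 = cn.encode()
    if len(utf8) > 100:
        raise ValueError("sample helper supports only single-byte DER lengths")
    attr = b"\x06\x03\x55\x04\x03\x0c" + bytes([len(utf8)]) + utf8  # OID 2.5.4.3 + UTF8String
    atv = b"\x30" + bytes([len(attr)]) + attr                        # AttributeTypeAndValue
    rdn = b"\x31" + bytes([len(atv)]) + atv                          # RelativeDistinguishedName
    return b"\x30" + bytes([len(rdn)]) + rdn                         # Name

def build_certificate_request(cert_types, sig_algs, ca_dns) -> bytes:
    """Encode the DN hint list (what ssl.cadn-file supplies) into a CertificateRequest body."""
    sa = b"".join(struct.pack(">BB", h, s) for h, s in sig_algs)
    dns = b"".join(struct.pack(">H", len(d)) + d for d in ca_dns)
    if not cert_types or not sa or len(dns) > 0xFFFF:
        raise ValueError("vector length outside RFC 5246 bounds")
    return (bytes([len(cert_types)]) + bytes(cert_types)
            + struct.pack(">H", len(sa)) + sa + struct.pack(">H", len(dns)) + dns)

def parse_certificate_request(body: bytes):
    """Decode a CertificateRequest body; raises on inconsistent length fields."""
    off = 1 + body[0]
    cert_types = list(body[1:off])
    (sa_len,) = struct.unpack_from(">H", body, off)
    off += 2
    if sa_len % 2 or off + sa_len > len(body):
        raise ValueError("bad supported_signature_algorithms length")
    sig_algs = [(body[i], body[i + 1]) for i in range(off, off + sa_len, 2)]
    off += sa_len
    (dn_len,) = struct.unpack_from(">H", body, off)
    off += 2
    if off + dn_len != len(body):
        raise ValueError("certificate_authorities length does not match body")
    dns = []
    while off < len(body):
        (dl,) = struct.unpack_from(">H", body, off)
        off += 2
        if dl == 0 or off + dl > len(body):
            raise ValueError("bad DistinguishedName length")
        dns.append(body[off:off + dl])
        off += dl
    return cert_types, sig_algs, dns

# Constructed sample: hint names an intermediate issuing CA; trust store holds only the root.
HINT_DNS = [der_cn("Example Client Issuing CA")]
TRUSTED_DNS = [der_cn("Example Root CA")]
REQUEST = build_certificate_request([1, 64], [(4, 1), (4, 3)], HINT_DNS)  # rsa_sign, ecdsa_sign; sha256 rsa/ecdsa
```

Only names travel in the hint, so a client sees the intermediate's DN and can pick the matching certificate while the server still verifies the chain against the separate trusted root list.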

Associated revisions

Revision 0399609a
Added by gstrauss 13 days ago

[mod_openssl] ssl.ca-dn-file (fixes #2694)

(original patch by mackyle)

The ssl.ca-dn-file option provides independent control of
the "certificate_authorities" field (see RFC 5246 section
7.4.4 Certificate Request) separate from the actual list
of trusted certificate authorities used for client
certificate verification.

It may be necessary to send a hint that includes the DN
of a non-root client CA in order to receive the correct
certificate from the client, but such a non-root CA really
does not belong in the trusted client root CA list.

Signed-off-by: Kyle J. McKay

github: closes #64

x-ref:
"add support for ssl.cadn-file"
https://redmine.lighttpd.net/issues/2694
https://github.com/lighttpd/lighttpd1.4/pull/64

History

#1 Updated by mackyle about 1 year ago

A recent change ([stat] mimetype.xattr-name global config option) broke this patch.

An updated patch is attached. The two preceding parts to this SSL series (#2693 and #2692) are not affected.

See also http://repo.or.cz/lighttpd/svnmirror/patches.git/commitdiff/91469a0d

#2 Updated by gstrauss about 1 year ago

  • Category changed from core to TLS

#4 Updated by gstrauss 11 months ago

  • Assignee deleted (stbuehler)
  • Missing in 1.5.x deleted (Yes)

#5 Updated by flynn 10 months ago

I updated the patch for version 1.4.41.
Can this make it into version 1.4.42?

#6 Updated by gstrauss 10 months ago

Patches are much more likely to be included if there is someone with whom I can discuss the patches, and who can reliably test lighttpd once those patches have been applied (and before the patches are included in a lighttpd release).

mackyle had posted a few pull requests, including 62, 63, and 64.
I left quite a few comments in https://github.com/lighttpd/lighttpd1.4/pull/63 but unfortunately got no response, and I am hesitant to spend time reviewing and maintaining drive-by patch dumps.

https://github.com/lighttpd/lighttpd1.4/pull/62
https://github.com/lighttpd/lighttpd1.4/pull/63
https://github.com/lighttpd/lighttpd1.4/pull/64

The patch you updated (above) is also submitted as a pull request at https://github.com/lighttpd/lighttpd1.4/pull/64

#7 Updated by gstrauss 13 days ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.46

Please note that flynn's patch above is related to #2319, not this ticket.

#8 Updated by gstrauss 13 days ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
