[Solved] Question: Possible Logging of Certificate fingerprint etc. via access.log (also with invalid Client Cert)? => (mostly: yes; for invalid cert: no)

Added by Agossi about 1 year ago

Hi,

I just wanted to ask if it's possible to have the following information available in the access.log or something similar.

  • Fingerprint of certificate the user wants to connect to my lighttpd
  • Certificate Information: CN, DN, CA, Issuer etc.

I would also like to see connections which are being rejected by lighttpd when client certificate verification is enabled.
At the moment these are not recorded by access.log.

Any contribution is welcome, thank you


Replies (7)

RE: Question: Possible Logging of Certificate fingerprint etc. via access.log (also with invalid Client Cert)? - Added by gstrauss about 1 year ago

I just wanted to ask if it's possible

Yes. Mostly.

I would also like to see

...you read the available documentation.
lighttpd TLS docs
mod_accesslog
mod_magnet
AbsoLUAtion

Any contribution is welcome, thank you

Good luck. Read the doc.

RE: [Solved] Question: Possible Logging of Certificate fingerprint etc. via access.log (also with invalid Client Cert)? => (mostly: yes) - Added by Agossi about 1 year ago

I was able to get the cert info etc. as I need with Lua and luaossl.

But if the certificate does not match, the mod_magnet Lua calls are not executed (because they are already rejected by mod_openssl verifyclient).

Is there a possibility to get all client cert information like in the valid cert case with mod_magnet and lua before the request is rejected?

Thanks
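
As an added example (not code from this thread or from the lighttpd project), the following mod_magnet script shows the approach Agossi describes: read the PEM client certificate that mod_openssl exports into the request environment, parse it with luaossl, and write the fingerprint, subject, CN and issuer back into the request environment so mod_accesslog can print them with `%{NAME}e`. It assumes lighttpd 1.4.60 or later (for `lighty.r.req_env`), luaossl installed, `ssl.verifyclient.exportcert = "enable"`, and that the script is wired in via `magnet.attract-raw-url-to`; the variable names `SSL_CLIENT_FP`, `SSL_CLIENT_CN`, `SSL_CLIENT_ISSUER` and `SSL_CLIENT_SERIAL` are chosen here, not defined by lighttpd. Because (as established later in the thread) a certificate that fails verification is never exported, the script treats an absent or unparseable `SSL_CLIENT_CERT` as the normal "no usable client cert" case rather than an error.

```lua
-- clientcert.lua: mod_magnet script (added example, assumptions as in lead-in)
--
-- lighttpd.conf (assumed wiring):
--   magnet.attract-raw-url-to = ( "/etc/lighttpd/clientcert.lua" )
--   accesslog.format = "%h %t \"%r\" %s %{SSL_CLIENT_FP}e %{SSL_CLIENT_CN}e %{SSL_CLIENT_ISSUER}e"

local x509 = require "openssl.x509"

local env = lighty.r.req_env

-- Names written here are our own choice; "-" keeps the log columns aligned
-- when no usable client cert is present.
local function set_all(fp, cn, issuer, serial, dn)
    env["SSL_CLIENT_FP"]     = fp
    env["SSL_CLIENT_CN"]     = cn
    env["SSL_CLIENT_ISSUER"] = issuer
    env["SSL_CLIENT_SERIAL"] = serial
    env["SSL_CLIENT_S_DN"]   = dn
end

-- Pick one attribute (by OpenSSL short name, e.g. "CN") out of an X.509 name.
-- luaossl name:all() yields entries with fields id, sn, ln, blob.
local function name_attr(name, sn)
    for _, component in ipairs(name:all()) do
        if component.sn == sn then
            return component.blob
        end
    end
    return nil
end

-- Format a hex digest as colon-separated pairs, e.g. "ab:cd:...".
local function colonize(hex)
    local with_colons = hex:gsub("(%x%x)", "%1:")
    return with_colons:sub(1, -2)
end

local pem = env["SSL_CLIENT_CERT"]

-- No cert exported: either none was presented, or mod_openssl rejected it.
-- A rejected cert never reaches this script, so nothing more can be logged
-- from here for that case.
if not pem or pem == "" then
    set_all("-", "-", "-", "-", "-")
    return
end

-- Parse the PEM; guard with pcall so a malformed export cannot abort the
-- request handling and the log still records that parsing failed.
local ok, cert = pcall(x509.new, pem)
if not ok then
    set_all("unparseable", "-", "-", "-", "-")
    return
end

local subject = cert:getSubject()
local issuer  = cert:getIssuer()

set_all(
    colonize(cert:digest("sha256", "x")),   -- SHA-256 fingerprint, hex
    name_attr(subject, "CN") or "-",
    tostring(issuer),
    tostring(cert:getSerial()),
    tostring(subject)
)
-- Returning nothing lets lighttpd continue normal request processing.
```

A usage note on the design: the script only ever reads what mod_openssl already placed in the request environment, so it adds no trust decisions of its own; with `ssl.verifyclient.enforce = "enable"` it simply never runs for a rejected handshake, and with `enforce = "disable"` it sees an empty `SSL_CLIENT_CERT` for a rejected cert, which is exactly what the later posts in this thread report.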

RE: [Solved] Question: Possible Logging of Certificate fingerprint etc. via access.log (also with invalid Client Cert)? => (mostly: yes) - Added by Agossi about 1 year ago

I checked also with invalid cert and the following config:

ssl.verifyclient.ca-file    = "/cert/ca.pem"
ssl.verifyclient.enforce    = "disable"
ssl.verifyclient.activate   = "enable"
ssl.verifyclient.exportcert = "enable"
ssl.verifyclient.username   = "SSL_CLIENT_S_DN_CN"

but the cert is not exported in that case to the env:

2023-02-14 09:53:01: (mod_openssl.c.1046) SSL: verify error:num=20:unable to get local issuer certificate:depth=0:subject=CN = test.local
2023-02-14 09:53:01: (mod_openssl.c.1057) SSL: issuer=C = DE, O = Test GmbH, OU = IT, ST = Olalala, CN = SuchANiceCN, L = LL
2023-02-14 09:53:01: (mod_magnet.c.421) (lua-print) SERIAL:0

Is there a way to get the client cert in this case also?

RE: [Solved] Question: Possible Logging of Certificate fingerprint etc. via access.log (also with invalid Client Cert)? => (mostly: yes) - Added by gstrauss about 1 year ago

I checked also with invalid cert ... but the cert is not exported in that case
Is there a way to get the client cert in this case also?

Ah. No. An invalid cert is not exported since it is not valid and therefore not used.

You'll need to patch code into the lighttpd TLS modules in the client certificate validation routines to save this information somewhere if you need to access it later in the request.

You originally posted:

I would also like to see connections which are being rejected by lighttpd when client certificate verification is enabled.

That is a desire and is lacking any convincing technical justification. As such, there is no reason for me to consider this feature request.

P.S. I would consider contributed patches to make small modifications to the error log trace in the TLS modules (e.g. mod_openssl.c lines 1046 or 1057)

RE: [Solved] Question: Possible Logging of Certificate fingerprint etc. via access.log (also with invalid Client Cert)? => (mostly: yes; for invalid cert: no) - Added by Agossi about 1 year ago

Thanks again for your help.

Adding additional logging to mod_openssl would be necessary because, with client verification enforcement, mod_magnet is not called after a rejected cert, right?

I want to prevent duplicate code parts, i.e. logging via both mod_magnet and mod_openssl.
Is it possible to store the CERT in any case as lighty.r.req_env["SSL_CLIENT_CERT"] and get info although enforced client cert is set?
