Bug #2531
closeddisabling ssl.verifyclient.activate does not work in SNI
Description
If try to assign different values (enable/disable) to ssl.verifyclient.activate depending on $HTTP["host"] does not work. The first (global) setting is always active, changing it in a $HTTP["host"]{} block does not have any effect. Other settings like ssl.pemfile and ssl.ca-file work perfect depending on the hostname.
I want to have on the same IP/port different https-servers, some with client-certifcate authentication, some without. At the moment I must switch on for all and tell the users to ignore the client certificate request for some hostnames.
I'm not sure whether this a limitiation in SNI or a bug in lighttpd.
Updated by flynn about 11 years ago
With the newest patches from bug #2525 it works now (found in the current debian package), if
- the global setting (.e.g. inside $SERVER["socket"] "0.0.0.0:443" { ...) of ssl.verifyclient.activate is "disable"
- inside a $HTTP["host"] "..." {
ssl.verifyclient.activate ist "enable"
The other way:
- global setting ssl.verifyclient.activate is "enable"
- per hostname disable ssl.verifyclient.activate
still does not work.
Updated by flynn about 9 years ago
To whom it may belong ...
This ticket can be closed, I cannot do it.
There is no option to change the status of a ticket.
Updated by stbuehler almost 9 years ago
- Subject changed from ssl.verifyclient.activate does not work with SNI to disabling ssl.verifyclient.activate does not work in SNI
- Target version set to 1.4.40
I think this actually is a bug :) I'll keep it open for now.
network_ssl_servername_callback()
only enables verify-client if needed, but doesn't disable it.
Updated by gstrauss almost 9 years ago
I think this ticket can now be closed.
The following commit updated ssl.verifyclient.activate from T_CONFIG_SCOPE_SERVER to T_CONFIG_SCOPE_CONNECTION
commit c512345fa2830b7e0f4fe67ab626e9d9ba0644c4 Author: Stefan Bühler <stbuehler@web.de> Date: Sat Nov 7 12:51:11 2015 +0000 [config] check config option scope; warn if server option is given in condit ional From: Stefan Bühler <stbuehler@web.de> git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@3049 152 afb58-edef-0310-8abb-c4023f1b3aa9
network_ssl_servername_callback() patches the config after setting $SERVER["socket"], $HTTP["scheme"], and $HTTP["host"], so from a visual inspection, it looks as if con->conf.ssl_verifyclient will be set to the configured value as long as it is configured in one of those scopes, and not nested in other scopes or part of an if-else chain where earlier conditions in the if-else chain are other scopes (which are not able to be evaluated yet).
Updated by stbuehler almost 9 years ago
gstrauss wrote:
I think this ticket can now be closed.
No.
stbuehler wrote:
network_ssl_servername_callback()
only enables verify-client if needed, but doesn't disable it.
If verify-client is enabled on the SSL_CTX
(with SSL_CTX_set_verify
), the SSL
session will inherit this option. The network_ssl_servername_callback()
SNI callback needs to disable the option if it isn't active in SNI context anymore.
Updated by gstrauss almost 9 years ago
Ah. Thanks for the pointers. Since SSL_set_verify() is very quick (it uses the params to set a couple flags), how does this patch look?
diff --git a/src/network.c b/src/network.c index 48491e0..ebcc6ea 100644 --- a/src/network.c +++ b/src/network.c @@ -151,6 +151,8 @@ static int network_ssl_servername_callback(SSL *ssl, int *al, server *srv) { NULL ); SSL_set_verify_depth(ssl, con->conf.ssl_verifyclient_depth); + } else { + SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); } return SSL_TLSEXT_ERR_OK;
Updated by stbuehler almost 9 years ago
- Status changed from New to Fixed
- % Done changed from 0 to 100
Applied in changeset r3107.
Also available in: Atom