Project

General

Profile

Actions

Feature #2693

closed

[PATCH] support SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN

Added by mackyle over 8 years ago. Updated almost 7 years ago.

Status:
Fixed
Priority:
Low
Category:
TLS
Target version:
ASK QUESTIONS IN Forums:

Description

SSL_CLIENT_VERIFY is set to "NONE", "SUCCESS" or "FAILED:reason".
This is compatible with Apache's mod_ssl variable of the same name.

SSL_CLIENT_S_DN is set to the oneline version of the client certificate
subject's distinguished name and may be used as a setting for the
ssl.verifyclient.username config option. When Apache's mod_ssl is
configured to use 'FakeBasicAuth' it uses the SSL_CLIENT_S_DN value for
the username (that ultimately may end up in REMOTE_USER). The value
that will be set for SSL_CLIENT_S_DN may be determined using the
`openssl x509 -noout -subject -in <cert.pem>` command.

Patch file attached.

See also http://repo.or.cz/lighttpd/svnmirror/patches.git/commitdiff/fdd341bf


Files

Actions #1

Updated by gstrauss almost 8 years ago

  • Category changed from core to TLS
Actions #3

Updated by gstrauss over 7 years ago

  • Assignee deleted (stbuehler)
  • Missing in 1.5.x deleted (Yes)
Actions #4

Updated by gstrauss over 7 years ago

  • Status changed from New to Need Feedback
  • Priority changed from Normal to Low

SSL_CLIENT_VERIFY has been implemented.

SSL_CLIENT_S_DN has not been implemented, and I am not quite convinced it is needed when there are other recommended solutions. According to X509_NAME_oneline() (https://linux.die.net/man/3/x509_name_oneline)

Notes

The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.

As an alternative, lighttpd does provide SSL_CLIENT_S_DN_* components, which can be used with e.g.
ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID"
or
ssl.verifyclient.username = "SSL_CLIENT_S_DN_emailAddress"

Is there still a desire to have lighttpd provide SSL_CLIENT_S_DN, given the limitations described above, as well as the alternatives available?

--- a/src/response.c
+++ b/src/response.c
@@ -180,6 +180,16 @@ static void https_add_ssl_client_entries(server *srv, connection *con) {
        }

        {
+               char *s_dn = X509_NAME_oneline(xn, NULL, 0);
+               if (NULL != s_dn) {
+                       array_set_key_value(con->environment,
+                                           CONST_STR_LEN("SSL_CLIENT_S_DN"),
+                                           s_dn, strlen(s_dn));
+                       OPENSSL_free(s_dn);
+               }
+       }
+
+       {
                ASN1_INTEGER *xsn = X509_get_serialNumber(xs);
                BIGNUM *serialBN = ASN1_INTEGER_to_BN(xsn, NULL);
                char *serialHex = BN_bn2hex(serialBN);
Actions #5

Updated by gstrauss over 7 years ago

Besides X509_NAME_oneline() function being deprecated, until fairly recently, there was a security issue with the function, too.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

Actions #6

Updated by gstrauss over 7 years ago

If this feature is still desired, please see what was posted on https://github.com/lighttpd/lighttpd1.4/pull/63 over two months ago:

Please consider using X509_NAME_print_ex() and propose a reasonable set of flags for a consistent and still-useful result.

Actions #7

Updated by gstrauss almost 7 years ago

  • Status changed from Need Feedback to Patch Pending
  • Target version changed from 1.4.x to 1.4.46
Actions #8

Updated by gstrauss almost 7 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
Actions

Also available in: Atom