<p>Lighttpd - Feature #2693: [PATCH] support SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN</p>
<p>Journal entry by gstrauss, 2016-05-01T07:10:35Z: <a class="external" href="https://redmine.lighttpd.net/issues/2693?journal_id=9526">https://redmine.lighttpd.net/issues/2693?journal_id=9526</a></p>
<ul><li><strong>Category</strong> changed from <i>core</i> to <i>TLS</i></li></ul>
<p>Journal entry by mackyle, 2016-05-11T02:38:12Z: <a class="external" href="https://redmine.lighttpd.net/issues/2693?journal_id=9580">https://redmine.lighttpd.net/issues/2693?journal_id=9580</a></p>
<p>Updated to reflect deprecation of svn repository:</p>
<p><a class="external" href="http://repo.or.cz/lighttpd/gitmirror/patches.git/commitdiff/refs/heads/patch/extra-vars">http://repo.or.cz/lighttpd/gitmirror/patches.git/commitdiff/refs/heads/patch/extra-vars</a></p>
<p><a class="external" href="https://github.com/lighttpd/lighttpd1.4/pull/63">https://github.com/lighttpd/lighttpd1.4/pull/63</a></p>
<p>Journal entry by gstrauss, 2016-07-06T02:26:04Z: <a class="external" href="https://redmine.lighttpd.net/issues/2693?journal_id=9819">https://redmine.lighttpd.net/issues/2693?journal_id=9819</a></p>
<ul><li><strong>Assignee</strong> deleted (<del><i>stbuehler</i></del>)</li><li><strong>Missing in 1.5.x</strong> deleted (<del><i>Yes</i></del>)</li></ul>
<p>Journal entry by gstrauss, 2016-12-20T16:08:04Z: <a class="external" href="https://redmine.lighttpd.net/issues/2693?journal_id=10682">https://redmine.lighttpd.net/issues/2693?journal_id=10682</a></p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Need Feedback</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>Low</i></li></ul><p>SSL_CLIENT_VERIFY has been implemented.</p>
<p>SSL_CLIENT_S_DN has not been implemented, and I am not quite convinced it is needed when there are other recommended solutions. According to X509_NAME_oneline() (<a class="external" href="https://linux.die.net/man/3/x509_name_oneline">https://linux.die.net/man/3/x509_name_oneline</a>):</p>
<blockquote>
<p>Notes</p>
<p>The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.</p>
</blockquote>
<p>As an alternative, lighttpd does provide SSL_CLIENT_S_DN_* components, which can be used with e.g.<br /> ssl.verifyclient.username = "SSL_CLIENT_S_DN_UID" <br />or<br /> ssl.verifyclient.username = "SSL_CLIENT_S_DN_emailAddress"</p>
<p>Is there still a desire to have lighttpd provide SSL_CLIENT_S_DN, given the limitations described above, as well as the alternatives available?</p>
<pre>
--- a/src/response.c
+++ b/src/response.c
@@ -180,6 +180,16 @@ static void https_add_ssl_client_entries(server *srv, connection *con) {
}
{
+ char *s_dn = X509_NAME_oneline(xn, NULL, 0);
+ if (NULL != s_dn) {
+ array_set_key_value(con->environment,
+ CONST_STR_LEN("SSL_CLIENT_S_DN"),
+ s_dn, strlen(s_dn));
+ OPENSSL_free(s_dn);
+ }
+ }
+
+ {
ASN1_INTEGER *xsn = X509_get_serialNumber(xs);
BIGNUM *serialBN = ASN1_INTEGER_to_BN(xsn, NULL);
char *serialHex = BN_bn2hex(serialBN);
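Review bot: the first added line, `char *s_dn = X509_NAME_oneline(xn, NULL, 0);`, builds SSL_CLIENT_S_DN with the legacy formatter that the OpenSSL manual strongly discourages (non-standard output, no handling of multi-character string types) and that was affected by CVE-2016-2176 (stack buffer over-read) in OpenSSL before 1.0.1t/1.0.2h, as noted further down this issue. Because the subject name comes from a client-supplied certificate and the result is exported into the backend environment, the value should be produced with a formatter that has a defined escaping scheme: print the name with X509_NAME_print_ex() into a memory BIO using a fixed flag set (for example XN_FLAG_RFC2253, or XN_FLAG_ONELINE if compatibility with the old one-line layout matters), then copy the BIO contents into the array entry and free the BIO; the NULL check and OPENSSL_free() pairing in the hunk are correct for the current call and should be kept in equivalent form for the BIO. Minor style point: the added lines close the existing `{` block early and reopen a new one with `+ }` / `+ {` only to keep the serial-number code in its own scope; placing the DN export inside the existing block, or before it, avoids that reshuffle and keeps the diff to the new lines only.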
</pre>
<p>Journal entry by gstrauss, 2016-12-20T16:13:18Z: <a class="external" href="https://redmine.lighttpd.net/issues/2693?journal_id=10683">https://redmine.lighttpd.net/issues/2693?journal_id=10683</a></p>
<p>Besides the X509_NAME_oneline() function being deprecated, until fairly recently there was a security issue with the function, too.</p>
<p><a class="external" href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176</a></p>
<blockquote>
<p>The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.</p>
</blockquote>
<p>Journal entry by gstrauss, 2016-12-20T16:24:25Z: <a class="external" href="https://redmine.lighttpd.net/issues/2693?journal_id=10684">https://redmine.lighttpd.net/issues/2693?journal_id=10684</a></p>
<p>If this feature is still desired, please see what was posted on <a class="external" href="https://github.com/lighttpd/lighttpd1.4/pull/63">https://github.com/lighttpd/lighttpd1.4/pull/63</a> over two months ago:</p>
<blockquote>
<p>Please consider using X509_NAME_print_ex() and propose a reasonable set of flags for a consistent and still-useful result.</p>
</blockquote>
<p>Journal entry by gstrauss, 2017-05-21T04:32:24Z: <a class="external" href="https://redmine.lighttpd.net/issues/2693?journal_id=11039">https://redmine.lighttpd.net/issues/2693?journal_id=11039</a></p>
<ul><li><strong>Status</strong> changed from <i>Need Feedback</i> to <i>Patch Pending</i></li><li><strong>Target version</strong> changed from <i>1.4.x</i> to <i>1.4.46</i></li></ul>
<p>Journal entry by gstrauss, 2017-05-21T04:45:09Z: <a class="external" href="https://redmine.lighttpd.net/issues/2693?journal_id=11040">https://redmine.lighttpd.net/issues/2693?journal_id=11040</a></p>
<ul><li><strong>Status</strong> changed from <i>Patch Pending</i> to <i>Fixed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="[mod_openssl] safer_X509_NAME_oneline() (fixes #2693) provide a safer X590_NAME_oneline() with r..." href="https://redmine.lighttpd.net/projects/lighttpd/repository/14/revisions/fb87ae860481cd2ab3da9451faaaf7987ae8a645">fb87ae860481cd2ab3da9451faaaf7987ae8a645</a>.</p>