Feature #2694

closed

[PATCH] add support for ssl.cadn-file

Added by mackyle almost 8 years ago. Updated over 6 years ago.

Status: Fixed
Priority: Normal
Category: TLS
Target version:

Description

If ssl.cadn-file is not set, fall back to ssl.ca-file.

The ssl.cadn-file option provides independent control of
the "certificate_authorities" field (see RFC 5246 section
7.4.4 Certificate Request) separate from the actual list
of trusted certificate authorities used for client
certificate verification.

It may be necessary to send a hint that includes the DN
of a non-root client CA in order to receive the correct
certificate from the client, but such a non-root CA really
does not belong in the trusted client root CA list.

Patch file attached.

See also http://repo.or.cz/lighttpd/svnmirror/patches.git/commitdiff/40b4cee1
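A configuration sketch of the two settings described above, added here as an illustration; it is not taken from the ticket's patch or from lighttpd's own documentation. The file paths, the socket, and the CA names are assumptions, and the option name is the one used in this ticket, so check the name against the release notes of the lighttpd version actually deployed.

```conf
# Added illustration, not from the ticket's patch. Paths, socket and CA
# names are assumed; the option name is as used in this ticket.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/etc/lighttpd/certs/server.pem"

    # Request a client certificate and reject the handshake when the
    # presented chain does not verify.
    ssl.verifyclient.activate = "enable"
    ssl.verifyclient.enforce  = "enable"

    # Trust anchors for client certificate verification: the root only.
    # Without ssl.cadn-file, the subject DNs of every certificate in this
    # file are also what the server advertises as certificate_authorities
    # in its CertificateRequest. Putting the issuing CA here just to make
    # the hint list complete would also make it a trust anchor, which the
    # ticket argues against:
    #   ssl.ca-file = "/etc/lighttpd/certs/client-root-and-issuing-ca.pem"
    ssl.ca-file = "/etc/lighttpd/certs/client-root-ca.pem"

    # Separate bundle used only to populate the certificate_authorities
    # hint (RFC 5246 section 7.4.4). It carries the non-root issuing
    # client CA as well as the root, so a client holding several
    # certificates selects the one chaining to the issuing CA, while
    # the set of trust anchors above stays limited to the root.
    ssl.cadn-file = "/etc/lighttpd/certs/client-ca-hints.pem"
}
```

To confirm what the server advertises, connect with `openssl s_client -connect example.com:443 -servername example.com` (host assumed) and read the "Acceptable client certificate CA names" section of its output: with the hint file in place it should list the issuing CA's DN even though that CA is absent from ssl.ca-file. Because the trust store then holds only the root, a client whose certificate was issued by the intermediate must send the intermediate in its certificate chain for verification to succeed.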


Files

0008-ssl-add-support-for-ssl.cadn-file_patch.txt (4.49 KB), mackyle, 2015-12-03 23:02
0003-ssl-add-support-for-ssl.cadn-file_patch.txt (4.47 KB), mackyle, 2016-03-26 20:58
ca-crl-1.4.41.patch (3.56 KB), revocation list patch for version 1.4.41 (unrelated to this ticket; see #2319), flynn, 2016-08-02 09:35
#1

Updated by mackyle over 7 years ago

A recent change ([stat] mimetype.xattr-name global config option) broke this patch.

An updated patch is attached. The two preceding parts to this SSL series (#2693 and #2692) are not affected.

See also http://repo.or.cz/lighttpd/svnmirror/patches.git/commitdiff/91469a0d

#2

Updated by gstrauss over 7 years ago

  • Category changed from core to TLS
#4

Updated by gstrauss over 7 years ago

  • Assignee deleted (stbuehler)
  • Missing in 1.5.x deleted (Yes)
#5

Updated by flynn over 7 years ago

I updated the patch for version 1.4.41.
Can this make it into version 1.4.42?

#6

Updated by gstrauss over 7 years ago

Patches are much more likely to be included if there is someone with whom I can discuss the patches, and who can reliably test lighttpd once those patches have been applied (and before the patches are included in a lighttpd release).

mackyle had posted a few pull requests, including 62, 63, and 64.
I left quite a few comments in https://github.com/lighttpd/lighttpd1.4/pull/63 but unfortunately got no response, and I am hesitant to spend time reviewing and maintaining drive-by patch dumps.

https://github.com/lighttpd/lighttpd1.4/pull/62
https://github.com/lighttpd/lighttpd1.4/pull/63
https://github.com/lighttpd/lighttpd1.4/pull/64

The patch you updated (above) is also submitted as a pull request at https://github.com/lighttpd/lighttpd1.4/pull/64

#7

Updated by gstrauss over 6 years ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.46

Please note that flynn's patch above is related to #2319, not this ticket.

#8

Updated by gstrauss over 6 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100