[mod_openssl] ignore client verification error if not enforced #83
ignore client verification error if not enforced e.g. *not* ssl.verifyclient.enforce = "enable" github: closes lighttpd#83 x-ref: "ignore client verification error if not enforced" lighttpd#83
Thanks. That diff is much more readable.
force-pushed d57d25d to c8c0c3f
Oops, I pushed a new commit right now... have you already merged it to master?
I did push to master, though for some reason the commit hook did not push back to github. It's on git.lighttpd.net.
I did a minor modification to the verify callback. I reused the If it is not too late, you may consider this improvement. Sorry about that.
What is the benefit of that change? (Yes, it can be made if it makes sense.) The patch I took (the earlier patch) followed the example in https://wiki.openssl.org/index.php/Manual:SSL_CTX_set_verify(3)#EXAMPLES and your new commit differs from the example. Would you please explain why?
The benefits are:
I tested with valgrind and there is no leaks and no errors with the latest version of openssl (1.1.0-dev).
I don't see that in the patch below.
I did not test with latest openssl. What error existed prior to your latest patch? However, I did accidentally let you insert two literal tabs ('\t') in your patch, in a .c file without literal tabs, so I plan to remove them. Please review the diff of your latest patch with what I committed to 04d510a in https://github.com/gstrauss/lighttpd.1.4 Are there any differences other than what I posted above?
force-pushed c8c0c3f to 4051050
Right, I just reused the variable.
I am fixing the tab and will force-push on this branch.
Instead of force-push, please add a new commit so that I can more easily cherry-pick it. Thanks.
a new commit on top of 04d510a?
With development version of openssl, gcc complains about: mod_openssl.c: In function ‘verify_callback’: mod_openssl.c:239:51: error: dereferencing pointer to incomplete type ‘X509_STORE_CTX {aka struct x509_store_ctx_st}’ X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof(buf)); ^~ This also fixes an indentation mismatch.
force-pushed 4051050 to 3db284e
Just looked at the openssl code. Now I see that err_cert = X509_STORE_CTX_get_current_cert(ctx) is the same result as ctx->current_cert, though that structure is private in openssl 1.1.0. Thank you for testing with openssl 1.1.0 and for the rest of your thorough testing. Still, X509_STORE_CTX_get_current_cert() is not present in openssl 1.0.1 (different than 1.1.0), but that interface appears in 1.0.2. Therefore, we need to use ctx->current_cert on versions earlier than openssl 1.0.2. Also, the openssl manual page notes:
[edit] openssl 1.0.1 reached end-of-life at the end of 2016, but there are still some OS vendors supposedly supporting it until their long term releases reach end-of-life.
I need to test this with 1.0.1 before pushing to master:
A modification needs to be made to what was committed. X509_NAME_oneline() is deprecated.
Besides X509_NAME_oneline() function being deprecated, until fairly recently, there was a security issue with the function, too. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176
Please consider using X509_NAME_print_ex() and propose a reasonable set of flags for a consistent and still-useful result. The above was also noted in https://redmine.lighttpd.net/issues/2693 and related pull request #63
Okay. I will check for that. I am currently on holiday, but I will find a moment to fix and test this issue.
Enjoy your holiday. I have what I think is a solution, and I plan to test and push tomorrow.
Hi,
Here is the change with every commits squashed in a single commit, as discussed here.
Regards,
Gaël