Context Navigation

source: mod_gnutls/debian/patches/fix-tls-client-auth.patch @ 2db6923

Visit:

debian/masterdebian/stretch-backportsjessie-backports

Last change on this file since 2db6923 was 2db6923, checked in by Daniel Kahn Gillmor <dkg@…>, 7 years ago
refresh patches with gbp pq
Property mode set to `100644`
File size: 2.0 KB

Rev	Line
[78c6829]	1	From: Thomas Klute <thomas2.klute@uni-dortmund.de>
	2	Date: Thu, 5 Feb 2015 14:48:45 +0100
[2db6923]	3	Subject: TLS Client auth: Check server verify mode if unset for dir
[78c6829]	4
	5	The authentication hook (mgs_hook_authz) failed to consider the server's
	6	client verify mode, even if the verify mode was unset in the directory
	7	configuration. As a result, invalid certificates were ignored and
	8	clients could connect and receive data as long as they presented any
	9	certificate whatsoever. Logs showed that authorization was granted
	10	despite the certificate being invalid (timestamps removed for
	11	readability):
	12
	13	[:debug] [pid 10806:tid 140242057148160] gnutls_hooks.c(1198): [client ::1:40992] GnuTLS: Verifying list of 1 certificate(s) via method 'cartel'
	14	[:info] [pid 10806:tid 140242057148160] [client ::1:40992] GnuTLS: Could not find Signer for Peer Certificate
	15	[:info] [pid 10806:tid 140242057148160] [client ::1:40992] GnuTLS: Peer Certificate is invalid.
	16	[authz_core:debug] [pid 10806:tid 140242057148160] mod_authz_core.c(835): [client ::1:40992] AH01628: authorization result: granted (no directives)
	17
	18	This commit adds a check for undefined verify mode in the directory
	19	configuration and applies the server wide configuration in that case.
	20	---
	21	src/gnutls_hooks.c \| 9 ++++++---
	22	1 file changed, 6 insertions(+), 3 deletions(-)
	23
[2db6923]	24	diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
	25	index 1c2e094..e6e7a67 100644
	26	--- a/src/gnutls_hooks.c
	27	+++ b/src/gnutls_hooks.c
[78c6829]	28	@@ -871,9 +871,12 @@ int mgs_hook_authz(request_rec * r) {
	29	return DECLINED;
	30	}
	31	rv = mgs_cert_verify(r, ctxt);
	32	- if (rv != DECLINED &&
	33	- (rv != HTTP_FORBIDDEN \|\|
	34	- dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
	35	+ if (rv != DECLINED
	36	+ && (rv != HTTP_FORBIDDEN
	37	+ \|\| dc->client_verify_mode == GNUTLS_CERT_REQUIRE
	38	+ \|\| (dc->client_verify_mode == -1
	39	+ && ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE)))
	40	+ {
	41	return rv;
	42	}
	43	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: