[78c6829] | 1 | From: Thomas Klute <thomas2.klute@uni-dortmund.de> |
| 2 | Date: Thu, 5 Feb 2015 14:48:45 +0100 |
[2db6923] | 3 | Subject: TLS Client auth: Check server verify mode if unset for dir |
[78c6829] | 4 | |
| 5 | The authentication hook (mgs_hook_authz) failed to consider the server's |
| 6 | client verify mode, even if the verify mode was unset in the directory |
| 7 | configuration. As a result, invalid certificates were ignored and |
| 8 | clients could connect and receive data as long as they presented any |
| 9 | certificate whatsoever. Logs showed that authorization was granted |
| 10 | despite the certificate being invalid (timestamps removed for |
| 11 | readability): |
| 12 | |
| 13 | [:debug] [pid 10806:tid 140242057148160] gnutls_hooks.c(1198): [client ::1:40992] GnuTLS: Verifying list of 1 certificate(s) via method 'cartel' |
| 14 | [:info] [pid 10806:tid 140242057148160] [client ::1:40992] GnuTLS: Could not find Signer for Peer Certificate |
| 15 | [:info] [pid 10806:tid 140242057148160] [client ::1:40992] GnuTLS: Peer Certificate is invalid. |
| 16 | [authz_core:debug] [pid 10806:tid 140242057148160] mod_authz_core.c(835): [client ::1:40992] AH01628: authorization result: granted (no directives) |
| 17 | |
| 18 | This commit adds a check for undefined verify mode in the directory |
| 19 | configuration and applies the server wide configuration in that case. |
| 20 | --- |
| 21 | src/gnutls_hooks.c | 9 ++++++--- |
| 22 | 1 file changed, 6 insertions(+), 3 deletions(-) |
| 23 | |
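diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index 1c2e094..e6e7a67 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -871,9 +871,12 @@ int mgs_hook_authz(request_rec * r) {
 return DECLINED;
 }
 rv = mgs_cert_verify(r, ctxt);
-if (rv != DECLINED &&
-(rv != HTTP_FORBIDDEN ||
-dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
+if (rv != DECLINED
+&& (rv != HTTP_FORBIDDEN
+|| dc->client_verify_mode == GNUTLS_CERT_REQUIRE
+|| (dc->client_verify_mode == -1
+&& ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE)))
+{
 return rv;
 }
 }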
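Review bot: The directory-unset fallback is folded into the condition at patch lines 38–39 with the bare literal `-1` standing for "not configured", and the same directory-then-server resolution presumably has to be made wherever the handshake's certificate-request mode is chosen, so the two are easy to drift apart. Resolving the effective mode once before the test keeps it in one place and makes the authorization decision readable: `int verify_mode = (dc->client_verify_mode == -1) ? ctxt->sc->client_verify_mode : dc->client_verify_mode;` followed by `if (rv != DECLINED && (rv != HTTP_FORBIDDEN || verify_mode == GNUTLS_CERT_REQUIRE))`. If the tree already has a named constant for the unset value, it should replace the literal; otherwise one should be introduced rather than repeating `-1`. Note that an unset directory under a server configured for GNUTLS_CERT_REQUEST still does not return a HTTP_FORBIDDEN result from this branch, which matches the explicit-REQUEST directory case; a short comment such as `/* FORBIDDEN is only fatal when the effective mode is REQUIRE */` would make that intent explicit. mgs_hook_authz begins before the hunk, so the earlier checks on dc and ctxt are not visible here.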
---|