source: mod_gnutls/debian/patches/fix-tls-client-auth.patch @ 2db6923

Last change on this file since 2db6923 was 2db6923, checked in by Daniel Kahn Gillmor <dkg@…>, 7 years ago

refresh patches with gbp pq

From: Thomas Klute <thomas2.klute@uni-dortmund.de>
Date: Thu, 5 Feb 2015 14:48:45 +0100
Subject: TLS Client auth: Check server verify mode if unset for dir

The authentication hook (mgs_hook_authz) failed to consider the server's
client verify mode, even if the verify mode was unset in the directory
configuration. As a result, invalid certificates were ignored and
clients could connect and receive data as long as they presented any
certificate whatsoever. Logs showed that authorization was granted
despite the certificate being invalid (timestamps removed for
readability):

[:debug] [pid 10806:tid 140242057148160] gnutls_hooks.c(1198): [client ::1:40992] GnuTLS: Verifying list of 1 certificate(s) via method 'cartel'
[:info] [pid 10806:tid 140242057148160] [client ::1:40992] GnuTLS: Could not find Signer for Peer Certificate
[:info] [pid 10806:tid 140242057148160] [client ::1:40992] GnuTLS: Peer Certificate is invalid.
[authz_core:debug] [pid 10806:tid 140242057148160] mod_authz_core.c(835): [client ::1:40992] AH01628: authorization result: granted (no directives)

This commit adds a check for undefined verify mode in the directory
configuration and applies the server wide configuration in that case.
---
 src/gnutls_hooks.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/src/gnutls_hooks.c b/src/gnutls_hooks.c
index 1c2e094..e6e7a67 100644
--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -871,9 +871,12 @@ int mgs_hook_authz(request_rec * r) {
             return DECLINED;
         }
         rv = mgs_cert_verify(r, ctxt);
-        if (rv != DECLINED &&
-                (rv != HTTP_FORBIDDEN ||
-                dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
+        if (rv != DECLINED
+            && (rv != HTTP_FORBIDDEN
+                || dc->client_verify_mode == GNUTLS_CERT_REQUIRE
+                || (dc->client_verify_mode == -1
+                    && ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE)))
+        {
             return rv;
         }
     }
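Review bot: the "unset in directory config" sentinel -1 is now compared inline inside the authorization condition, so the directory-vs-server fallback lives in the middle of a four-clause boolean and is easy to drift from wherever else the module resolves the effective verify mode. Resolve it once before the test, e.g. `int verify_mode = (dc->client_verify_mode != -1) ? dc->client_verify_mode : ctxt->sc->client_verify_mode;` and then keep the original two-clause condition with `verify_mode == GNUTLS_CERT_REQUIRE`; a comment stating that -1 means the directive was not set at directory level would also help, since nothing in the hunk names that value. The log excerpt in the commit message is a ready-made regression case: an invalid client certificate with the directory mode unset and the server mode GNUTLS_CERT_REQUIRE must now return HTTP_FORBIDDEN instead of falling through to "granted (no directives)".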
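To make the failure mode in the commit message concrete, here is an added C example (not mod_gnutls code) that models the authorization decision before and after the patch. All constants are local stand-ins for the Apache and GnuTLS values of the same name, the fall-through result after the `if` block is assumed to be DECLINED, and `effective_verify_mode`/`authz_refactored` are a hypothetical restructuring that is checked exhaustively against the patched condition.

```c
/* Added example, not mod_gnutls code: models mgs_hook_authz's decision
 * before and after the patch. Constants are local stand-ins for the
 * Apache/GnuTLS values of the same name. */
#include <stdio.h>

#define OK             0
#define DECLINED       (-1)
#define HTTP_FORBIDDEN 403

/* Stand-ins for the GnuTLS client verify modes; -1 is the module's
 * "not set in directory config" marker seen in the hunk. */
#define VERIFY_UNSET        (-1)
#define GNUTLS_CERT_IGNORE  0
#define GNUTLS_CERT_REQUEST 1
#define GNUTLS_CERT_REQUIRE 2

/* Pre-patch logic: only the directory mode is consulted. With the directory
 * mode unset, HTTP_FORBIDDEN from certificate verification is swallowed even
 * when the server-wide mode is GNUTLS_CERT_REQUIRE. */
int authz_before(int rv, int dir_mode, int srv_mode)
{
    (void)srv_mode;
    if (rv != DECLINED &&
        (rv != HTTP_FORBIDDEN || dir_mode == GNUTLS_CERT_REQUIRE)) {
        return rv;
    }
    return DECLINED; /* assumed: hand off to the remaining authz providers */
}

/* Post-patch logic: the condition exactly as written in the hunk. */
int authz_after(int rv, int dir_mode, int srv_mode)
{
    if (rv != DECLINED
        && (rv != HTTP_FORBIDDEN
            || dir_mode == GNUTLS_CERT_REQUIRE
            || (dir_mode == VERIFY_UNSET
                && srv_mode == GNUTLS_CERT_REQUIRE))) {
        return rv;
    }
    return DECLINED;
}

/* Hypothetical refactoring: resolve the directory/server fallback once. */
int effective_verify_mode(int dir_mode, int srv_mode)
{
    return dir_mode != VERIFY_UNSET ? dir_mode : srv_mode;
}

int authz_refactored(int rv, int dir_mode, int srv_mode)
{
    int mode = effective_verify_mode(dir_mode, srv_mode);
    if (rv != DECLINED && (rv != HTTP_FORBIDDEN || mode == GNUTLS_CERT_REQUIRE)) {
        return rv;
    }
    return DECLINED;
}

/* Exhaustively confirm the refactored form agrees with the patched condition
 * for every verify-result and mode combination. Returns 1 on agreement. */
int refactored_matches_patch(void)
{
    static const int rvs[] = { DECLINED, OK, HTTP_FORBIDDEN };
    static const int modes[] = { VERIFY_UNSET, GNUTLS_CERT_IGNORE,
                                 GNUTLS_CERT_REQUEST, GNUTLS_CERT_REQUIRE };
    for (int i = 0; i < 3; i++)
        for (int d = 0; d < 4; d++)
            for (int s = 0; s < 4; s++)
                if (authz_after(rvs[i], modes[d], modes[s]) !=
                    authz_refactored(rvs[i], modes[d], modes[s]))
                    return 0;
    return 1;
}

int main(void)
{
    /* The scenario from the commit message: directory mode unset, server
     * mode REQUIRE, and the client certificate rejected by verification. */
    printf("invalid cert, dir unset, server require -> before: %d, after: %d\n",
           authz_before(HTTP_FORBIDDEN, VERIFY_UNSET, GNUTLS_CERT_REQUIRE),
           authz_after(HTTP_FORBIDDEN, VERIFY_UNSET, GNUTLS_CERT_REQUIRE));
    return refactored_matches_patch() ? 0 : 1;
}
```

Before the patch the rejected certificate yields DECLINED, which is what lets mod_authz_core report "granted (no directives)"; after it the same inputs yield HTTP_FORBIDDEN. The exhaustive comparison is the check a reviewer would want before replacing the inline `-1` clauses with a single effective-mode lookup.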