Changeset 5a8a32b in mod_gnutls

Timestamp:

Feb 5, 2015, 8:48:45 AM (8 years ago)

Author:

Thomas Klute <thomas2.klute@…>

Branches:

asyncio, debian/master, debian/stretch-backports, jessie-backports, main, master, proxy-ticket, upstream

Children:

8731286

Parents:

c4ba9722

Message:

TLS Client auth: Check server verify mode if unset for dir

The authentication hook (mgs_hook_authz) failed to consider the server's
client verify mode, even if the verify mode was unset in the directory
configuration. As a result, invalid certificates were ignored and
clients could connect and receive data as long as they presented any
certificate whatsoever. Logs showed that authorization was granted
despite the certificate being invalid (timestamps removed for
readability):

[:debug] [pid 10806:tid 140242057148160] gnutls_hooks.c(1198): [client ::1:40992] GnuTLS: Verifying list of 1 certificate(s) via method 'cartel'
[:info] [pid 10806:tid 140242057148160] [client ::1:40992] GnuTLS: Could not find Signer for Peer Certificate
[:info] [pid 10806:tid 140242057148160] [client ::1:40992] GnuTLS: Peer Certificate is invalid.
[authz_core:debug] [pid 10806:tid 140242057148160] mod_authz_core.c(835): [client ::1:40992] AH01628: authorization result: granted (no directives)

This commit adds a check for undefined verify mode in the directory
configuration and applies the server wide configuration in that case.

File:

• src/gnutls_hooks.c (modified) (1 diff)

src/gnutls_hooks.c

@@ -899 +899 @@
         }
         rv = mgs_cert_verify(r, ctxt);
-        if (rv != DECLINED &&
-                (rv != HTTP_FORBIDDEN ||
-                dc->client_verify_mode == GNUTLS_CERT_REQUIRE)) {
+        if (rv != DECLINED
+            && (rv != HTTP_FORBIDDEN
+                || dc->client_verify_mode == GNUTLS_CERT_REQUIRE
+                || (dc->client_verify_mode == -1
+                    && ctxt->sc->client_verify_mode == GNUTLS_CERT_REQUIRE)))
+        {
             return rv;
         }