Changeset 999cdec in mod_gnutls

Timestamp:

Feb 23, 2014, 1:00:08 PM (9 years ago)

Author:

Daniel Kahn Gillmor <dkg@…>

Branches:

asyncio, debian/master, debian/stretch-backports, jessie-backports, main, master, proxy-ticket, upstream

Children:

2aaf4f5

Parents:

04f48a2

git-author:

Daniel Kahn Gillmor <dkg@…> (02/23/14 12:59:05)

git-committer:

Daniel Kahn Gillmor <dkg@…> (02/23/14 13:00:08)

Message:

GnuTLSExportCertificates should control maximum size of exported certs

The server administrator should be able to control the maximum size of
the exported certificate environment variables. This will be done via
the existing GnuTLSExportCertificates environment variable.

This patch adds documentation of intended new feature and a test for
support. The test currently fails because the feature is not
implemented.

Files:

• docs/mod_gnutls_manual.mdwn (modified) (3 diffs)
• t/tests/17_cgi_vars_large_cert/apache.conf (added)
• t/tests/17_cgi_vars_large_cert/gnutls-cli.args (added)
• t/tests/17_cgi_vars_large_cert/input (added)
• t/tests/17_cgi_vars_large_cert/output (added)

docs/mod_gnutls_manual.mdwn

@@ -373 +373 @@
 Export the PEM encoded certificates to CGIs
 
-    GnuTLSExportCertificates [on|off]
+    GnuTLSExportCertificates [off|on|SIZE]
 
 Default: `off`\
 Context: server config, virtual host
 
-This directive enables exporting the full certificates of the server and
-the client to CGI scripts. The exported certificates will be PEM-encoded
-(if X.509) or ASCII-armored (if OpenPGP).
+This directive configures exporting the full certificates of the
+server and the client to CGI scripts via the `SSL_SERVER_CERT` and
+`SSL_CLIENT_CERT` environment variables. The exported certificates
+will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the
+size given.  The type of the certificate will be exported in
+`SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`.
+
+SIZE should be an integer number of bytes, or may be written with a
+trailing `K` to indicate kibibytes.  `off` means the same thing as
+`0`, in which case the certificates will not be exported to the
+environment.  `on` is an alias for `16K`.  If a non-zero size is
+specified for this directive, but a certificate is too large to fit in
+the buffer, then the corresponding environment variable will contain
+the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.
+
 With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
 environment variables to the CGI process as `mod_ssl`.
@@ -671 +683 @@
 The public key algorithm in server's certificate.
 
-`SSL_SERVER1_CERT`
+`SSL_SERVER_CERT`
 ------------------
 
-The PEM-encoded server certificate.
+The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate
+(see the `GnuTLSExportCertificates` directive).
 
 `SSL_SERVER_CERT_TYPE`
@@ -681 +694 @@
 The certificate type can be `X.509` or `OPENPGP`.
 
+`SSL_CLIENT_CERT`
+------------------
+
+The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate
+(see the `GnuTLSExportCertificates` directive).
+
 `SSL_CLIENT_CERT_TYPE`
 ----------------------