Custom Query (16 matches)
Results (7 - 9 of 16)

Ticket: #24
Resolution: fixed
Summary: mod-proxy test in gnutls_hooks.c inadequate; breaks localhost encryption
Owner: https://id.mayfirst.org/dkg
Reporter: peter gamache
Description

The following block of code in gnutls_hooks.c doesn't actually test for use by mod_proxy, but takes a shortcut (comparing IPs) that breaks local connectivity for processes running on the same host:

    if (c->remote_addr->hostname || apr_strnatcmp(c->remote_ip, c->local_ip) == 0) {
        /* Connection initiated by Apache (mod_proxy) => ignore */
        return OK;
    }

These work fine when coming from other hosts but break if used on the same machine that's running Apache+gnutls:

# gnutls-cli-debug localhost
Resolving 'localhost'...
Connecting to '127.0.0.1:443'...
Checking for SSL 3.0 support... no
Checking whether %COMPAT is required... yes
Checking for TLS 1.0 support... no
Checking for TLS 1.1 support... no
Checking fallback from TLS 1.1 to... failed
Checking for TLS 1.2 support... no
Checking whether we need to disable TLS 1.0... yes

Server does not support any of SSL 3.0, TLS 1.0 and TLS 1.1

# openssl s_client -connect localhost:443
CONNECTED(00000003)
140710953731744:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:787:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 305 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Guess what works though? A plaintext request on port 443:

# telnet localhost 443
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
GET /
<html><body text="#ffffff" bgcolor="#000000"><p><tt>It is pitch black.  You are likely to be eaten by a grue.<br />></tt></p></body></html>
Connection closed by foreign host.
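The check quoted in this ticket, modelled next to an alternative that does not consult peer addresses. This is an added example and not mod_gnutls or Apache code: the conn_t struct is a constructed stand-in for the handful of conn_rec fields involved, and the initiated_by_proxy flag assumes that mod_proxy-initiated connections are marked explicitly (the way mod_ssl's proxy-enable hook does it), which is an assumption here rather than something the ticket states.

```c
/* Added example, not mod_gnutls or Apache code.  Models the mod_proxy
 * detection quoted in ticket #24 next to a check that never looks at the
 * peer address.  conn_t is a constructed stand-in for the few conn_rec
 * fields involved; Apache's real struct is not used here. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *name;               /* label for the scenario */
    const char *remote_hostname;    /* stand-in for c->remote_addr->hostname */
    const char *remote_ip;          /* stand-in for c->remote_ip */
    const char *local_ip;           /* stand-in for c->local_ip */
    bool        initiated_by_proxy; /* assumed flag: set only when mod_proxy
                                       opens the connection itself */
} conn_t;

/* The heuristic from the ticket: a peer with a resolved hostname, or whose
 * address equals the server's own, is taken to be mod_proxy's outgoing
 * connection and TLS is skipped for it.  Returns true when TLS would NOT
 * be set up (apr_strnatcmp()==0 and strcmp()==0 agree on equality). */
bool skip_tls_ip_heuristic(const conn_t *c)
{
    return c->remote_hostname != NULL ||
           strcmp(c->remote_ip, c->local_ip) == 0;
}

/* Assumed replacement: skip TLS only for connections explicitly flagged as
 * proxy-initiated; the peer address plays no part in the decision. */
bool skip_tls_explicit_flag(const conn_t *c)
{
    return c->initiated_by_proxy;
}

/* Constructed scenarios (addresses are documentation ranges / loopback). */
const conn_t REMOTE_CLIENT   = { "browser on another host",
                                 NULL, "203.0.113.7", "198.51.100.10", false };
const conn_t LOCAL_CLIENT    = { "gnutls-cli on the server itself",
                                 NULL, "127.0.0.1", "127.0.0.1", false };
const conn_t LOCAL_V6_CLIENT = { "IPv6 loopback client",
                                 NULL, "::1", "::1", false };
const conn_t PROXY_BACKEND   = { "mod_proxy -> backend",
                                 "backend.example", "10.0.0.5", "10.0.0.1", true };

static const conn_t *const SCENARIOS[] = {
    &REMOTE_CLIENT, &LOCAL_CLIENT, &LOCAL_V6_CLIENT, &PROXY_BACKEND
};
#define N_SCENARIOS (sizeof SCENARIOS / sizeof SCENARIOS[0])

/* Number of genuine clients (connections mod_proxy did not open) that a
 * given rule would answer in plaintext on the TLS port. */
int plaintext_clients(bool (*rule)(const conn_t *))
{
    int n = 0;
    for (size_t i = 0; i < N_SCENARIOS; i++)
        if (!SCENARIOS[i]->initiated_by_proxy && rule(SCENARIOS[i]))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < N_SCENARIOS; i++) {
        const conn_t *c = SCENARIOS[i];
        printf("%-32s ip-heuristic: %-9s explicit-flag: %s\n", c->name,
               skip_tls_ip_heuristic(c)  ? "plaintext" : "TLS",
               skip_tls_explicit_flag(c) ? "plaintext" : "TLS");
    }
    return 0;
}
```

Both loopback scenarios fall through to plaintext under the address comparison, which is exactly what the telnet transcript above shows; the proxy's own backend connection is the only one the flag-based rule leaves alone.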
Ticket: #23
Resolution: fixed
Summary: enable pkcs11 for server secret key material
Owner: https://id.mayfirst.org/dkg
Reporter: https://id.mayfirst.org/dkg
Description

Nikos writes on-list with a good suggestion:

I was thinking of ways in which a memory leak in mod_gnutls could be prevented from revealing secrets such as the server's private key, and I think that this could be "easily" doable if mod_gnutls would support pkcs11 keys (from a quick glimpse I think it doesn't yet). If it would support it, then one could use a software security module such as lsm-pkcs11 and separate the private key operations from the server process. I put "easily" in quotes because unfortunately lsm-pkcs11 seems to be a dead project and more modern modules like softhsm don't use any isolation between the key operations and the calling process.

Nevertheless, I think it would be a good feature to have.

I also think this would be a useful feature.

Ticket: #22
Resolution: fixed
Summary: test suite not VPATH-safe
Owner: https://id.mayfirst.org/dkg
Reporter: myopenidmail
Description

=========================================
   mod_gnutls 0.5.10: ./test-suite.log
=========================================

# TOTAL: 1
# PASS:  0
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

FAIL: run_tests.sh
==================

make: Entering an unknown directory
make: *** t: No such file or directory.  Stop.
make: Leaving an unknown directory
