libmicrohttpd

[libmicrohttpd] problem in client certificate authentication example?


From: folkert
Subject: [libmicrohttpd] problem in client certificate authentication example?
Date: Tue, 2 Mar 2021 15:42:08 +0100
User-agent: Mutt/1.10.1 (2018-07-13)

Hi,

(I've sent an e-mail about this possible problem to the maintainer
as well)

https://www.gnu.org/software/libmicrohttpd/tutorial.html#Adding-a-layer-of-security
shows an example for performing client certificate authentication.

The function get_client_certificate invokes
gnutls_certificate_verify_peers2 to verify the validity of the
certificate.
That gnutls_certificate_verify_peers2 function returns a result code but
also a status code. According to
https://www.gnutls.org/manual/html_node/Core-TLS-API.html the result
code only tells you whether the evaluation itself went well, not whether
the certificate is valid. For that second part, one would need to
evaluate the second parameter ("unsigned int * status"), which contains
the status of the certificate, see
https://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-certificate-status-t
So the certificate should be used only if that status
(client_cert_status in the example) is 0.

In my opinion the example should be changed to verify that status, as
people may use the example "as is", potentially implementing
security problems in software using it.

Hopefully I'm wrong in my analysis!


Regards,

Folkert van Heusden

-- 
Always wondered what the latency of your webserver is? Or how much more
latency you get when you go through a proxy server/tor? The numbers
tell the tale and with HTTPing you know them!
                                     http://www.vanheusden.com/httping/
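The two-step check the message describes, as an added example; this is not the libmicrohttpd tutorial's code and not code from the poster. The decision is factored into a pure helper, judge_client_cert(), so it can be exercised without a TLS session; the GnuTLS-facing wrapper get_verified_client_cert() is compiled only when HAVE_GNUTLS is defined (an assumed build macro, as are both function names). Inside the wrapper, gnutls_certificate_verify_peers2() is treated as the manual says: a non-zero return means verification could not be performed, and a non-zero status means it was performed and the certificate failed.

```c
/* Added example (not the tutorial's or the poster's code): trust the
 * client certificate only when BOTH the return code of
 * gnutls_certificate_verify_peers2() and the status bitmask it fills in
 * are zero. HAVE_GNUTLS is an assumed build macro; a build that defines
 * it is assumed to link against -lgnutls. */
#include <stdio.h>

#ifdef HAVE_GNUTLS
#include <gnutls/gnutls.h>
#include <gnutls/x509.h>
#endif

/* Outcome of the two-step check. */
enum cert_verdict {
    CERT_ACCEPT = 0,            /* rc == 0 and status == 0 */
    CERT_REJECT_VERIFY_FAILED,  /* verification itself could not run (rc != 0) */
    CERT_REJECT_INVALID         /* verification ran; status flags are set */
};

/* Pure policy. rc is the return value of gnutls_certificate_verify_peers2(),
 * status is the bitmask it stored through its `unsigned int *` argument.
 * Checking rc alone (as a bare `if (rc) return NULL;` does) accepts any
 * certificate that could be evaluated, including expired, revoked or
 * untrusted ones, because those are reported only through status. */
enum cert_verdict judge_client_cert(int rc, unsigned int status)
{
    if (rc != 0)
        return CERT_REJECT_VERIFY_FAILED;
    if (status != 0)
        return CERT_REJECT_INVALID;
    return CERT_ACCEPT;
}

#ifdef HAVE_GNUTLS
/* Hypothetical replacement for the tutorial's get_client_certificate():
 * returns the imported leaf certificate only when both checks pass,
 * otherwise logs why and returns NULL. Caller must gnutls_x509_crt_deinit(). */
gnutls_x509_crt_t get_verified_client_cert(gnutls_session_t tls_session)
{
    unsigned int status = 0;
    unsigned int listsize = 0;
    const gnutls_datum_t *pcert;
    gnutls_x509_crt_t client_cert;
    int rc;

    if (tls_session == NULL)
        return NULL;

    rc = gnutls_certificate_verify_peers2(tls_session, &status);
    switch (judge_client_cert(rc, status)) {
    case CERT_ACCEPT:
        break;
    case CERT_REJECT_VERIFY_FAILED:
        fprintf(stderr, "client cert verification failed: %s\n",
                gnutls_strerror(rc));
        return NULL;
    case CERT_REJECT_INVALID: {
        /* Render the status bits (GNUTLS_CERT_INVALID, _EXPIRED, ...) as text. */
        gnutls_datum_t txt;
        if (gnutls_certificate_verification_status_print(status,
                                                         GNUTLS_CRT_X509,
                                                         &txt, 0) == 0) {
            fprintf(stderr, "client cert rejected: %s\n", txt.data);
            gnutls_free(txt.data);
        } else {
            fprintf(stderr, "client cert rejected: status 0x%x\n", status);
        }
        return NULL;
    }
    }

    pcert = gnutls_certificate_get_peers(tls_session, &listsize);
    if (pcert == NULL || listsize == 0) {
        fprintf(stderr, "Failed to retrieve client certificate chain\n");
        return NULL;
    }
    if (gnutls_x509_crt_init(&client_cert) != 0) {
        fprintf(stderr, "Failed to initialize client certificate\n");
        return NULL;
    }
    /* pcert[0] is the leaf; higher indices are the presented chain. */
    if (gnutls_x509_crt_import(client_cert, &pcert[0], GNUTLS_X509_FMT_DER) != 0) {
        fprintf(stderr, "Failed to import client certificate\n");
        gnutls_x509_crt_deinit(client_cert);
        return NULL;
    }
    return client_cert;
}
#endif
```

Note that status is only meaningful when rc is zero, which is why judge_client_cert() inspects rc first; a non-zero status with a non-zero rc is still reported as a verification failure, not as an invalid certificate.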


