Package: uwsgi
Severity: wishlist
thanks

Thanks for maintaining uwsgi,
Attached is a debdiff adding the ability to write the full x.509 DER into the buffer for use by clients during runtime. This feature is intended to allow clients to handle per-user ACLs with the direct x.509 certificate, without having to configure the webserver to extract the right bits, which may or may not be custom extensions. One such example would be using and extracting the UPN SAN, or some other exotic extension, at runtime.

This patch is already merged in master, and can be dropped when the next release is tarred up.

--
diff -Nru uwsgi-2.0.15/debian/changelog uwsgi-2.0.15/debian/changelog --- uwsgi-2.0.15/debian/changelog 2017-06-20 06:00:19.000000000 -0400 +++ uwsgi-2.0.15/debian/changelog 2017-06-26 02:00:00.000000000 -0400 @@ -1,3 +1,14 @@ +uwsgi (2.0.15-2.1) UNRELEASED; urgency=medium + + [ Paul Tagliamonte ] + * Backport an upstreamed patch to insert the validated x509 client + Certificate in the wsgi object. + + [ Jonas Smedegaard ] + * + + -- Jonas Smedegaard <d...@jones.dk> Tue, 26 Jun 2017 08:00:00 +0200 + uwsgi (2.0.15-2) unstable; urgency=medium * Add patches cherry-picked upstream: diff -Nru uwsgi-2.0.15/debian/patches/1015_write_x509_der.patch uwsgi-2.0.15/debian/patches/1015_write_x509_der.patch --- uwsgi-2.0.15/debian/patches/1015_write_x509_der.patch 1969-12-31 19:00:00.000000000 -0500 +++ uwsgi-2.0.15/debian/patches/1015_write_x509_der.patch 2017-06-26 02:00:00.000000000 -0400 
@@ -0,0 +1,30 @@ +Description: Write x509 DER to the uwsgi buffer + This will write the full x.509 DER into the buffer for use by clients + during runtime. This feature is intended to allow clients to handle + per-user ACL with the direct x.509 Certificate, without having to + configure the webserver to extract the right bits, which may or may not + be custom extensions. + . + One such example would be using and extracting the UPN SAN, or some + other exotic extension. +Author: Paul Tagliamomnte <paul...@debian.org> +Origin: upstream, https://github.com/unbit/uwsgi/pull/1562 +Last-Update: 2017-06-26 + +diff --git a/plugins/http/https.c b/plugins/http/https.c +index 4bb04c90..836ce09a 100644 +--- a/plugins/http/https.c ++++ b/plugins/http/https.c +@@ -179,6 +179,12 @@ int hr_https_add_vars(struct http_session *hr, struct corerouter_peer *peer, str + #endif + hr->ssl_client_cert = SSL_get_peer_certificate(hr->ssl); + if (hr->ssl_client_cert) { ++ int client_cert_len; ++ unsigned char *client_cert_der = NULL; ++ client_cert_len = i2d_X509(hr->ssl_client_cert, &client_cert_der); ++ if (client_cert_len < 0) return -1; ++ if (uwsgi_buffer_append_keyval(out, "HTTPS_CLIENT_CERTIFICATE", 24, (char*)client_cert_der, client_cert_len)) return -1; ++ + X509_NAME *name = X509_get_subject_name(hr->ssl_client_cert); + if (name) { + hr->ssl_client_dn = X509_NAME_oneline(name, NULL, 0); diff -Nru uwsgi-2.0.15/debian/patches/series uwsgi-2.0.15/debian/patches/series --- uwsgi-2.0.15/debian/patches/series 2017-06-20 05:59:17.000000000 -0400 +++ uwsgi-2.0.15/debian/patches/series 2017-06-26 02:00:00.000000000 -0400 @@ -8,3 +8,4 @@ 1005_avoid_auto_ptr.patch 1009_fix_java_paths.patch 1010_support_java_pass_includes.patch +1015_write_x509_der.patch
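Review bot: the changelog hunk carries an empty `[ Jonas Smedegaard ] *` stanza that should be removed or filled in before upload, and the version `2.0.15-2.1` is NMU-style numbering while the entry is signed by Jonas Smedegaard in the team-stanza layout; if this goes out as a maintainer upload it should be `2.0.15-3`. The DEP-3 header in the new patch file also misspells the author as `Paul Tagliamomnte`, which does not match the changelog's `Paul Tagliamonte`.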
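Review bot: the https.c hunk leaks `client_cert_der` on every handshake that presents a client certificate: `i2d_X509()` called with `*out == NULL` allocates the buffer with `OPENSSL_malloc()` and the caller must release it with `OPENSSL_free()`, but neither the success path nor the `uwsgi_buffer_append_keyval()` failure path frees it. Suggested shape after the append: `if (uwsgi_buffer_append_keyval(out, "HTTPS_CLIENT_CERTIFICATE", 24, (char*)client_cert_der, client_cert_len)) { OPENSSL_free(client_cert_der); return -1; }` followed by `OPENSSL_free(client_cert_der);` before the existing `X509_get_subject_name()` call (the key length 24 does match `strlen("HTTPS_CLIENT_CERTIFICATE")`). The description should also state that the value is the raw DER bytes rather than PEM or base64, since application code reading the variable has to treat it as binary.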
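How an application would consume the new variable for the per-user ACL case the report describes, as an added example that is not code from the uwsgi project or from this debdiff. Only the variable name HTTPS_CLIENT_CERTIFICATE and the fact that it carries raw DER come from the patch. The pure-Python DER walker, the hypothetical `authorize()` policy and the `build_sample_cert()` test input are all constructed here; the sample certificate is a structurally parseable shell with empty issuer, validity, key and signature fields, not a real or verifiable certificate. It also assumes that under Python 3 uWSGI hands the environ value to the application as a `str` decoded as Latin-1 (an assumption; adjust the re-encoding if your deployment passes `bytes`).

```python
"""Extract the UPN otherName from the DER client cert uWSGI places in
HTTPS_CLIENT_CERTIFICATE and use it for a per-user ACL. Added example,
not part of uwsgi; the DER walker handles only the single-byte tags X.509 uses."""

SAN_OID = "2.5.29.17"
UPN_OID = "1.3.6.1.4.1.311.20.2.3"   # Microsoft szOID_NT_PRINCIPAL_NAME


def encode_oid(dotted):
    """DER-encode a dotted OID (first two arcs packed, base-128 for the rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return bytes(body)


def der(tag, content):
    """Wrap content in a DER TLV with a definite (short or long form) length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    if (tag & 0x1F) == 0x1F:
        raise ValueError("multi-byte tags are not used in X.509")
    n = buf[pos + 1]
    pos += 2
    if n & 0x80:
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + n > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + n], pos + n


def children(content):
    """Split a constructed value into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        out.append((tag, val))
    return out


def upn_from_der_cert(der_cert):
    """Return the UPN string from subjectAltName, or None if the cert has none."""
    tag, cert, _ = read_tlv(der_cert)
    tbs_tag, tbs, _ = read_tlv(cert)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate")
    for field_tag, field in children(tbs):
        if field_tag != 0xA3:                  # [3] EXPLICIT Extensions
            continue
        _, exts, _ = read_tlv(field)
        for _, ext in children(exts):           # Extension ::= SEQUENCE {oid, critical?, value}
            parts = children(ext)
            if parts[0][1] != encode_oid(SAN_OID):
                continue
            _, names, _ = read_tlv(parts[-1][1])   # OCTET STRING wraps GeneralNames
            for name_tag, name in children(names):
                if name_tag != 0xA0:                # [0] otherName
                    continue
                (_, oid), (_, explicit) = children(name)[:2]
                if oid == encode_oid(UPN_OID):
                    _, value, _ = read_tlv(explicit)   # [0] EXPLICIT UTF8String
                    return value.decode("utf-8")
    return None


def upn_from_environ(environ):
    """WSGI side. Assumption: Python 3 uWSGI exposes the value as a Latin-1
    decoded str, so re-encoding as Latin-1 recovers the original DER bytes."""
    raw = environ.get("HTTPS_CLIENT_CERTIFICATE")
    if raw is None:
        return None
    if isinstance(raw, str):
        raw = raw.encode("latin-1")
    return upn_from_der_cert(raw)


ACL = {"alice@corp.example": {"/admin", "/reports"}}   # constructed example policy


def authorize(environ, path):
    """Hypothetical per-user ACL keyed on the UPN from the client certificate."""
    upn = upn_from_environ(environ)
    return upn is not None and path in ACL.get(upn, set())


def build_sample_cert(upn=None, dns="client.example"):
    """Constructed test input: a Certificate shell with a SAN extension. Issuer,
    validity, key and signature are empty placeholders; parseable, not real."""
    names = b""
    if upn is not None:
        names += der(0xA0, der(0x06, encode_oid(UPN_OID))
                     + der(0xA0, der(0x0C, upn.encode("utf-8"))))
    names += der(0x82, dns.encode("ascii"))              # [2] dNSName
    ext = der(0x30, der(0x06, encode_oid(SAN_OID)) + der(0x04, der(0x30, names)))
    empty = der(0x30, b"")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + empty * 5 + der(0xA3, der(0x30, ext)))
    return der(0x30, tbs + empty + der(0x03, b"\x00"))
```

`upn_from_der_cert()` walks tbsCertificate by tag, so it works unchanged on a real DER certificate; the sample builder exists only so the block runs offline. In production the UPN should only be trusted after the web server has verified the chain, which the patch relies on by reading `SSL_get_peer_certificate()` post-handshake.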