retitle 866005 Backport TLS Client Certificate fixes
thanks

A few more changes I sent upstream have been accepted. I'm maintaining the delta locally; is there any chance you could backport these patches to the Debian package?
Since there was an upload since I filed the debdiff, I just attached the patch, as fit for the debian/patches series. If the team is OK with it, I can go ahead and upload this. Thanks!

Paul
--
Description: Multiple fixes to Client Certificate handling The first is a fix to the verify-depth flag, which allows Client Certificates to be signed off an intermediary Certificate Authority. . Additionally, this will write x509 DER to the uwsgi buffer This will write the full x.509 DER into the buffer for use by clients during runtime. This feature is intended to allow clients to handle per-user ACL with the direct x.509 Certificate, without having to configure the webserver to extract the right bits, which may or may not be custom extensions. . One such example would be using and extracting the UPN SAN, or some other exotic extension. Author: Paul Tagliamomnte <paul...@debian.org> Origin: upstream, https://github.com/unbit/uwsgi/pull/1562, https://github.com/unbit/uwsgi/issues/1563 Last-Update: 2017-08-21 diff --git a/core/ssl.c b/core/ssl.c index 02e5449..c5e3ae7 100644 --- a/core/ssl.c +++ b/core/ssl.c @@ -326,8 +326,7 @@ SSL_CTX *uwsgi_ssl_new_server_context(char *name, char *crt, char *key, char *ci else { SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, uwsgi_ssl_verify_callback); } - // in the future we should allow to set the verify depth - SSL_CTX_set_verify_depth(ctx, 1); + SSL_CTX_set_verify_depth(ctx, uwsgi.ssl_verify_depth); if (uwsgi.ssl_tmp_dir && !uwsgi_starts_with(client_ca, strlen(client_ca), "-----BEGIN ", 11)) { if (!name) { diff --git a/core/uwsgi.c b/core/uwsgi.c index f2fdc0f..816dcbc 100644 --- a/core/uwsgi.c +++ b/core/uwsgi.c 
@@ -653,6 +653,7 @@ static struct uwsgi_option uwsgi_base_options[] = { {"snmp-community", required_argument, 0, "set the snmp community string", uwsgi_opt_snmp_community, NULL, 0}, #ifdef UWSGI_SSL {"ssl-verbose", no_argument, 0, "be verbose about SSL errors", uwsgi_opt_true, &uwsgi.ssl_verbose, 0}, + {"ssl-verify-depth", optional_argument, 0, "set maximum certificate verification depth", uwsgi_opt_set_int, &uwsgi.ssl_verify_depth, 1}, #ifdef UWSGI_SSL_SESSION_CACHE // force master, as ssl sessions caching initialize locking early {"ssl-sessions-use-cache", optional_argument, 0, "use uWSGI cache for ssl sessions storage", uwsgi_opt_set_str, &uwsgi.ssl_sessions_use_cache, UWSGI_OPT_MASTER}, diff --git a/plugins/http/https.c b/plugins/http/https.c index 1d04666..dc629e3 100644 --- a/plugins/http/https.c +++ b/plugins/http/https.c @@ -187,6 +187,12 @@ int hr_https_add_vars(struct http_session *hr, struct corerouter_peer *peer, str #endif hr->ssl_client_cert = SSL_get_peer_certificate(hr->ssl); if (hr->ssl_client_cert) { + int client_cert_len; + unsigned char *client_cert_der = NULL; + client_cert_len = i2d_X509(hr->ssl_client_cert, &client_cert_der); + if (client_cert_len < 0) return -1; + if (uwsgi_buffer_append_keyval(out, "HTTPS_CLIENT_CERTIFICATE", 24, (char*)client_cert_der, client_cert_len)) return -1; + X509_NAME *name = X509_get_subject_name(hr->ssl_client_cert); if (name) { hr->ssl_client_dn = X509_NAME_oneline(name, NULL, 0); diff --git a/uwsgi.h b/uwsgi.h index 069e240..c706e2f 100644 --- a/uwsgi.h +++ b/uwsgi.h @@ -2791,6 +2791,10 @@ struct uwsgi_server { // uWSGI 2.1 backport int new_argc; char **new_argv; + +#ifdef UWSGI_SSL + int ssl_verify_depth; +#endif }; struct uwsgi_rpc { -- 2.14.1
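Review bot: the new `SSL_CTX_set_verify_depth(ctx, uwsgi.ssl_verify_depth);` in the core/ssl.c hunk has no default for the unconfigured case: nothing in the patch initialises uwsgi.ssl_verify_depth, so a configuration that never passes --ssl-verify-depth now hands OpenSSL a depth of 0 where the removed line hard-coded 1, silently tightening chain verification for existing deployments. Either set the field to 1 where the other uwsgi defaults are initialised, or keep the old behaviour when it is unset, e.g. `SSL_CTX_set_verify_depth(ctx, uwsgi.ssl_verify_depth > 0 ? uwsgi.ssl_verify_depth : 1);`.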
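Review bot: the help text for the new --ssl-verify-depth entry in the core/uwsgi.c hunk ("set maximum certificate verification depth") should state the default and what the number counts; the option exists so that chains with an intermediate CA verify, and a user reading only this text cannot tell whether one intermediate needs 1 or 2. Since the entry is optional_argument with uwsgi_opt_set_int, a bare --ssl-verify-depth is accepted as well; document what value that stores, or make the argument required so the depth is always explicit.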
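Review bot: client_cert_der leaks on every client-certificate connection in the plugins/http/https.c hunk: with a NULL out pointer, i2d_X509 allocates the DER buffer itself, and neither the success path nor the `return -1` after uwsgi_buffer_append_keyval releases it. uwsgi_buffer_append_keyval copies the bytes into the buffer, so `OPENSSL_free(client_cert_der);` can go straight after the append, ahead of the return-value test, which covers the error path too. The description should also say that HTTPS_CLIENT_CERTIFICATE is raw DER, since applications then receive a binary value in an otherwise string-typed CGI-style environment; if that is a problem for the intended consumers, base64 or PEM would be the friendlier encoding.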
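The description's use case, a per-user ACL driven by the UPN SAN of the raw DER certificate, as an added example. This is not code from the bug report or from uWSGI; it assumes the HTTPS_CLIENT_CERTIFICATE variable exactly as the https.c hunk writes it, assumes uWSGI's Python 3 plugin hands environ values to the application as latin-1 decoded str (so re-encoding recovers the DER bytes), and the certificate it parses is a constructed X.509v3 skeleton with the right shape and no real key or signature. The DER walker is a minimal TLV parser, not a general X.509 library, so it only covers the path from tbsCertificate to the subjectAltName otherName.

```python
# Added example, not code from the bug report or from uWSGI itself.
# WSGI app that reads the raw DER client certificate from HTTPS_CLIENT_CERTIFICATE,
# walks it with a minimal DER (TLV) parser and decides access from the Microsoft
# UPN carried in the subjectAltName extension.

SEQ, INT, BITSTR, OCTET, OID, UTF8 = 0x30, 0x02, 0x03, 0x04, 0x06, 0x0C
CTX0, CTX3 = 0xA0, 0xA3                          # [0] / [3] constructed context tags
DNS_NAME = 0x82                                  # GeneralName dNSName: [2] IMPLICIT IA5String
OID_SAN = bytes.fromhex("551d11")                # 2.5.29.17 subjectAltName
OID_UPN = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 Microsoft UPN


def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, value, next_pos). Raises on truncation."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner


def client_cert_upn(der_cert):
    """Return the UPN otherName from the SAN extension, or None if there is none."""
    _, cert, _ = der_tlv(der_cert)               # Certificate
    _, tbs, _ = der_tlv(cert)                    # tbsCertificate (first element)
    for tag, value in der_children(tbs):
        if tag != CTX3:                          # extensions are EXPLICIT [3]
            continue
        _, ext_list, _ = der_tlv(value)
        for _, ext in der_children(ext_list):    # Extension ::= SEQ { OID, [BOOL critical], OCTET STRING }
            parts = list(der_children(ext))
            if parts[0][1] != OID_SAN:
                continue
            _, names, _ = der_tlv(parts[-1][1])  # extnValue wraps GeneralNames
            for name_tag, name in der_children(names):
                if name_tag != CTX0:             # otherName is [0]
                    continue
                (_, type_id), (_, wrapped) = der_children(name)
                if type_id == OID_UPN:
                    _, upn, _ = der_tlv(wrapped)  # [0] EXPLICIT UTF8String
                    return upn.decode("utf-8")
    return None


# Constructed ACL: UPN -> path prefixes the user may reach besides "/".
ACL = {"alice@corp.example": {"/reports"}, "bob@corp.example": set()}


def authorize(environ):
    """Decide a request from the client certificate; returns (status, body)."""
    raw = environ.get("HTTPS_CLIENT_CERTIFICATE")
    if not raw:
        return "401 Unauthorized", b"client certificate required"
    # Assumption: uWSGI's Python 3 plugin exposes environ values as latin-1
    # decoded str (PEP 3333); re-encoding recovers the exact DER bytes.
    der_cert = raw.encode("latin-1") if isinstance(raw, str) else raw
    try:
        upn = client_cert_upn(der_cert)
    except (IndexError, ValueError):             # ValueError also covers bad UTF-8
        return "400 Bad Request", b"unparseable client certificate"
    if upn is None:
        return "403 Forbidden", b"certificate carries no UPN"
    path = environ.get("PATH_INFO", "/")
    prefixes = ACL.get(upn)
    if prefixes is None or (path != "/" and not any(path.startswith(p) for p in prefixes)):
        return "403 Forbidden", b"not permitted"
    return "200 OK", ("hello " + upn).encode()


def application(environ, start_response):
    status, body = authorize(environ)
    start_response(status, [("Content-Type", "text/plain"), ("Content-Length", str(len(body)))])
    return [body]


def der(tag, body):
    """Encode one DER TLV (short or long-form length); used to build the sample input."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_cert(upn=None, dns_names=()):
    """Constructed test input: X.509v3 DER skeleton with a SAN; no key, no signature."""
    names = b"".join(der(DNS_NAME, d.encode("ascii")) for d in dns_names)
    if upn is not None:
        names += der(CTX0, der(OID, OID_UPN) + der(CTX0, der(UTF8, upn.encode("utf-8"))))
    san = der(SEQ, der(OID, OID_SAN) + der(OCTET, der(SEQ, names)))
    tbs = (der(CTX0, der(INT, b"\x02"))                                # version v3
           + der(INT, b"\x01")                                         # serialNumber
           + der(SEQ, der(OID, bytes.fromhex("2a864886f70d01010b")))   # sha256WithRSAEncryption
           + der(SEQ, b"") + der(SEQ, b"") + der(SEQ, b"")             # issuer, validity, subject (placeholders)
           + der(SEQ, b"")                                             # subjectPublicKeyInfo (placeholder)
           + der(CTX3, der(SEQ, san)))
    return der(SEQ, der(SEQ, tbs) + der(SEQ, b"") + der(BITSTR, b"\x00"))
```

authorize() is the part a deployment would keep; build_sample_cert() exists only so the parser can be exercised offline, for instance `authorize({"HTTPS_CLIENT_CERTIFICATE": build_sample_cert("alice@corp.example").decode("latin-1"), "PATH_INFO": "/reports/q1"})` yields `('200 OK', b'hello alice@corp.example')`. The parser deliberately fails closed: anything it cannot walk is a 400, a certificate without a UPN is a 403, and only a UPN present in the ACL reaches the handler.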