control: tag -1 patch
control: tag -1 pending

Hi, I've uploaded an NMU (non-maintainer upload) fixing this issue to DELAYED/2.  Please see
the attached patch.

Best wishes,
Mike
diff -Nru lighttpd-1.4.33/debian/changelog lighttpd-1.4.33/debian/changelog
--- lighttpd-1.4.33/debian/changelog	2013-11-13 04:15:52.000000000 +0000
+++ lighttpd-1.4.33/debian/changelog	2013-11-16 22:32:00.000000000 +0000
@@ -1,3 +1,10 @@
+lighttpd (1.4.33-1+nmu2) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix regression caused by the fix for cve-2013-4508 (closes: #729480).
+
+ -- Michael Gilbert <mgilb...@debian.org>  Sat, 16 Nov 2013 22:29:07 +0000
+
 lighttpd (1.4.33-1+nmu1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team (closes: #729453).
diff -Nru lighttpd-1.4.33/debian/patches/cve-2013-4508.patch lighttpd-1.4.33/debian/patches/cve-2013-4508.patch
--- lighttpd-1.4.33/debian/patches/cve-2013-4508.patch	2013-11-13 02:35:53.000000000 +0000
+++ lighttpd-1.4.33/debian/patches/cve-2013-4508.patch	2013-11-16 22:28:31.000000000 +0000
@@ -1,7 +1,8 @@
 origin: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
-commit 1af871fcef97574c71870309d572d6b1026ee605
+
+commit 0fee8a0d90ffa6c5bde25d769cc578d72e4972ca
 Author: Stefan Bühler <stbueh...@web.de>
-Date:   Tue Nov 5 15:29:07 2013 +0000
+Date:   Wed Nov 13 18:29:09 2013 +0100
 
     [ssl] fix SNI handling; only use key+cert+verify-client from SNI specific config (fixes #2525, CVE-2013-4508)
     
@@ -10,14 +11,13 @@
     so enforcing verification for a subset of SNI names doesn't actually
     protect those.
     
-    From: Stefan Bühler <stbueh...@web.de>
-    
-    git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2913 152afb58-edef-0310-8abb-c4023f1b3aa9
+    Also session resumption can circumvent the verify-client enforce,
+    if it isn't enforced in the default context.
 
 Index: lighttpd-1.4.33/src/base.h
 ===================================================================
---- lighttpd-1.4.33.orig/src/base.h	2013-11-13 02:35:50.218536022 +0000
-+++ lighttpd-1.4.33/src/base.h	2013-11-13 02:35:50.214536022 +0000
+--- lighttpd-1.4.33.orig/src/base.h	2013-11-16 22:28:28.623997390 +0000
++++ lighttpd-1.4.33/src/base.h	2013-11-16 22:28:28.623997390 +0000
 @@ -320,7 +320,11 @@
  	off_t *global_bytes_per_second_cnt_ptr; /*  */
  
@@ -33,8 +33,8 @@
  
 Index: lighttpd-1.4.33/src/configfile.c
 ===================================================================
---- lighttpd-1.4.33.orig/src/configfile.c	2013-11-13 02:35:50.218536022 +0000
-+++ lighttpd-1.4.33/src/configfile.c	2013-11-13 02:35:50.214536022 +0000
+--- lighttpd-1.4.33.orig/src/configfile.c	2013-11-16 22:28:28.623997390 +0000
++++ lighttpd-1.4.33/src/configfile.c	2013-11-16 22:28:28.623997390 +0000
 @@ -339,9 +339,13 @@
  
  	PATCH(ssl_pemfile);
@@ -68,8 +68,8 @@
  			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssl.empty-fragments"))) {
 Index: lighttpd-1.4.33/src/network.c
 ===================================================================
---- lighttpd-1.4.33.orig/src/network.c	2013-11-13 02:35:50.218536022 +0000
-+++ lighttpd-1.4.33/src/network.c	2013-11-13 02:35:50.214536022 +0000
+--- lighttpd-1.4.33.orig/src/network.c	2013-11-16 22:28:28.623997390 +0000
++++ lighttpd-1.4.33/src/network.c	2013-11-16 22:28:28.623997390 +0000
 @@ -112,20 +112,46 @@
  	config_patch_connection(srv, con, COMP_HTTP_SCHEME);
  	config_patch_connection(srv, con, COMP_HTTP_HOST);
@@ -246,7 +246,7 @@
  
  		if (srv->ssl_is_init == 0) {
  			SSL_load_error_strings();
-@@ -607,6 +713,29 @@
+@@ -607,12 +713,43 @@
  			}
  		}
  
@@ -276,7 +276,21 @@
  		if (NULL == (s->ssl_ctx = SSL_CTX_new(SSLv23_server_method()))) {
  			log_error_write(srv, __FILE__, __LINE__, "ss", "SSL:",
  					ERR_error_string(ERR_get_error(), NULL));
-@@ -722,45 +851,42 @@
+ 			return -1;
+ 		}
+ 
++		/* completely useless identifier; required for client cert verification to work with sessions */
++		if (0 == SSL_CTX_set_session_id_context(s->ssl_ctx, (const unsigned char*) CONST_STR_LEN("lighttpd"))) {
++			log_error_write(srv, __FILE__, __LINE__, "ss:s", "SSL:",
++				"failed to set session context",
++				ERR_error_string(ERR_get_error(), NULL));
++			return -1;
++		}
++
+ 		if (s->ssl_empty_fragments) {
+ #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+ 			ssloptions &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+@@ -722,45 +859,42 @@
  #endif
  #endif
  
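Review bot: The comment on the new `SSL_CTX_set_session_id_context` call describes the identifier as "completely useless", which hides the reason the line exists: OpenSSL requires a session id context on any SSL_CTX that has peer verification enabled, and on resumption it refuses to reuse a session whose id context differs from the context it is being resumed into — without it, client-cert verification fails on resumed sessions, which is presumably the regression in #729480. I would replace the comment with `/* OpenSSL requires a session id context when client verification is enabled, and only resumes sessions that carry a matching one; without it resumed sessions fail verification (#729480) */`. Note that the same constant `"lighttpd"` is set on every ssl_ctx, so the id context alone does not separate an SNI context that requires verify-client from one that does not; as the amended commit message says, that relies on verify-client being enforced in the default context, and that should be stated here too. The format string `"ss:s"` also differs from the neighbouring `log_error_write` calls (`"ss"`, `"ssb"`); unless `':'` is a recognised format character it should be `"sss"`. The enclosing function starts and ends outside this hunk.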
@@ -345,7 +359,7 @@
  			log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
  					ERR_error_string(ERR_get_error(), NULL), s->ssl_pemfile);
  			return -1;
-@@ -857,7 +983,6 @@
+@@ -857,7 +991,6 @@
  	for (i = 1; i < srv->config_context->used; i++) {
  		data_config *dc = (data_config *)srv->config_context->data[i];
  		specific_config *s = srv->config_storage[i];
@@ -355,8 +369,8 @@
  		if (COMP_SERVER_SOCKET != dc->comp) continue;
 Index: lighttpd-1.4.33/src/server.c
 ===================================================================
---- lighttpd-1.4.33.orig/src/server.c	2013-11-13 02:35:50.218536022 +0000
-+++ lighttpd-1.4.33/src/server.c	2013-11-13 02:35:50.214536022 +0000
+--- lighttpd-1.4.33.orig/src/server.c	2013-11-16 22:28:28.623997390 +0000
++++ lighttpd-1.4.33/src/server.c	2013-11-16 22:28:28.623997390 +0000
 @@ -314,6 +314,9 @@
  			buffer_free(s->ssl_verifyclient_username);
  #ifdef USE_OPENSSL
