Bug#729480: SSL connections with client certificates no longer working

2013-11-16 Thread Michael Gilbert
control: tag -1 patch
control: tag -1 pending

Hi, I've uploaded an nmu fixing this issue to delayed/2.  Please see
attached patch.

Best wishes,
Mike
diff -Nru lighttpd-1.4.33/debian/changelog lighttpd-1.4.33/debian/changelog
--- lighttpd-1.4.33/debian/changelog	2013-11-13 04:15:52.0 +
+++ lighttpd-1.4.33/debian/changelog	2013-11-16 22:32:00.0 +
@@ -1,3 +1,10 @@
+lighttpd (1.4.33-1+nmu2) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix regression caused by the fix for cve-2013-4508 (closes: #729480).
+
+ -- Michael Gilbert mgilb...@debian.org  Sat, 16 Nov 2013 22:29:07 +
+
 lighttpd (1.4.33-1+nmu1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team (closes: #729453).
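Review bot: the changelog entry writes the identifier as cve-2013-4508; Debian changelogs use the canonical upper-case form CVE-2013-4508, and the entry should say where the replacement patch came from (the diff upstream published as revision 2925, per this thread) so the NMU can be matched to the upstream fix. Suggest something like `* Update cve-2013-4508.patch to upstream r2925, fixing session resumption with client certificates (closes: #729480).`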
diff -Nru lighttpd-1.4.33/debian/patches/cve-2013-4508.patch lighttpd-1.4.33/debian/patches/cve-2013-4508.patch
--- lighttpd-1.4.33/debian/patches/cve-2013-4508.patch	2013-11-13 02:35:53.0 +
+++ lighttpd-1.4.33/debian/patches/cve-2013-4508.patch	2013-11-16 22:28:31.0 +
@@ -1,7 +1,8 @@
 origin: http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
-commit 1af871fcef97574c71870309d572d6b1026ee605
+
+commit 0fee8a0d90ffa6c5bde25d769cc578d72e4972ca
 Author: Stefan Bühler stbueh...@web.de
-Date:   Tue Nov 5 15:29:07 2013 +
+Date:   Wed Nov 13 18:29:09 2013 +0100
 
 [ssl] fix SNI handling; only use key+cert+verify-client from SNI specific config (fixes #2525, CVE-2013-4508)
 
@@ -10,14 +11,13 @@
 so enforcing verification for a subset of SNI names doesn't actually
 protect those.
 
-From: Stefan Bühler stbueh...@web.de
-
-git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2913 152afb58-edef-0310-8abb-c4023f1b3aa9
+Also session resumption can circumvent the verify-client enforce,
+if it isn't enforced in the default context.
 
 Index: lighttpd-1.4.33/src/base.h
 ===
 lighttpd-1.4.33.orig/src/base.h	2013-11-13 02:35:50.218536022 +
-+++ lighttpd-1.4.33/src/base.h	2013-11-13 02:35:50.214536022 +
+--- lighttpd-1.4.33.orig/src/base.h	2013-11-16 22:28:28.623997390 +
 lighttpd-1.4.33/src/base.h	2013-11-16 22:28:28.623997390 +
 @@ -320,7 +320,11 @@
  	off_t *global_bytes_per_second_cnt_ptr; /*  */
  
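Review bot: dropping the `From:` and `git-svn-id:` lines removes the only reference to an upstream revision from the patch header, and the new header names a git commit instead; since the replacement is the diff upstream points to as revision 2925 in this thread, keep a line such as `origin: http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2925/diff/` next to the advisory URL so the patch stays traceable. The rest of this hunk only rewrites the timestamps in the embedded base.h file header, which adds churn on every refresh; regenerating the patch with `quilt refresh --no-timestamps` avoids that.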
@@ -33,8 +33,8 @@
  
 Index: lighttpd-1.4.33/src/configfile.c
 ===
 lighttpd-1.4.33.orig/src/configfile.c	2013-11-13 02:35:50.218536022 +
-+++ lighttpd-1.4.33/src/configfile.c	2013-11-13 02:35:50.214536022 +
+--- lighttpd-1.4.33.orig/src/configfile.c	2013-11-16 22:28:28.623997390 +
 lighttpd-1.4.33/src/configfile.c	2013-11-16 22:28:28.623997390 +
 @@ -339,9 +339,13 @@
  
  	PATCH(ssl_pemfile);
@@ -68,8 +68,8 @@
  			} else if (buffer_is_equal_string(du-key, CONST_STR_LEN(ssl.empty-fragments))) {
 Index: lighttpd-1.4.33/src/network.c
 ===
 lighttpd-1.4.33.orig/src/network.c	2013-11-13 02:35:50.218536022 +
-+++ lighttpd-1.4.33/src/network.c	2013-11-13 02:35:50.214536022 +
+--- lighttpd-1.4.33.orig/src/network.c	2013-11-16 22:28:28.623997390 +
 lighttpd-1.4.33/src/network.c	2013-11-16 22:28:28.623997390 +
 @@ -112,20 +112,46 @@
  	config_patch_connection(srv, con, COMP_HTTP_SCHEME);
  	config_patch_connection(srv, con, COMP_HTTP_HOST);
@@ -246,7 +246,7 @@
  
  		if (srv-ssl_is_init == 0) {
  			SSL_load_error_strings();
-@@ -607,6 +713,29 @@
+@@ -607,12 +713,43 @@
  			}
  		}
  
@@ -276,7 +276,21 @@
  		if (NULL == (s-ssl_ctx = SSL_CTX_new(SSLv23_server_method( {
  			log_error_write(srv, __FILE__, __LINE__, ss, SSL:,
  	ERR_error_string(ERR_get_error(), NULL));
-@@ -722,45 +851,42 @@
+ 			return -1;
+ 		}
+ 
++		/* completely useless identifier; required for client cert verification to work with sessions */
++		if (0 == SSL_CTX_set_session_id_context(s-ssl_ctx, (const unsigned char*) CONST_STR_LEN(lighttpd))) {
++			log_error_write(srv, __FILE__, __LINE__, ss:s, SSL:,
++failed to set session context,
++ERR_error_string(ERR_get_error(), NULL));
++			return -1;
++		}
++
+ 		if (s-ssl_empty_fragments) {
+ #ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
+ 			ssloptions = ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS;
+@@ -722,45 +859,42 @@
  #endif
  #endif
  
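Review bot: the new comment ("completely useless identifier; required for client cert verification to work with sessions") will mislead the next maintainer: OpenSSL compares the session id context when a client offers a session for resumption, which is exactly the check in SSL_GET_PREV_SESSION that produced the "session id context uninitialized" errors in the report, so the identifier is what makes resumed sessions acceptable once verify-client is set. Suggest wording it as `/* OpenSSL only resumes a session inside a matching session id context and refuses resumption without one when peer verification is enabled */`. Because the same literal "lighttpd" is used for every SSL_CTX, the context does not separate sessions between server sockets; the protection against resuming a session created without verification therefore rests on the point the header now makes (verify-client must also be enforced in the default context), and a one-line comment saying so would keep the two pieces from being separated later.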
@@ -345,7 +359,7 @@
  			log_error_write(srv, __FILE__, __LINE__, ssb, SSL:,
  	ERR_error_string(ERR_get_error(), NULL), s-ssl_pemfile);
  			return -1;
-@@ -857,7 +983,6 @@
+@@ -857,7 +991,6 @@
  	for (i = 1; i  srv-config_context-used; i++) {
  		data_config *dc = (data_config *)srv-config_context-data[i];
  		specific_config *s = srv-config_storage[i];
@@ -355,8 +369,8 @@
  		if (COMP_SERVER_SOCKET != dc-comp) continue;
 Index: lighttpd-1.4.33/src/server.c
 ===
 

Bug#729480: SSL connections with client certificates no longer working

2013-11-15 Thread gator_ml
On 2013-11-13 18:39, Stefan Bühler wrote:
> I updated our advisory at
[...]
> with the diff from revision 2925:
>   http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2925/diff/

Thanks a lot for the quick reaction!
I can confirm that with your patch added to the debian package
version 1.4.31-4+deb7u1 my problem is solved!

Regards,
  Peter


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#729480: SSL connections with client certificates no longer working

2013-11-13 Thread gator_ml
Package: lighttpd
Version: 1.4.31-4+deb7u1
Severity: important

I am running a webserver that only offers https and normally requires
client certificates. When I install the security upgrade
1.4.31-4+deb7u1 and restart lighttpd, with some delay (when I keep
hitting reload in a client, it works 5-10 times) no more connections
with client certificates succeed.

Firefox reports "connection was interrupted", Chrome
ERR_SSL_PROTOCOL_ERROR, lighttpd's error log fills with messages saying:
 (connections.c.305) SSL: 1 error:140D9115:SSL 
 routines:SSL_GET_PREV_SESSION:session id context uninitialized

Regular https connections (w/o client certificate) continue to
work. After restarting lighttpd, everything works again for a little
while, then trouble starts again.

With lighttpd 1.4.31-4 everything works fine; this problem definitely
has been introduced with the security patches for 1.4.31-4+deb7u1.





Bug#729480: SSL connections with client certificates no longer working

2013-11-13 Thread Stefan Bühler
Hi,

On Wed, 13 Nov 2013 13:51:30 +0100
gator...@yahoo.de wrote:

> Package: lighttpd
> Version: 1.4.31-4+deb7u1
> Severity: important
> 
> I am running a webserver that only offers https and normally requires
> client certificates. When I install the security upgrade
> 1.4.31-4+deb7u1 and restart lighttpd, with some delay (when I keep
> hitting reload in a client, it works 5-10 times) no more connections
> with client certificates succeed.
> 
> Firefox reports "connection was interrupted", Chrome
> ERR_SSL_PROTOCOL_ERROR, lighttpd's error log fills with messages
> saying: (connections.c.305) SSL: 1 error:140D9115:SSL 
>  routines:SSL_GET_PREV_SESSION:session id context uninitialized
> 
> Regular https connections (w/o client certificate) continue to
> work. After restarting lighttpd, everything works again for a little
> while, then trouble starts again.
> 
> With lighttpd 1.4.31-4 everything works fine; this problem definitely
> has been introduced with the security patches for 1.4.31-4+deb7u1.
> 

Damn.

Previously we called
  SSL_CTX_set_session_id_context
and set some internal pointer as the context, but only if verify-peer
was enabled for that context.

As we now enable verify-peer for a connection on the fly, this part
was removed from the code.

After all, why would it be necessary to set a context only if we had to
verify peers? (Also setting an internal pointer felt wrong)

Turns out, that is exactly what openssl wants, without any good reason:
(quoting ssl_sess.c:~564)
 /* We can't be sure if this session is being used out of
  * context, which is especially important for SSL_VERIFY_PEER.
  * The application should have used SSL[_CTX]_set_session_id_context.
  *
  * For this error case, we generate an error instead of treating
  * the event like a cache miss (otherwise it would be easy for
  * applications to effectively disable the session cache by
  * accident without anyone noticing).
  */

I don't think I'll ever use openssl in any software again...

As I'm not sure yet what the context should actually be (setting an
internal pointer is definitely wrong, setting a string like "lighttpd"
might work), I don't have a patch ready yet.


Thanks for reporting!

regards,
Stefan (upstream maintainer)


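The error line in the bug report and the OpenSSL check Stefan quotes fit together: 140D9115 is a packed OpenSSL error code whose low 12 bits (0x115) are the "session id context uninitialized" reason raised by SSL_GET_PREV_SESSION. As an added example that is not part of this thread or of lighttpd, the Python below decodes that code from lighttpd error-log lines (a constructed sample built around the line in the report) and flags the condition as a server-side misconfiguration, the missing SSL_CTX_set_session_id_context() call, rather than a client fault. The packing layout and the reason constant are taken from OpenSSL 1.0.x headers and are assumptions here; the log timestamps and the other sample lines are made up.

```python
import re
from collections import Counter

# Constructed sample of lighttpd error-log lines: the first two repeat the
# line quoted in the bug report, the rest are made up for this example.
SAMPLE_LOG = """\
2013-11-13 13:40:01: (connections.c.305) SSL: 1 error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
2013-11-13 13:40:02: (connections.c.305) SSL: 1 error:140D9115:SSL routines:SSL_GET_PREV_SESSION:session id context uninitialized
2013-11-13 13:40:05: (connections.c.305) SSL: 1 error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
2013-11-13 13:40:07: (log.c.166) server started
"""

# OpenSSL 1.0.x packs an error code as ERR_PACK(lib, func, reason):
# library in bits 24..31, function in bits 12..23, reason in bits 0..11.
ERR_LIB_SSL = 0x14
# Reason code for "session id context uninitialized" (assumed from OpenSSL
# 1.0.x ssl.h); it is also the low 12 bits of 0x140D9115 in the log line.
SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED = 0x115

LOG_RE = re.compile(r"SSL: \d+ error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")

def unpack_error(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_line(line):
    """Return the decoded SSL error from one lighttpd log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    lib, func, reason = unpack_error(int(m.group(1), 16))
    return {"lib": lib, "func": func, "reason": reason,
            "func_name": m.group(3), "reason_text": m.group(4)}

def summarize(log_text):
    """Count SSL errors by reason text and flag a missing session id context.
    The flag means OpenSSL refused to resume a session because the server never
    called SSL_CTX_set_session_id_context(): a server defect, not a client one."""
    counts = Counter()
    sid_ctx_missing = False
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["lib"] != ERR_LIB_SSL:
            continue
        counts[rec["reason_text"]] += 1
        if rec["reason"] == SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED:
            sid_ctx_missing = True
    return {"counts": dict(counts), "session_id_context_missing": sid_ctx_missing}
```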



Bug#729480: SSL connections with client certificates no longer working

2013-11-13 Thread Stefan Bühler
Hi,

I updated our advisory at
  http://download.lighttpd.net/lighttpd/security/lighttpd_sa_2013_01.txt
and the patch at
  http://download.lighttpd.net/lighttpd/security/lighttpd-1.4.33_fix_ssl_sni.patch
with the diff from revision 2925:
  http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2925/diff/


Setting id_context in the SNI callback doesn't seem to have any useful
effect, which makes it really an absolutely useless thing.

Sorry for the trouble.

regards,
Stefan

