[pkg-uWSGI-devel] Bug#866005: Backport TLS Client Certificate wsgi blob

Paul Tagliamonte paultag at debian.org
Mon Jun 26 14:09:39 UTC 2017


Package: uwsgi
Severity: wishlist
thanks

Thanks for maintaining uwsgi,

Attached is a debdiff adding the ability to write the full x.509 DER
into the buffer for use by clients during runtime. This feature is
intended to allow clients to handle per-user ACL with the direct x.509
Certificate, without having to configure the webserver to extract the
right bits, which may or may not be custom extensions.

One such example would be using and extracting the UPN SAN, or some
other exotic extension at runtime.

This patch is already merged in master, and can be dropped when the next
release is tarred up.

-- 
-------------- next part --------------
diff -Nru uwsgi-2.0.15/debian/changelog uwsgi-2.0.15/debian/changelog
--- uwsgi-2.0.15/debian/changelog	2017-06-20 06:00:19.000000000 -0400
+++ uwsgi-2.0.15/debian/changelog	2017-06-26 02:00:00.000000000 -0400
@@ -1,3 +1,14 @@
+uwsgi (2.0.15-2.1) UNRELEASED; urgency=medium
+
+  [ Paul Tagliamonte ]
+  * Backport an upstreamed patch to insert the validated x509 client
+    Certificate in the wsgi object.
+
+  [ Jonas Smedegaard ]
+  * 
+
+ -- Jonas Smedegaard <dr at jones.dk>  Tue, 26 Jun 2017 08:00:00 +0200
+
 uwsgi (2.0.15-2) unstable; urgency=medium
 
   * Add patches cherry-picked upstream:
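Review bot: the `[ Jonas Smedegaard ]` stanza with the bare `+  * ` bullet is an empty placeholder left over from the changelog template; drop that stanza (or fill it in) before upload, since an empty bullet is a lintian error. Also the entry is written for `UNRELEASED` with the version `2.0.15-2.1`, which is the NMU version form, yet the trailer is signed by Jonas Smedegaard rather than the author of the change; whoever uploads should regenerate the trailer so the signer and version form agree.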
diff -Nru uwsgi-2.0.15/debian/patches/1015_write_x509_der.patch uwsgi-2.0.15/debian/patches/1015_write_x509_der.patch
--- uwsgi-2.0.15/debian/patches/1015_write_x509_der.patch	1969-12-31 19:00:00.000000000 -0500
+++ uwsgi-2.0.15/debian/patches/1015_write_x509_der.patch	2017-06-26 02:00:00.000000000 -0400
@@ -0,0 +1,30 @@
+Description: Write x509 DER to the uwsgi buffer
+ This will write the full x.509 DER into the buffer for use by clients
+ during runtime. This feature is intended to allow clients to handle
+ per-user ACL with the direct x.509 Certificate, without having to
+ configure the webserver to extract the right bits, which may or may not
+ be custom extensions.
+ .
+ One such example would be using and extracting the UPN SAN, or some
+ other exotic extension.
+Author: Paul Tagliamomnte <paultag at debian.org>
+Origin: upstream, https://github.com/unbit/uwsgi/pull/1562
+Last-Update: 2017-06-26
+
+diff --git a/plugins/http/https.c b/plugins/http/https.c
+index 4bb04c90..836ce09a 100644
+--- a/plugins/http/https.c
++++ b/plugins/http/https.c
+@@ -179,6 +179,12 @@ int hr_https_add_vars(struct http_session *hr, struct corerouter_peer *peer, str
+ #endif
+                 hr->ssl_client_cert = SSL_get_peer_certificate(hr->ssl);
+                 if (hr->ssl_client_cert) {
++                        int client_cert_len;
++                        unsigned char *client_cert_der = NULL;
++                        client_cert_len = i2d_X509(hr->ssl_client_cert, &client_cert_der);
++                        if (client_cert_len < 0) return -1;
++                        if (uwsgi_buffer_append_keyval(out, "HTTPS_CLIENT_CERTIFICATE", 24, (char*)client_cert_der, client_cert_len)) return -1;
++
+                         X509_NAME *name = X509_get_subject_name(hr->ssl_client_cert);
+                         if (name) {
+                                 hr->ssl_client_dn = X509_NAME_oneline(name, NULL, 0);
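Review bot: `client_cert_der` leaks on every TLS handshake that presents a client certificate: `i2d_X509(hr->ssl_client_cert, &client_cert_der)` with a NULL output pointer makes OpenSSL allocate the DER buffer, `uwsgi_buffer_append_keyval()` copies it into `out`, and nothing releases it afterwards, neither on the success path nor on the `return -1` taken when the append fails. Add `OPENSSL_free(client_cert_der);` after the append, and free it before that early return as well. Two smaller points: the `Author:` line in the DEP-3 header misspells the name as `Tagliamomnte`, and the value appended is raw binary DER, so the description should say that `HTTPS_CLIENT_CERTIFICATE` must be consumed as bytes rather than as a text CGI variable.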
diff -Nru uwsgi-2.0.15/debian/patches/series uwsgi-2.0.15/debian/patches/series
--- uwsgi-2.0.15/debian/patches/series	2017-06-20 05:59:17.000000000 -0400
+++ uwsgi-2.0.15/debian/patches/series	2017-06-26 02:00:00.000000000 -0400
@@ -8,3 +8,4 @@
 1005_avoid_auto_ptr.patch
 1009_fix_java_paths.patch
 1010_support_java_pass_includes.patch
+1015_write_x509_der.patch
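One consumer of the new `HTTPS_CLIENT_CERTIFICATE` variable, as an added example that is not part of the patch or of uwsgi: a WSGI app that walks the certificate DER with a small stdlib ASN.1 reader, extracts the UPN otherName from subjectAltName and applies a per-user ACL, denying on malformed input. The ACL, the sample blob and the assumption that the value reaches the app as bytes or a latin-1 `str` are constructed for this example.

```python
# Added example, not uwsgi code: read the HTTPS_CLIENT_CERTIFICATE DER the patch exposes and
# pull the UPN from subjectAltName for a per-user ACL. Stdlib only; walker, ACL and sample are constructed.
SAN_OID = bytes.fromhex("551d11")                 # 2.5.29.17  subjectAltName
UPN_OID = bytes.fromhex("2b060104018237140203")  # 1.3.6.1.4.1.311.20.2.3 UPN (otherName type-id)
ALLOWED_UPNS = {"alice@corp.example"}             # constructed per-user ACL
def _children(buf):                               # yield the (tag, value) TLVs inside a DER value
    pos = 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                              # long-form length: low bits = number of length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        if pos + n > len(buf):
            raise ValueError("truncated DER")
        yield tag, buf[pos:pos + n]
        pos += n
def _find_san(node):                              # depth-first search for the SAN Extension
    kids = list(_children(node))
    if kids and kids[0] == (0x06, SAN_OID):       # Extension ::= SEQUENCE {OID, [BOOLEAN], OCTET STRING}
        return next((v for t, v in kids if t == 0x04), None)
    for tag, val in kids:
        if tag & 0x20:                            # constructed type: descend
            found = _find_san(val)
            if found is not None:
                return found
    return None
def extract_upn(cert_der):                        # UPN from the SAN otherName; None if absent or malformed
    try:
        san = _find_san(bytes(cert_der)) or b""   # extnValue wraps the GeneralNames SEQUENCE
        for tag, gn in _children(next(_children(san), (0, b""))[1]):
            if tag == 0xA0:                       # [0] otherName { type-id OID, [0] EXPLICIT value }
                (_, oid), (wrap, val) = list(_children(gn))
                if oid == UPN_OID and wrap == 0xA0:
                    return next(_children(val))[1].decode("utf-8")
    except (ValueError, IndexError, UnicodeDecodeError):
        pass                                      # malformed input yields no UPN, so the ACL denies
    return None
def application(environ, start_response):        # WSGI app; value assumed to be bytes or a latin-1 str
    raw = environ.get("HTTPS_CLIENT_CERTIFICATE", b"")
    upn = extract_upn(raw.encode("latin-1") if isinstance(raw, str) else raw)
    status = "200 OK" if upn in ALLOWED_UPNS else "403 Forbidden"
    start_response(status, [("Content-Type", "text/plain")])
    return [f"{status} upn={upn}\n".encode()]
def der_enc(tag, body):                           # short-form DER TLV, used only to build the sample
    return bytes([tag, len(body)]) + body

# Constructed stand-in for a cert: only the nesting a real one has around its SAN extension.
SAMPLE_CERT_DER = der_enc(0x30, der_enc(0x30, der_enc(0xA3, der_enc(0x30, der_enc(0x30,
    der_enc(0x06, SAN_OID) + der_enc(0x04, der_enc(0x30, der_enc(0xA0, der_enc(0x06, UPN_OID)
    + der_enc(0xA0, der_enc(0x0C, b"alice@corp.example"))) + der_enc(0x82, b"host.corp.example"))))))))
```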