[mod_gnutls-devel] [SECURITY PATCH] TLS client auth ignores verification result

Thomas Klute thomas2.klute at uni-dortmund.de
Mon Feb 16 17:09:37 CET 2015



Hi everyone,

I've discovered a security problem with TLS client auth in mod_gnutls:
The result of peer verification was ignored in the authentication hook
if no directory specific policy was set. I first tried to contact the
maintainer privately to get an updated version published before
disclosing the issue, but today I noticed that Marc Ende had already
reported what appears to be the same issue on this list back in May
2014 [1], before I became interested in mod_gnutls.

As such, the issue is already public, and there's no reason to delay
publishing the patch. I have pushed my client-verify-fix branch
containing the patch to GitHub [2]. The critical commit is
5a8a32bbfb8a83fe6358c5c31c443325a7775fc2 [3], and I have attached the
patch to this mail, too.

The client-verify-fix branch also contains my previous bug fixes for
reverse proxy operation and an improved test suite, which includes a
new test case "18_client_verification_wrong_cert" that checks if a
client with an invalid certificate correctly receives a "403
Forbidden" response when client auth is required. If you want to apply
only the client auth patch, I suggest cherry-picking the
aforementioned commit.

Regards,
Thomas Klute

[1] http://lists.gnupg.org/pipermail/mod_gnutls-devel/2014-May/000078.html
[2] https://github.com/airtower-luna/mod_gnutls/tree/client-verify-fix
[3] https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-TLS-Client-auth-Check-server-verify-mode-if-unset-fo.patch
Type: text/x-patch
Size: 2123 bytes
Desc: not available
URL: </pipermail/attachments/20150216/db0052d1/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-TLS-Client-auth-Check-server-verify-mode-if-unset-fo.patch.sig
Type: application/pgp-signature
Size: 543 bytes
Desc: not available
URL: </pipermail/attachments/20150216/db0052d1/attachment.sig>
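The bug the mail describes, reduced to a single decision function as an added illustration; this is not mod_gnutls code and not the attached patch. The names verify_mode, effective_mode and client_auth_status are hypothetical, and the fallback to the server-wide mode is assumed from the patch title "Check server verify mode if unset for directory".

```c
/* Illustration (not mod_gnutls code) of how ignoring the peer verification
 * result arises when the per-directory verify mode is unset, and how a
 * fallback to the server-wide mode closes the hole. Names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

enum verify_mode {
    VERIFY_UNSET = -1,  /* no directory-specific policy configured */
    VERIFY_IGNORE = 0,  /* never ask for a client certificate */
    VERIFY_REQUEST = 1, /* ask, but do not require one */
    VERIFY_REQUIRE = 2  /* a valid client certificate is mandatory */
};

/* Pick the mode that applies to a request. Before the fix an unset
 * directory mode was used as-is; with the fix it falls back to the
 * server-wide setting (assumed behaviour, modelled on the patch title). */
static enum verify_mode effective_mode(enum verify_mode dir_mode,
                                       enum verify_mode server_mode,
                                       bool fixed)
{
    if (dir_mode == VERIFY_UNSET && fixed)
        return server_mode;
    return dir_mode;
}

/* peer_verified: outcome of GnuTLS peer verification (true = chain valid).
 * Returns 403 when a required client certificate failed verification,
 * otherwise 0 (request allowed to proceed). */
int client_auth_status(enum verify_mode dir_mode, enum verify_mode server_mode,
                       bool peer_verified, bool fixed)
{
    enum verify_mode mode = effective_mode(dir_mode, server_mode, fixed);
    if (mode == VERIFY_REQUIRE)
        return peer_verified ? 0 : 403;
    /* IGNORE, REQUEST and (unfixed) UNSET never consult the result: this
     * is exactly the hole when the server requires a certificate. */
    return 0;
}

int main(void)
{
    /* Scenario of test 18: server requires client auth, directory has no
     * policy, client presents an invalid certificate. */
    printf("before fix: %d\n",
           client_auth_status(VERIFY_UNSET, VERIFY_REQUIRE, false, false));
    printf("after fix:  %d\n",
           client_auth_status(VERIFY_UNSET, VERIFY_REQUIRE, false, true));
    return 0;
}
```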