[mod_gnutls-devel] [PATCH 1/2] GnuTLSExportCertificates should control maximum size of exported certs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Feb 23 19:15:22 CET 2014


The server administrator should be able to control the maximum size of
the exported certificate environment variables.  This will be done via
the existing GnuTLSExportCertificates environment variable.

This patch adds documentation of intended new feature and a test for
support.  The test currently fails because the feature is not
implemented.
---
 docs/mod_gnutls_manual.mdwn                    | 31 +++++++++++++++++++++-----
 t/tests/17_cgi_vars_large_cert/apache.conf     | 22 ++++++++++++++++++
 t/tests/17_cgi_vars_large_cert/gnutls-cli.args |  4 ++++
 t/tests/17_cgi_vars_large_cert/input           |  3 +++
 t/tests/17_cgi_vars_large_cert/output          | 14 ++++++++++++
 5 files changed, 68 insertions(+), 6 deletions(-)
 create mode 100644 t/tests/17_cgi_vars_large_cert/apache.conf
 create mode 100644 t/tests/17_cgi_vars_large_cert/gnutls-cli.args
 create mode 100644 t/tests/17_cgi_vars_large_cert/input
 create mode 100644 t/tests/17_cgi_vars_large_cert/output

diff --git a/docs/mod_gnutls_manual.mdwn b/docs/mod_gnutls_manual.mdwn
index eecf5b1..4c333df 100644
--- a/docs/mod_gnutls_manual.mdwn
+++ b/docs/mod_gnutls_manual.mdwn
@@ -372,14 +372,26 @@ achieve maximum compatibility (some broken mobile clients need this).
 
 Export the PEM encoded certificates to CGIs
 
-    GnuTLSExportCertificates [on|off]
+    GnuTLSExportCertificates [off|on|SIZE]
 
 Default: `off`\
 Context: server config, virtual host
 
-This directive enables exporting the full certificates of the server and
-the client to CGI scripts. The exported certificates will be PEM-encoded
-(if X.509) or ASCII-armored (if OpenPGP).
+This directive configures exporting the full certificates of the
+server and the client to CGI scripts via the `SSL_SERVER_CERT` and
+`SSL_CLIENT_CERT` environment variables. The exported certificates
+will be PEM-encoded (if X.509) or ASCII-armored (if OpenPGP) up to the
+size given.  The type of the certificate will be exported in
+`SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE`.
+
+SIZE should be an integer number of bytes, or may be written with a
+trailing `K` to indicate kibibytes.  `off` means the same thing as
+`0`, in which case the certificates will not be exported to the
+environment.  `on` is an alias for `16K`.  If a non-zero size is
+specified for this directive, but a certificate is too large to fit in
+the buffer, then the corresponding environment variable will contain
+the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`.
+
 With GnuTLSExportCertificates enabled, `mod_gnutls` exports the same
 environment variables to the CGI process as `mod_ssl`.
 
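Review bot: the new paragraph at the top of this hunk says the certificates are exported "up to the size given", which reads as though an oversized certificate is truncated, while the paragraph that follows says it is replaced by the fixed string `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED`; reword the first to "if they fit within the configured size" so the two agree. The text also leaves two questions a CGI author will have: whether SIZE counts the `-----BEGIN/END-----` lines and the terminating NUL (that is, whether `512` admits a certificate whose PEM form is exactly 512 bytes), and whether `SSL_SERVER_CERT_TYPE` and `SSL_CLIENT_CERT_TYPE` are still set when the directive is `off`/`0` or when the limit is exceeded. Since only a bare integer and a trailing `K` are described, say explicitly that any other suffix (e.g. `M`) or a negative value is a configuration error rather than silently treated as `off`.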
@@ -670,16 +682,23 @@ The algorithm used for the signature in server's certificate.
 
 The public key algorithm in server's certificate.
 
-`SSL_SERVER1_CERT`
+`SSL_SERVER_CERT`
 ------------------
 
-The PEM-encoded server certificate.
+The PEM-encoded (X.509) or ASCII-armored (OpenPGP) server certificate
+(see the `GnuTLSExportCertificates` directive).
 
 `SSL_SERVER_CERT_TYPE`
 ----------------------
 
 The certificate type can be `X.509` or `OPENPGP`.
 
+`SSL_CLIENT_CERT`
+------------------
+
+The PEM-encoded (X.509) or ASCII-armored (OpenPGP) client certificate
+(see the `GnuTLSExportCertificates` directive).
+
 `SSL_CLIENT_CERT_TYPE`
 ----------------------
 
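Review bot: the rename of `SSL_SERVER1_CERT` to `SSL_SERVER_CERT` at the start of this hunk corrects the existing manual rather than documenting the new size feature, and nothing else in the patch shows which name the module actually sets; confirm it against the code and mention the typo fix in the commit message, or split it into its own commit. The new `SSL_CLIENT_CERT` entry should also state what the variable contains when the client presented no certificate, which `GnuTLSClientVerify request` (as used in the new test configuration) permits.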
diff --git a/t/tests/17_cgi_vars_large_cert/apache.conf b/t/tests/17_cgi_vars_large_cert/apache.conf
new file mode 100644
index 0000000..d4cfd2b
--- /dev/null
+++ b/t/tests/17_cgi_vars_large_cert/apache.conf
@@ -0,0 +1,22 @@
+Include ${PWD}/../../base_apache.conf
+
+LoadModule cgi_module /usr/lib/apache2/modules/mod_cgi.so
+
+AddHandler cgi-script .cgi
+
+GnuTLSCache dbm cache/gnutls_cache
+
+<Directory ${PWD}/../../data>
+ Options +ExecCGI
+</Directory>
+
+<VirtualHost ${TEST_IP}:${TEST_PORT}>
+ ServerName ${TEST_HOST}
+ GnuTLSEnable On
+ GnuTLSCertificateFile server/x509.pem
+ GnuTLSKeyFile server/secret.key
+ GnuTLSPriorities NORMAL
+ GnuTLSClientCAFile authority/x509.pem
+ GnuTLSClientVerify request
+ GnuTLSExportCertificates 512
+</VirtualHost>
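Review bot: `LoadModule cgi_module /usr/lib/apache2/modules/mod_cgi.so` hard-codes a Debian-style module directory while every other path in this file is resolved through `${PWD}` or a `${TEST_*}` variable, so the test server will fail to start wherever mod_cgi lives elsewhere; resolve it through an environment variable like the others or move the `LoadModule` into `base_apache.conf`. The limit itself, `GnuTLSExportCertificates 512`, is a sound choice for the test: 512 bytes is well below the size of a PEM-encoded RSA certificate, so the server certificate in `server/x509.pem` is guaranteed to exceed it whatever its key size.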
diff --git a/t/tests/17_cgi_vars_large_cert/gnutls-cli.args b/t/tests/17_cgi_vars_large_cert/gnutls-cli.args
new file mode 100644
index 0000000..ce71607
--- /dev/null
+++ b/t/tests/17_cgi_vars_large_cert/gnutls-cli.args
@@ -0,0 +1,4 @@
+--x509certfile=../../client/x509.pem
+--x509keyfile=../../client/secret.key
+--x509cafile=../../authority/x509.pem
+--priority=NORMAL:-KX-ALL:+DHE-RSA
diff --git a/t/tests/17_cgi_vars_large_cert/input b/t/tests/17_cgi_vars_large_cert/input
new file mode 100644
index 0000000..623c4ef
--- /dev/null
+++ b/t/tests/17_cgi_vars_large_cert/input
@@ -0,0 +1,3 @@
+GET /dump.cgi HTTP/1.1
+Host: __HOSTNAME__
+
diff --git a/t/tests/17_cgi_vars_large_cert/output b/t/tests/17_cgi_vars_large_cert/output
new file mode 100644
index 0000000..e4cf184
--- /dev/null
+++ b/t/tests/17_cgi_vars_large_cert/output
@@ -0,0 +1,14 @@
+----Certificate:----
+GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED
+
+----Verification Status:----
+SUCCESS
+
+----SubjectAltName:----
+RFC822NAME:test0 at modgnutls.test
+
+DH prime bits: 2048
+
+0
+
+- Peer has closed the GnuTLS connection
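Review bot: this expected output covers only the limit-exceeded path, so an implementation that always emitted `GNUTLS_CERTIFICATE_SIZE_LIMIT_EXCEEDED` would pass it; nothing in the patch exercises the `K` suffix, `on` as an alias for `16K`, or a limit under which the certificate is actually exported. Add a sibling test with a generous limit whose expected output contains the PEM certificate itself. Separately, the pinned `DH prime bits: 2048` line depends on the server's DH parameters and on the `+DHE-RSA` priority in gnutls-cli.args rather than on the feature under test, so a later change to the test key material would break this test for an unrelated reason; if the existing CGI tests already pin that line it is at least consistent, otherwise match only the `----Certificate:----` block.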
-- 
1.8.5.3