From ramkumar.chinchani at gmail.com Sat Feb 7 21:33:29 2015
From: ramkumar.chinchani at gmail.com (Ramkumar Chinchani)
Date: Sat, 7 Feb 2015 20:33:29 +0000
Subject: [mod_gnutls-devel] Patches
Message-ID:

Hi Daniel,

IMO, there are some good patches being contributed on the mailing list.
While I understand that the project needs to be conservative in what gets
accepted so as to not break things, I fear some good work is getting lost.

Perhaps, these can go into an "experimental" branch/tag so that they are
available at a central place.

Thoughts/comments/guidelines?

From thomas2.klute at uni-dortmund.de Sun Feb 15 16:30:39 2015
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Sun, 15 Feb 2015 16:30:39 +0100
Subject: [mod_gnutls-devel] Patches
In-Reply-To:
References:
Message-ID: <54E0BB9F.7080703@uni-dortmund.de>

Hi all,

I've added a wiki page to my mod_gnutls repository on Github. That's no
replacement for upstream merges, but it should hopefully make it easier
for anyone who might be interested to get my patches. Please see:

https://github.com/airtower-luna/mod_gnutls/wiki

I might create a branch aggregating all my work later, but I kind of
want to complete the proxy TLS support first. And while I can't merge
into the upstream repository, I'd be happy to collect useful patches. ;-)

Best regards,
Thomas

On 07.02.2015 at 21:33, Ramkumar Chinchani wrote:
> Hi Daniel,
>
> IMO, there are some good patches being contributed on the mailing list.
> While I understand that the project needs to be conservative in what gets
> accepted so as to not break things, I fear some good work is getting lost.
>
> Perhaps, these can go into an "experimental" branch/tag so that they are
> available at a central place.
>
> Thoughts/comments/guidelines?
>
> _______________________________________________
> mod_gnutls-devel mailing list
> mod_gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/mod_gnutls-devel

From calderon.thomas at gmail.com Mon Feb 16 14:40:13 2015
From: calderon.thomas at gmail.com (Thomas Calderon)
Date: Mon, 16 Feb 2015 14:40:13 +0100
Subject: [mod_gnutls-devel] Patches
In-Reply-To: <54E0BB9F.7080703@uni-dortmund.de>
References: <54E0BB9F.7080703@uni-dortmund.de>
Message-ID:

Hi,

Nikos sent the patch below a couple months ago.
It is a great addition to mod_gnutls and could be aggregated with other
mod_gnutls patches.

Hello,
The attached patch adds PKCS #11/TPM support to mod_gnutls. The
objects (keys and certificates) can be specified as PKCS #11 URLs
[0], and you can see those URLs using gnutls' p11tool. Most probably
some better documentation of these URLs is needed.
This requires gnutls 3.1.3 or later, and as a side-effect this patch
allows encrypted keys to be loaded by mod_gnutls (PKCS #8/#12 and
openssl format).
regards,
Nikos
[0]. http://www.gnutls.org/manual/html_node/Reading-objects.html#Reading-objects

Cheers,

Thomas Calderon

On Sun, Feb 15, 2015 at 4:30 PM, Thomas Klute wrote:
> Hi all,
>
> I've added a wiki page to my mod_gnutls repository on Github. That's no
> replacement for upstream merges, but it should hopefully make it easier
> for anyone who might be interested to get my patches. Please see:
>
> https://github.com/airtower-luna/mod_gnutls/wiki
>
> I might create a branch aggregating all my work later, but I kind of
> want to complete the proxy TLS support first. And while I can't merge
> into the upstream repository, I'd be happy to collect useful patches. ;-)
>
> Best regards,
> Thomas
>
> On 07.02.2015 at 21:33, Ramkumar Chinchani wrote:
> > Hi Daniel,
> >
> > IMO, there are some good patches being contributed on the mailing list.
> > While I understand that the project needs to be conservative in what gets
> > accepted so as to not break things, I fear some good work is getting lost.
> >
> > Perhaps, these can go into an "experimental" branch/tag so that they are
> > available at a central place.
> >
> > Thoughts/comments/guidelines?
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Use-the-new-3.1.3-GnuTLS-APIs-to-obtain-private-keys.patch.gz
Type: application/x-gzip
Size: 12676 bytes
Desc: not available
URL:

From thomas2.klute at uni-dortmund.de Mon Feb 16 17:09:37 2015
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Mon, 16 Feb 2015 17:09:37 +0100
Subject: [mod_gnutls-devel] [SECURITY PATCH] TLS client auth ignores verification result
Message-ID: <54E21641.1050208@uni-dortmund.de>

Hi everyone,

I've discovered a security problem with TLS client auth in mod_gnutls:
The result of peer verification was ignored in the authentication hook
if no directory-specific policy was set.

I first tried to contact the maintainer privately to get an updated
version published before disclosing the issue, but today I noticed that
Marc Ende had already reported what appears to be the same issue on this
list back in May 2014 [1], before I became interested in mod_gnutls. As
such, the issue is already public, and there's no reason to delay
publishing the patch.

I have pushed my client-verify-fix branch containing the patch to
Github [2].
The critical commit is 5a8a32bbfb8a83fe6358c5c31c443325a7775fc2 [3], and I
have attached the patch to this mail, too.

The client-verify-fix branch also contains my previous bug fixes for
reverse proxy operation and an improved test suite, which includes a new
test case "18_client_verification_wrong_cert" that checks if a client
with an invalid certificate correctly receives a "403 Forbidden" response
when client auth is required. If you want to apply only the client auth
patch, I suggest cherry-picking the aforementioned commit.

Regards,
Thomas Klute

[1] http://lists.gnupg.org/pipermail/mod_gnutls-devel/2014-May/000078.html
[2] https://github.com/airtower-luna/mod_gnutls/tree/client-verify-fix
[3] https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-TLS-Client-auth-Check-server-verify-mode-if-unset-fo.patch
Type: text/x-patch
Size: 2123 bytes
Desc: not available
URL:
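The decision the report above describes, as an added example that is not mod_gnutls code (the mode names, the hook signature and the "request" semantics are my assumptions): the vulnerable shape returns early when the directory sets no verify mode, so the peer verification result is never consulted; the fixed shape resolves the effective mode from the server configuration first and then enforces it.

```c
#include <stdio.h>

/* Added example, not mod_gnutls code; all names are hypothetical. It models
 * the report's decision: with no per-directory client verification mode, the
 * auth hook must fall back to the server mode, not ignore the verify result. */
typedef enum {
    VERIFY_UNSET   = -1,  /* no directive at this configuration level */
    VERIFY_IGNORE  =  0,  /* client certificates are not checked */
    VERIFY_REQUEST =  1,  /* optional, but a presented cert must verify */
    VERIFY_REQUIRE =  2   /* a valid client certificate is mandatory */
} verify_mode_t;

enum { HTTP_OK = 200, HTTP_FORBIDDEN = 403 };

/* Before the fix: an unset per-directory mode returns early, so neither the
 * server-wide policy nor the verification result is ever consulted. */
int auth_hook_before_fix(verify_mode_t dir_mode, verify_mode_t srv_mode,
                         int cert_presented, int verify_failed)
{
    (void)srv_mode;                               /* never consulted */
    if (dir_mode == VERIFY_UNSET || dir_mode == VERIFY_IGNORE)
        return HTTP_OK;
    if (dir_mode == VERIFY_REQUIRE && !cert_presented)
        return HTTP_FORBIDDEN;
    return (cert_presented && verify_failed) ? HTTP_FORBIDDEN : HTTP_OK;
}

/* After the fix: resolve the effective mode first (directory overrides
 * server), then enforce it; an unknown mode fails closed. */
int auth_hook_fixed(verify_mode_t dir_mode, verify_mode_t srv_mode,
                    int cert_presented, int verify_failed)
{
    verify_mode_t mode = (dir_mode == VERIFY_UNSET) ? srv_mode : dir_mode;
    switch (mode) {
    case VERIFY_IGNORE:  return HTTP_OK;
    case VERIFY_REQUEST: return (cert_presented && verify_failed) ? HTTP_FORBIDDEN : HTTP_OK;
    case VERIFY_REQUIRE: return (cert_presented && !verify_failed) ? HTTP_OK : HTTP_FORBIDDEN;
    default:             return HTTP_FORBIDDEN;
    }
}

int main(void)
{
    /* Scenario of test case 18_client_verification_wrong_cert: server requires
     * client auth, the directory sets nothing, the presented cert fails. */
    printf("before fix: %d, after fix: %d\n",
           auth_hook_before_fix(VERIFY_UNSET, VERIFY_REQUIRE, 1, 1),
           auth_hook_fixed(VERIFY_UNSET, VERIFY_REQUIRE, 1, 1));
    return 0;
}
```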
From thomas2.klute at uni-dortmund.de Wed Feb 18 14:13:08 2015
From: thomas2.klute at uni-dortmund.de (Thomas Klute)
Date: Wed, 18 Feb 2015 14:13:08 +0100
Subject: [mod_gnutls-devel] Patches
In-Reply-To:
References: <54E0BB9F.7080703@uni-dortmund.de>
Message-ID: <54E48FE4.6050608@uni-dortmund.de>

Hi,

PKCS #11/TPM support definitely looks interesting! The patch doesn't
apply cleanly to current master, though, so I've pulled it from Nikos'
repository [1] and pushed to a separate branch [2]. Since it's a large
patch it'll probably be a while until I can get a good look at it. If
anyone wants to start removing the merge conflicts with master: post
patches or pull requests! ;-)

Regards,
Thomas

[1] https://github.com/nmav/mod_gnutls
[2] https://github.com/airtower-luna/mod_gnutls/tree/from-nmav

On 16.02.2015 at 14:40, Thomas Calderon wrote:
> Hi,
>
> Nikos sent the patch below a couple months ago.
> It is a great addition to mod_gnutls and could be aggregated with other
> mod_gnutls patches.
>
> Hello,
> The attached patch adds PKCS #11/TPM support to mod_gnutls. The
> objects (keys and certificates) can be specified as PKCS #11 URLs
> [0], and you can see those URLs using gnutls' p11tool. Most probably
> some better documentation of these URLs is needed.
> This requires gnutls 3.1.3 or later, and as a side-effect this patch
> allows encrypted keys to be loaded by mod_gnutls (PKCS #8/#12 and
> openssl format).
> regards,
> Nikos
> [0]. http://www.gnutls.org/manual/html_node/Reading-objects.html#Reading-objects
>
> Cheers,
>
> Thomas Calderon
>
> On Sun, Feb 15, 2015 at 4:30 PM, Thomas Klute wrote:
>
>> Hi all,
>>
>> I've added a wiki page to my mod_gnutls repository on Github.
>> That's no
>> replacement for upstream merges, but it should hopefully make it easier
>> for anyone who might be interested to get my patches. Please see:
>>
>> https://github.com/airtower-luna/mod_gnutls/wiki
>>
>> I might create a branch aggregating all my work later, but I kind of
>> want to complete the proxy TLS support first. And while I can't merge
>> into the upstream repository, I'd be happy to collect useful patches. ;-)
>>
>> Best regards,
>> Thomas
>>
>> On 07.02.2015 at 21:33, Ramkumar Chinchani wrote:
>>> Hi Daniel,
>>>
>>> IMO, there are some good patches being contributed on the mailing list.
>>> While I understand that the project needs to be conservative in what gets
>>> accepted so as to not break things, I fear some good work is getting lost.
>>>
>>> Perhaps, these can go into an "experimental" branch/tag so that they are
>>> available at a central place.
>>>
>>> Thoughts/comments/guidelines?
>>
>

From ramkumar.chinchani at gmail.com Tue Feb 24 21:00:46 2015
From: ramkumar.chinchani at gmail.com (Ramkumar Chinchani)
Date: Tue, 24 Feb 2015 12:00:46 -0800
Subject: [mod_gnutls-devel] cURL patch for RFC 6091
Message-ID:

Thought it might be useful to share since RFC 6091 requires both server
and client support to work.

FYI: http://curl.haxx.se/mail/lib-2015-02/0188.html

Regards.