Your message dated Sat, 09 Jan 2021 15:38:37 +0100
with message-id <[email protected]>
and subject line Re: [pkg-uWSGI-devel] Bug#866005: Backport TLS Client Certificate wsgi blob
has caused the Debian Bug report #866005,
regarding Backport TLS Client Certificate fixes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
866005: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=866005
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: uwsgi
Severity: wishlist
thanks

Thanks for maintaining uwsgi,

Attached is a debdiff adding the ability to write the full x.509 DER
into the buffer for use by clients during runtime. This feature is
intended to allow clients to handle per-user ACL with the direct x.509
Certificate, without having to configure the webserver to extract the
right bits, which may or may not be custom extensions.

One such example would be using and extracting the UPN SAN, or some
other exotic extension at runtime.

This patch is already merged in master, and can be dropped when the next
release is tarred up.

-- 
diff -Nru uwsgi-2.0.15/debian/changelog uwsgi-2.0.15/debian/changelog
--- uwsgi-2.0.15/debian/changelog       2017-06-20 06:00:19.000000000 -0400
+++ uwsgi-2.0.15/debian/changelog       2017-06-26 02:00:00.000000000 -0400
@@ -1,3 +1,14 @@
+uwsgi (2.0.15-2.1) UNRELEASED; urgency=medium
+
+  [ Paul Tagliamonte ]
+  * Backport an upstreamed patch to insert the validated x509 client
+    Certificate in the wsgi object.
+
+  [ Jonas Smedegaard ]
+  * 
+
+ -- Jonas Smedegaard <[email protected]>  Tue, 26 Jun 2017 08:00:00 +0200
+
 uwsgi (2.0.15-2) unstable; urgency=medium
 
   * Add patches cherry-picked upstream:
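Review bot: the "[ Jonas Smedegaard ]" section of the new entry holds only an empty "* " bullet, which will ship as an empty changelog item unless it is filled in or the section is dropped before upload. Two smaller points on the same entry: the trailer reads "Tue, 26 Jun 2017", but 26 Jun 2017 was a Monday (lintian warns on a mismatched weekday), and the version "2.0.15-2.1" is NMU style while the trailer names the maintainer; a maintainer upload would normally be "2.0.15-3".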
diff -Nru uwsgi-2.0.15/debian/patches/1015_write_x509_der.patch uwsgi-2.0.15/debian/patches/1015_write_x509_der.patch
--- uwsgi-2.0.15/debian/patches/1015_write_x509_der.patch       1969-12-31 19:00:00.000000000 -0500
+++ uwsgi-2.0.15/debian/patches/1015_write_x509_der.patch       2017-06-26 02:00:00.000000000 -0400
@@ -0,0 +1,30 @@
+Description: Write x509 DER to the uwsgi buffer
+ This will write the full x.509 DER into the buffer for use by clients
+ during runtime. This feature is intended to allow clients to handle
+ per-user ACL with the direct x.509 Certificate, without having to
+ configure the webserver to extract the right bits, which may or may not
+ be custom extensions.
+ .
+ One such example would be using and extracting the UPN SAN, or some
+ other exotic extension.
+Author: Paul Tagliamomnte <[email protected]>
+Origin: upstream, https://github.com/unbit/uwsgi/pull/1562
+Last-Update: 2017-06-26
+
+diff --git a/plugins/http/https.c b/plugins/http/https.c
+index 4bb04c90..836ce09a 100644
+--- a/plugins/http/https.c
++++ b/plugins/http/https.c
+@@ -179,6 +179,12 @@ int hr_https_add_vars(struct http_session *hr, struct 
corerouter_peer *peer, str
+ #endif
+                 hr->ssl_client_cert = SSL_get_peer_certificate(hr->ssl);
+                 if (hr->ssl_client_cert) {
++                        int client_cert_len;
++                        unsigned char *client_cert_der = NULL;
++                        client_cert_len = i2d_X509(hr->ssl_client_cert, 
&client_cert_der);
++                        if (client_cert_len < 0) return -1;
++                        if (uwsgi_buffer_append_keyval(out, 
"HTTPS_CLIENT_CERTIFICATE", 24, (char*)client_cert_der, client_cert_len)) 
return -1;
++
+                         X509_NAME *name = 
X509_get_subject_name(hr->ssl_client_cert);
+                         if (name) {
+                                 hr->ssl_client_dn = X509_NAME_oneline(name, 
NULL, 0);
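Review bot: client_cert_der is never freed. Because it is initialised to NULL, i2d_X509 allocates the output buffer and hands ownership to the caller, so once uwsgi_buffer_append_keyval has copied the bytes the hunk needs an OPENSSL_free(client_cert_der); as written, every HTTPS request that presents a client certificate leaks one DER's worth of memory in the router, and the "return -1" on the append-failure path leaks it as well. Since the patch is marked "Origin: upstream" (PR 1562), the fix belongs upstream first, with the backport refreshed from it. Two smaller points: the value is raw DER appended alongside text headers, so the Description should tell consumers to treat HTTPS_CLIENT_CERTIFICATE as binary rather than text, and the Author line misspells the name as "Tagliamomnte".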
diff -Nru uwsgi-2.0.15/debian/patches/series uwsgi-2.0.15/debian/patches/series
--- uwsgi-2.0.15/debian/patches/series  2017-06-20 05:59:17.000000000 -0400
+++ uwsgi-2.0.15/debian/patches/series  2017-06-26 02:00:00.000000000 -0400
@@ -8,3 +8,4 @@
 1005_avoid_auto_ptr.patch
 1009_fix_java_paths.patch
 1010_support_java_pass_includes.patch
+1015_write_x509_der.patch

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Version: debian/2.0.17.1-1

Quoting Paul Tagliamonte (2017-06-26 16:09:39)
> Attached is a debdiff adding the ability to write the full x.509 DER
> into the buffer for use by clients during runtime. This feature is
> intended to allow clients to handle per-user ACL with the direct x.509
> Certificate, without having to configure the webserver to extract the
> right bits, which may or may not be custom extensions.
> 
> One such example would be using and extracting the UPN SAN, or some
> other exotic extension at runtime.
> 
> This patch is already merged in master, and can be dropped when the next
> release is tarred up.

This was merged into upstream release 2.0.16 and included in Debian 
since debian/2.0.17.1-1

Thanks for reporting,

 - Jonas

-- 
 * Jonas Smedegaard - idealist & Internet architect
 * Tel.: +45 40843136  Website: http://dr.jones.dk/

 [x] quote me freely  [ ] ask before reusing  [ ] keep private

Attachment: signature.asc
Description: signature


--- End Message ---
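An added example, not code from the bug report, the debdiff or uWSGI itself, of the consumer side the report describes: a WSGI application reads the raw X.509 DER that the patch places in HTTPS_CLIENT_CERTIFICATE, pulls the UPN out of the subjectAltName otherName (OID 1.3.6.1.4.1.311.20.2.3) and makes a per-user ACL decision on it, the "extract the UPN SAN at runtime" case the report gives. Everything not on the page is assumed or constructed: the small hand-written DER reader stands in for a real X.509 library, the sample certificate is built inline without a signature, the allow-list is made up, and the latin-1 re-encoding assumes a Python 3 uwsgi application receives the binary variable as a str decoded byte-for-byte. The application only gets to see a certificate the web server has already validated (the patch runs after SSL_get_peer_certificate), so the reader's job is to refuse, not crash, on anything it cannot parse.

```python
# Added example (not from the bug report or uWSGI): WSGI-side consumer of the raw
# X.509 DER in HTTPS_CLIENT_CERTIFICATE, applying a per-user ACL on the UPN SAN.
# The minimal DER reader stands in for an X.509 library; sample cert, allow-list
# and environ are constructed for the example.

UPN_OID = "1.3.6.1.4.1.311.20.2.3"     # Microsoft User Principal Name otherName
SAN_OID = "2.5.29.17"                  # id-ce-subjectAltName
ALLOWED_UPNS = {"alice@corp.example"}  # constructed allow-list

def _tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits count length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    """Yield (tag, content) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, inner, pos = _tlv(content, pos)
        yield tag, inner

def _decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extract_upn(cert_der):
    """Return the UPN from the SAN otherName, or None if the cert has none."""
    _, cert, _ = _tlv(cert_der)                       # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert)                            # tbsCertificate SEQUENCE
    for tag, value in _children(tbs):
        if tag != 0xA3:                               # [3] EXPLICIT Extensions
            continue
        _, exts, _ = _tlv(value)
        for _, ext in _children(exts):
            fields = list(_children(ext))             # extnID, [critical], extnValue
            if _decode_oid(fields[0][1]) != SAN_OID:
                continue
            _, names, _ = _tlv(fields[-1][1])         # GeneralNames in the OCTET STRING
            for ntag, name in _children(names):
                if ntag != 0xA0:                      # otherName [0] IMPLICIT
                    continue
                (_, type_id), (_, wrapped) = _children(name)
                if _decode_oid(type_id) == UPN_OID:
                    _, utf8, _ = _tlv(wrapped)        # value [0] EXPLICIT UTF8String
                    return utf8.decode("utf-8")
    return None

def authorize(environ, allowed=ALLOWED_UPNS):
    """ACL decision as (status, body); malformed DER is refused, not a crash."""
    der = environ.get("HTTPS_CLIENT_CERTIFICATE")
    if der is None:
        return "401 Unauthorized", b"client certificate required\n"
    if isinstance(der, str):         # assumption: uwsgi hands a Python 3 app the
        der = der.encode("latin-1")  # binary value as a byte-for-byte decoded str
    try:
        upn = extract_upn(der)
    except (IndexError, ValueError):
        upn = None
    if upn is None or upn not in allowed:
        return "403 Forbidden", b"no matching UPN\n"
    return "200 OK", ("hello " + upn + "\n").encode("utf-8")

# Constructed, unsigned test certificate carrying only the fields the reader needs.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def build_sample_cert(upn):
    other_name = _der(0xA0, _encode_oid(UPN_OID) + _der(0xA0, _der(0x0C, upn.encode("utf-8"))))
    ext = _der(0x30, _encode_oid(SAN_OID) + _der(0x04, _der(0x30, other_name)))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # version v3, serial
           + _der(0x30, _encode_oid("1.2.840.113549.1.1.11"))      # signature algorithm
           + _der(0x30, b"") * 4                                    # issuer, validity, subject, spki (placeholders)
           + _der(0xA3, _der(0x30, ext)))                           # [3] extensions
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

A WSGI "application(environ, start_response)" callable would simply call authorize(environ) and pass the status and body through. Parsing stops at the first UPN otherName; a certificate with several would need the policy to say which one wins, and a deployment that relies on this must still leave certificate validation to the web server, since nothing in the application checks the signature or chain.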