Your message dated Sat, 12 Nov 2022 11:16:27 +0100 with message-id <[email protected]> and subject line Request no longer relevant has caused the Debian Bug report #797747, regarding Please implement client certificate support to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 797747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797747 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: netsurf Version: 3.2+dfsg-2.2 Severity: wishlist Tags: patch Hello, I tried out netsurf to see if and how it could access Debian sites using client cert authentication[1]. As it is it does not work, but with this three line change, and certificate files stored locally on disk, I can successfully access the site authenticated as myself: --- netsurf-3.2+dfsg/netsurf/content/fetchers/curl.c 2014-08-28 21:08:04.000000000 +0200 +++ netsurf-3.2+dfsg-enrico/netsurf/content/fetchers/curl.c 2015-09-02 10:37:08.000000000 +0200 @@ -233,6 +233,10 @@ SETOPT(CURLOPT_NOSIGNAL, 1L); SETOPT(CURLOPT_CONNECTTIMEOUT, 30L); + SETOPT(CURLOPT_SSLCERTTYPE, "PEM"); + SETOPT(CURLOPT_SSLCERT, "enrico.crt"); + SETOPT(CURLOPT_SSLKEY, "enrico.key"); + if (nsoption_charp(ca_bundle) && strcmp(nsoption_charp(ca_bundle), "")) { LOG(("ca_bundle: '%s'", nsoption_charp(ca_bundle))); I took this code[3] as example, and I think it's a useful reference for other features like passing a passphrase to read an encrypted private key. I do not know enough of netsurf to dig in and provide a comprehensive patch with UI support for it, but I think a nice first step would be to have this work hackishly via the environment, as it would turn the support from "impossible" to "possible if you follow these steps". With the attached patch, if I run: ./nsgtk https://contributors.debian.org then I can browse unauthenticated, and if I run: NETSURF_CLIENT_CERT_CRT=enrico.crt NETSURF_CLIENT_CERT_KEY=enrico.key ./nsgtk https://contributors.debian.org then the site recognises me, and I explode with delight. Thanks! Enrico [1] https://wiki.debian.org/DebianSingleSignOn [2] https://sso.debian.org/spkac/enroll_manually [3] http://curl.haxx.se/libcurl/c/simplessl.html -- System Information: Debian Release: stretch/sid APT prefers testing APT policy: (500, 'testing') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages netsurf depends on: ii netsurf-gtk 3.2+dfsg-2.2 netsurf recommends no packages. netsurf suggests no packages. -- no debconf informationdiff -Naur netsurf-3.2+dfsg/netsurf/content/fetchers/curl.c netsurf-3.2+dfsg-enrico/netsurf/content/fetchers/curl.c --- netsurf-3.2+dfsg/netsurf/content/fetchers/curl.c 2014-08-28 21:08:04.000000000 +0200 +++ netsurf-3.2+dfsg-enrico/netsurf/content/fetchers/curl.c 2015-09-02 10:43:40.000000000 +0200 @@ -233,6 +233,18 @@ SETOPT(CURLOPT_NOSIGNAL, 1L); SETOPT(CURLOPT_CONNECTTIMEOUT, 30L); + /* Use client certificates if the user asks for it in the environment */ + { + const char* client_cert_crt = getenv("NETSURF_CLIENT_CERT_CRT"); + const char* client_cert_key = getenv("NETSURF_CLIENT_CERT_KEY"); + if (client_cert_crt && client_cert_key) + { + SETOPT(CURLOPT_SSLCERTTYPE, "PEM"); + SETOPT(CURLOPT_SSLCERT, client_cert_crt); + SETOPT(CURLOPT_SSLKEY, client_cert_key); + } + } + if (nsoption_charp(ca_bundle) && strcmp(nsoption_charp(ca_bundle), "")) { LOG(("ca_bundle: '%s'", nsoption_charp(ca_bundle)));
--- End Message ---
--- Begin Message ---Hello, Debian client certificates are going away, so I guess this bug can be closed: https://lists.debian.org/debian-devel-announce/2022/11/msg00000.html Thanks, Enrico -- GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <[email protected]>
--- End Message ---

