Your message dated Sat, 12 Nov 2022 11:16:27 +0100
with message-id <[email protected]>
and subject line Request no longer relevant
has caused the Debian Bug report #797747,
regarding Please implement client certificate support
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
797747: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=797747
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: netsurf
Version: 3.2+dfsg-2.2
Severity: wishlist
Tags: patch

Hello,

I tried out netsurf to see if and how it could access Debian sites using
client cert authentication[1]. As it is it does not work, but with this
three line change, and certificate files stored locally on disk, I can
successfully access the site authenticated as myself:

--- netsurf-3.2+dfsg/netsurf/content/fetchers/curl.c    2014-08-28 
21:08:04.000000000 +0200
+++ netsurf-3.2+dfsg-enrico/netsurf/content/fetchers/curl.c     2015-09-02 
10:37:08.000000000 +0200
@@ -233,6 +233,10 @@
        SETOPT(CURLOPT_NOSIGNAL, 1L);
        SETOPT(CURLOPT_CONNECTTIMEOUT, 30L);
 
+       SETOPT(CURLOPT_SSLCERTTYPE, "PEM");
+       SETOPT(CURLOPT_SSLCERT, "enrico.crt");
+       SETOPT(CURLOPT_SSLKEY, "enrico.key");
+
        if (nsoption_charp(ca_bundle) && 
            strcmp(nsoption_charp(ca_bundle), "")) {
                LOG(("ca_bundle: '%s'", nsoption_charp(ca_bundle)));

I took this code[3] as example, and I think it's a useful reference for
other features like passing a passphrase to read an encrypted private
key.

I do not know enough of netsurf to dig in and provide a comprehensive
patch with UI support for it, but I think a nice first step would be to
have this work hackishly via the environment, as it would turn the
support from "impossible" to "possible if you follow these steps".

With the attached patch, if I run:

   ./nsgtk https://contributors.debian.org

then I can browse unauthenticated, and if I run:

   NETSURF_CLIENT_CERT_CRT=enrico.crt NETSURF_CLIENT_CERT_KEY=enrico.key 
./nsgtk https://contributors.debian.org

then the site recognises me, and I explode with delight.


Thanks!

Enrico



[1] https://wiki.debian.org/DebianSingleSignOn
[2] https://sso.debian.org/spkac/enroll_manually
[3] http://curl.haxx.se/libcurl/c/simplessl.html

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages netsurf depends on:
ii  netsurf-gtk  3.2+dfsg-2.2

netsurf recommends no packages.

netsurf suggests no packages.

-- no debconf information
diff -Naur netsurf-3.2+dfsg/netsurf/content/fetchers/curl.c netsurf-3.2+dfsg-enrico/netsurf/content/fetchers/curl.c
--- netsurf-3.2+dfsg/netsurf/content/fetchers/curl.c	2014-08-28 21:08:04.000000000 +0200
+++ netsurf-3.2+dfsg-enrico/netsurf/content/fetchers/curl.c	2015-09-02 10:43:40.000000000 +0200
@@ -233,6 +233,18 @@
 	SETOPT(CURLOPT_NOSIGNAL, 1L);
 	SETOPT(CURLOPT_CONNECTTIMEOUT, 30L);
 
+    /* Use client certificates if the user asks for it in the environment */
+    {
+        const char* client_cert_crt = getenv("NETSURF_CLIENT_CERT_CRT");
+        const char* client_cert_key = getenv("NETSURF_CLIENT_CERT_KEY");
+        if (client_cert_crt && client_cert_key)
+        {
+            SETOPT(CURLOPT_SSLCERTTYPE, "PEM");
+            SETOPT(CURLOPT_SSLCERT, client_cert_crt);
+            SETOPT(CURLOPT_SSLKEY, client_cert_key);
+        }
+    }
+
 	if (nsoption_charp(ca_bundle) && 
 	    strcmp(nsoption_charp(ca_bundle), "")) {
 		LOG(("ca_bundle: '%s'", nsoption_charp(ca_bundle)));

--- End Message ---
--- Begin Message ---
Hello,

Debian client certificates are going away, so I guess this bug can be
closed: https://lists.debian.org/debian-devel-announce/2022/11/msg00000.html


Thanks,

Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <[email protected]>

--- End Message ---

Reply via email to