Package: netsurf
Version: 3.2+dfsg-2.2
Severity: wishlist
Tags: patch
Hello,
I tried out netsurf to see if and how it could access Debian sites using
client cert authentication[1]. As it is, it does not work, but with this
three-line change, and certificate files stored locally on disk, I can
successfully access the site authenticated as myself:
--- netsurf-3.2+dfsg/netsurf/content/fetchers/curl.c 2014-08-28
21:08:04.000000000 +0200
+++ netsurf-3.2+dfsg-enrico/netsurf/content/fetchers/curl.c 2015-09-02
10:37:08.000000000 +0200
@@ -233,6 +233,10 @@
SETOPT(CURLOPT_NOSIGNAL, 1L);
SETOPT(CURLOPT_CONNECTTIMEOUT, 30L);
+ SETOPT(CURLOPT_SSLCERTTYPE, "PEM");
+ SETOPT(CURLOPT_SSLCERT, "enrico.crt");
+ SETOPT(CURLOPT_SSLKEY, "enrico.key");
+
if (nsoption_charp(ca_bundle) &&
strcmp(nsoption_charp(ca_bundle), "")) {
LOG(("ca_bundle: '%s'", nsoption_charp(ca_bundle)));
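Review bot: the three added SETOPT lines hard-code "enrico.crt" and "enrico.key" as relative paths and set them unconditionally, so they resolve against whatever directory nsgtk is started from, and when the files are missing libcurl reports a certificate problem for the TLS transfer instead of continuing unauthenticated. That is fine for a proof of concept, but a version meant to be applied should take the paths from configuration (for example an nsoption handled like the ca_bundle one in the context lines below) and set the options only when a path is actually provided.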
I took this code[3] as an example, and I think it's a useful reference for
other features like passing a passphrase to read an encrypted private
key.
I do not know enough of netsurf to dig in and provide a comprehensive
patch with UI support for it, but I think a nice first step would be to
have this work hackishly via the environment, as it would turn the
support from "impossible" to "possible if you follow these steps".
With the attached patch, if I run:
./nsgtk https://contributors.debian.org
then I can browse unauthenticated, and if I run:
NETSURF_CLIENT_CERT_CRT=enrico.crt NETSURF_CLIENT_CERT_KEY=enrico.key ./nsgtk https://contributors.debian.org
then the site recognises me, and I explode with delight.
Thanks!
Enrico
[1] https://wiki.debian.org/DebianSingleSignOn
[2] https://sso.debian.org/spkac/enroll_manually
[3] http://curl.haxx.se/libcurl/c/simplessl.html
-- System Information:
Debian Release: stretch/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages netsurf depends on:
ii netsurf-gtk 3.2+dfsg-2.2
netsurf recommends no packages.
netsurf suggests no packages.
-- no debconf information
diff -Naur netsurf-3.2+dfsg/netsurf/content/fetchers/curl.c netsurf-3.2+dfsg-enrico/netsurf/content/fetchers/curl.c
--- netsurf-3.2+dfsg/netsurf/content/fetchers/curl.c 2014-08-28 21:08:04.000000000 +0200
+++ netsurf-3.2+dfsg-enrico/netsurf/content/fetchers/curl.c 2015-09-02 10:43:40.000000000 +0200
@@ -233,6 +233,18 @@
SETOPT(CURLOPT_NOSIGNAL, 1L);
SETOPT(CURLOPT_CONNECTTIMEOUT, 30L);
+ /* Use client certificates if the user asks for it in the environment */
+ {
+ const char* client_cert_crt = getenv("NETSURF_CLIENT_CERT_CRT");
+ const char* client_cert_key = getenv("NETSURF_CLIENT_CERT_KEY");
+ if (client_cert_crt && client_cert_key)
+ {
+ SETOPT(CURLOPT_SSLCERTTYPE, "PEM");
+ SETOPT(CURLOPT_SSLCERT, client_cert_crt);
+ SETOPT(CURLOPT_SSLKEY, client_cert_key);
+ }
+ }
+
if (nsoption_charp(ca_bundle) &&
strcmp(nsoption_charp(ca_bundle), "")) {
LOG(("ca_bundle: '%s'", nsoption_charp(ca_bundle)));
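Review bot: the new block sets the certificate whenever the two variables are present, with no check of the destination host, so any TLS server that requests a client certificate during the session is offered one that identifies the user, not only the Debian SSO sites. Consider limiting it to a configured host list, or at least stating that scope where the variables are documented. In the "if (client_cert_crt && client_cert_key)" test, an empty value passes (the ca_bundle check in the context lines also compares against ""), a variable set on its own is silently ignored, and nothing is logged the way ca_bundle is, which makes a misconfiguration hard to diagnose. Please also confirm that <stdlib.h> is included for getenv, since the hunk does not show the includes.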