libmicrohttpd

Re: [libmicrohttpd] problem in client certificate authentication example


From: Christian Grothoff
Subject: Re: [libmicrohttpd] problem in client certificate authentication example?
Date: Tue, 2 Mar 2021 16:21:51 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.12.0

Thanks, I've fixed the documentation in Git already. -Christian

On 3/2/21 3:42 PM, folkert wrote:
> Hi,
> 
> (I've sent an e-mail about this possible problem to the maintainer
> as well)
> 
> https://www.gnu.org/software/libmicrohttpd/tutorial.html#Adding-a-layer-of-security
> shows an example for performing client certificate authentication.
> 
> The function get_client_certificate invokes
> gnutls_certificate_verify_peers2 to verify the validity of the
> certificate.
> That gnutls_certificate_verify_peers2 function returns a result code but
> also a status code. According to
> https://www.gnutls.org/manual/html_node/Core-TLS-API.html the result
> code only tells you whether the evaluation itself went well, not whether the
> certificate is valid. For that second part, one would need to evaluate
> the second parameter ("unsigned int * status"), which contains the status
> of the certificate; see
> https://www.gnu.org/software/gnutls/reference/gnutls-gnutls.html#gnutls-certificate-status-t
> So the certificate should only be used if that status (client_cert_status
> in the example) is 0.
> 
> In my opinion the example should be changed to verify that status, as
> people may use the example "as is", potentially implementing
> security problems in software using it.
> 
> Hopefully I'm wrong in my analysis!
> 
> 
> Regards,
> 
> Folkert van Heusden
> 

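The two-level check folkert describes, as an added example that is not code from the libmicrohttpd tutorial or from either author. The verify call is reached through a function pointer (an assumption of this example, so the decision logic runs without a live TLS session); in real code you would pass gnutls_certificate_verify_peers2 itself and the gnutls_session_t, and the three fake_verify_* functions are constructed stand-ins for its possible outcomes.

```c
#include <stdio.h>

/* Same shape as gnutls_certificate_verify_peers2(session, &status).
 * Assumption of this example: in production, pass the real gnutls function
 * here and the session as the first argument. */
typedef int (*verify_peers_fn)(void *session, unsigned int *status);

enum cert_decision {
    CERT_ACCEPT = 0,        /* evaluation ran and found no problem */
    CERT_VERIFY_FAILED = 1, /* the evaluation itself did not complete */
    CERT_INVALID = 2        /* evaluation completed, certificate rejected */
};

/* Accept only when BOTH the return code is 0 (the check could be performed)
 * AND the status mask is 0 (no GNUTLS_CERT_* problem flag was set). */
enum cert_decision check_client_cert(verify_peers_fn verify, void *session)
{
    unsigned int status = 0;
    int rc = verify(session, &status);
    if (rc != 0) {
        /* e.g. no peer certificate at all: status carries no meaning here */
        return CERT_VERIFY_FAILED;
    }
    if (status != 0) {
        /* The case a return-code-only check lets through: the evaluation
         * succeeded and reported the certificate as expired, revoked,
         * signed by an unknown CA, etc. */
        return CERT_INVALID;
    }
    return CERT_ACCEPT;
}

/* Constructed stand-ins for the three outcomes of the real call. */
int fake_verify_error(void *s, unsigned int *st)   { (void)s; *st = 0;   return -1; }
int fake_verify_invalid(void *s, unsigned int *st) { (void)s; *st = 0x2; return 0; } /* rc ok, status set (constructed mask) */
int fake_verify_ok(void *s, unsigned int *st)      { (void)s; *st = 0;   return 0; }

int main(void)
{
    printf("error:   %d\n", check_client_cert(fake_verify_error, NULL));   /* 1 */
    printf("invalid: %d\n", check_client_cert(fake_verify_invalid, NULL)); /* 2 */
    printf("ok:      %d\n", check_client_cert(fake_verify_ok, NULL));      /* 0 */
    return 0;
}
```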