From ae7ca3db3983321c0ada8416cc19f17190802f38 Mon Sep 17 00:00:00 2001
From: nytpu
Date: Wed, 10 Feb 2021 18:14:41 -0700
Subject: Send client certificate hash for CGI scripts.

Set SSL_VERIFY_PEER to request a client certificate from the server, when available. Have to shim the certificate verification function or else it will fail on self-signed client certs. In serve_cgi retrieve client certificate, create a fingerprint, and set proper environment variables. It's pretty barebones, it doesn't parse the certificate to give any other useful info like the common name, but it's acceptable IMO. For most CGI uses the fingerprint is the only thing that is needed anyways.
---
 src/tls.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'src/tls.c')

diff --git a/src/tls.c b/src/tls.c
index 26785a0..284cbef 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -14,6 +14,14 @@
 #include "tls.h"
 #include "util.h"
 
+static int
+always_true_callback(X509_STORE_CTX *ctx, void *arg)
+{
+	(void)(ctx);
+	(void)(arg);
+	return 1;
+}
+
 static int
 tls_host_gencert(struct gmnisrv_tls *tlsconf, struct gmnisrv_host *host,
 	const char *crtpath, const char *keypath)
@@ -185,6 +193,9 @@ tls_init(struct gmnisrv_config *conf)
 	assert(r == 1);
 	SSL_CTX_set_tlsext_servername_callback(conf->tls.ssl_ctx, NULL);
 
+	SSL_CTX_set_verify(conf->tls.ssl_ctx, SSL_VERIFY_PEER, NULL);
+	// use always_true_callback to ignore errors such as self-signed error
+	SSL_CTX_set_cert_verify_callback(conf->tls.ssl_ctx, always_true_callback, NULL);
 
 	// TLS re-negotiation is a fucking STUPID idea
 	// I'm gating this behind an #ifdef based on an optimistic assumption
-- 
cgit v1.2.3
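Review bot: always_true_callback replaces OpenSSL's whole chain-verification step, so nothing about the presented client certificate is checked — not only the self-signed issuer, but also the certificate's own signature, validity period and key usage — and after the handshake SSL_get_verify_result() will report success for any of them, which no later code can distinguish from a real pass. The function has no comment saying so; I would add `/* Accept every client certificate unverified: Gemini clients use self-signed certs, so the only identity this server can act on is the fingerprint taken in serve_cgi, never the subject fields. */` above it. If the project wants to keep the signature and expiry checks while still tolerating self-signed certs, the narrower tool is a per-certificate verify_callback passed as the third argument of SSL_CTX_set_verify (the second hunk passes NULL), which can return 1 only when X509_STORE_CTX_get_error() reports the self-signed error and let every other error fail as usual. Nothing else in this hunk needs changing.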
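Review bot: The comment `// use always_true_callback to ignore errors such as self-signed error` understates what the next line does; SSL_CTX_set_cert_verify_callback bypasses verification entirely, and SSL_VERIFY_PEER without SSL_VERIFY_FAIL_IF_NO_PEER_CERT also means the handshake succeeds when the client sends no certificate at all. I would replace it with `// Request (but do not require) a client cert and skip verification entirely; Gemini client certs are self-signed, and serve_cgi must treat a missing peer cert as the normal case` so a reader of tls_init knows both that the cert is optional and that its presence proves nothing beyond possession of the key. The enclosing tls_init body starts and ends outside the hunk, and the serve_cgi side the commit message describes is not in this diff, so whether the NULL-certificate case is handled there cannot be checked here.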