Debian Bug report logs - #797066
Please implement https client certificate authentication (patch included)


Package: links; Maintainer for links is Axel Beckert <abe@debian.org>; Source for links is src:links2.

Reported by: Enrico Zini <enrico@debian.org>

Date: Thu, 27 Aug 2015 14:39:02 UTC

Severity: normal

Tags: patch

Found in version links2/2.10-1

Fixed in version links2/2.10-2

Done: Axel Beckert <abe@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Axel Beckert <abe@debian.org>:
Bug#797066; Package links. (Thu, 27 Aug 2015 14:39:06 GMT)


Acknowledgement sent to Enrico Zini <enrico@debian.org>:
New Bug report received and forwarded. Copy sent to Axel Beckert <abe@debian.org>. (Thu, 27 Aug 2015 14:39:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Enrico Zini <enrico@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Please implement https client certificate authentication (patch included)
Date: Thu, 27 Aug 2015 16:35:39 +0200
Package: links
Version: 2.10-1
Severity: normal
Tags: patch

Hello,

we have implemented a new experimental single sign-on for Debian based on
client certificates:
https://lists.debian.org/debian-devel/2015/08/msg00539.html
and while evaluating its accessibility:
https://lists.debian.org/debian-accessibility/2015/08/msg00070.html
it turned out that at the moment no text-based browser supports it.

Let's fix that.

Please find attached a patch that makes links work with client
certificates.

With that patch applied, I can do:

  links2 https://contributors.debian.org
  (shows login button)

and:

  links2 -http.client_cert_key enrico.key -http.client_cert_crt enrico.crt https://contributors.debian.org
  (shows me logged in)

If you want to test it, you can go to https://sso.debian.org/spkac/enroll_manually/
to obtain a local key/crt pair for your Debian or Alioth account.


Enrico

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages links depends on:
ii  libbz2-1.0   1.0.6-8
ii  libc6        2.19-19
ii  libgpm2      1.20.4-6.1+b2
ii  liblzma5     5.1.1alpha+20120614-2.1
ii  libssl1.0.0  1.0.2d-1
ii  zlib1g       1:1.2.8.dfsg-2+b1

links recommends no packages.

links suggests no packages.

-- no debconf information
[links-client-certs.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#797066; Package links. (Thu, 27 Aug 2015 14:57:16 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. (Thu, 27 Aug 2015 14:57:16 GMT)


Message #10 received at 797066@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Enrico Zini <enrico@debian.org>, 797066@bugs.debian.org
Subject: Re: Bug#797066: Please implement https client certificate authentication (patch included)
Date: Thu, 27 Aug 2015 16:52:59 +0200
Hi Enrico,

Enrico Zini wrote:
> we have implemented a new experimental single signon for Debian based on
> client certificates:
> https://lists.debian.org/debian-devel/2015/08/msg00539.html
> and while evaluating its accessibility:
> https://lists.debian.org/debian-accessibility/2015/08/msg00070.html
> it turned out that at the moment no text-based browser supports it.
> 
> Let's fix that.

*sigh* You're working hard on removing all my arguments against
mandatory client certificate authentication, right? ;-)

> Please find attached a patch that makes links work with client
> certificates.

Thanks! I would have expected the patch to be much bigger.

> With that patch applied, I can do:
> 
>   links2 https://contributors.debian.org
>   (shows login button)
> 
> and:
> 
>   links2 -http.client_cert_key enrico.key -http.client_cert_crt enrico.crt https://contributors.debian.org
>   (shows me logged in)
> 
> If you want to test it, you can go to https://sso.debian.org/spkac/enroll_manually/
> to obtain a local key/crt pair for your Debian or Alioth account.

Thanks for the detailed instructions. Will use that to test the built
binary.

I'm concerned, though, about having obviously unencrypted client-certs +
keys lounging around on my hard disk (even with disk-encryption) which
give access to quite some Debian infrastructure.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Information forwarded to debian-bugs-dist@lists.debian.org, Axel Beckert <abe@debian.org>:
Bug#797066; Package links. (Thu, 27 Aug 2015 15:42:04 GMT)


Acknowledgement sent to Enrico Zini <enrico@debian.org>:
Extra info received and forwarded to list. Copy sent to Axel Beckert <abe@debian.org>. (Thu, 27 Aug 2015 15:42:04 GMT)


Message #15 received at 797066@bugs.debian.org:

From: Enrico Zini <enrico@debian.org>
To: Axel Beckert <abe@debian.org>
Cc: 797066@bugs.debian.org
Subject: Re: Bug#797066: Please implement https client certificate authentication (patch included)
Date: Thu, 27 Aug 2015 17:39:12 +0200
On Thu, Aug 27, 2015 at 04:52:59PM +0200, Axel Beckert wrote:

> > Please find attached a patch that makes links work with client
> > certificates.
> Thanks! I would have expected the patch to be much bigger.

Indeed, just two lines.

> I'm though concerned about having obviously unencrypted client-certs +
> keys lounging around on my hard disk (even with disk-encryption) which
> give access to quite some Debian infrastructure.

Good point: I only messed with links' code as far as I was comfortable.

In https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_use_certificate.html
it says:

  The private keys loaded from file can be encrypted. In order to
  successfully load encrypted keys, a function returning the passphrase
  must have been supplied, see SSL_CTX_set_default_passwd_cb.
  (Certificate files might be encrypted as well from the technical point
  of view, it however does not make sense as the data in the certificate
  is considered public anyway.)

It seems to be just a matter of adding a callback to the SSL_CTX in the
same getSSL function:

  https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_default_passwd_cb.html

I imagine links already has code to prompt the user for a password that
can be used by such a callback, but I don't know the code well enough to
find out.


Enrico

-- 
GPG key: 4096R/E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>
[signature.asc (application/pgp-signature, inline)]
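The approach Enrico describes above (load the certificate and key into the SSL_CTX, and register a passphrase callback so the private key can stay encrypted on disk, which also answers Axel's concern about plaintext keys), as an added example that is not part of this bug report or of the links code base. It uses Python's ssl module, whose load_cert_chain(password=...) is backed by the same OpenSSL calls (SSL_CTX_use_certificate_chain_file, SSL_CTX_use_PrivateKey_file and SSL_CTX_set_default_passwd_cb); it mints a throwaway self-signed certificate and an AES-encrypted copy of its key with the openssl command-line tool, which is assumed to be installed. The passphrase, subject name and file names are constructed sample values.

```python
"""Client-certificate identity with an encrypted private key and a passphrase callback.

Added example (not from links or the bug report): the Python ssl module calls
the `password` callable only when OpenSSL finds the key encrypted, exactly as
SSL_CTX_set_default_passwd_cb does in C, so the key never has to sit on disk
in the clear.  Assumes the `openssl` CLI is on PATH to mint test material.
"""
import os
import ssl
import subprocess
import tempfile

PASSPHRASE = "correct horse battery staple"  # constructed sample value


def make_test_material(workdir, passphrase):
    """Mint a throwaway self-signed certificate plus the same key in two forms.

    Constructed test data via the openssl CLI (an assumption of this example);
    returns (cert_path, plaintext_key_path, encrypted_key_path).
    """
    cert = os.path.join(workdir, "client.crt")
    key = os.path.join(workdir, "client.key")
    enc_key = os.path.join(workdir, "client.enc.key")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", cert, "-days", "1",
         "-subj", "/CN=example-client"],
        check=True, capture_output=True,
    )
    # Re-wrap the plaintext key under AES-256 (PKCS#8) so the file is useless
    # without the passphrase: the at-rest form a careful user wants.
    subprocess.run(
        ["openssl", "pkey", "-in", key, "-aes256",
         "-passout", "pass:" + passphrase, "-out", enc_key],
        check=True, capture_output=True,
    )
    return cert, key, enc_key


class PassphraseSource:
    """Stands in for the browser's password prompt; counts how often OpenSSL asked."""

    def __init__(self, secret):
        self.secret = secret
        self.calls = 0

    def __call__(self):
        self.calls += 1
        return self.secret


def load_client_identity(certfile, keyfile, ask_passphrase):
    """Build a client-side context carrying the certificate and private key.

    `ask_passphrase` is invoked by OpenSSL only if `keyfile` is encrypted;
    a wrong passphrase makes load_cert_chain raise ssl.SSLError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_cert_chain(certfile, keyfile, password=ask_passphrase)
    return ctx


def demo():
    """Exercise the three cases a client implementation must get right."""
    with tempfile.TemporaryDirectory() as workdir:
        cert, key, enc_key = make_test_material(workdir, PASSPHRASE)

        # 1. Plaintext key: loads, and the callback is never consulted.
        plain = PassphraseSource(PASSPHRASE)
        load_client_identity(cert, key, plain)

        # 2. Encrypted key + right passphrase: loads, callback consulted.
        good = PassphraseSource(PASSPHRASE)
        load_client_identity(cert, enc_key, good)

        # 3. Encrypted key + wrong passphrase: OpenSSL's "bad decrypt"
        #    surfaces as ssl.SSLError (an OSError subclass); nothing loads.
        bad = PassphraseSource("not the passphrase")
        try:
            load_client_identity(cert, enc_key, bad)
            wrong_rejected = False
        except OSError:
            wrong_rejected = True

    return {
        "plain_key_prompts": plain.calls,
        "encrypted_key_prompts": good.calls,
        "wrong_passphrase_rejected": wrong_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

In a browser the callable would be the existing password prompt rather than a fixed string; the point the counts make is that the prompt is only ever reached for an encrypted key, so supporting encrypted keys costs nothing for users who keep using plaintext ones.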

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#797066; Package links. (Thu, 27 Aug 2015 16:03:08 GMT)


Acknowledgement sent to Axel Beckert <abe@debian.org>:
Extra info received and forwarded to list. (Thu, 27 Aug 2015 16:03:08 GMT)


Message #20 received at 797066@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: Enrico Zini <enrico@debian.org>
Cc: 797066@bugs.debian.org
Subject: Re: Bug#797066: Please implement https client certificate authentication (patch included)
Date: Thu, 27 Aug 2015 18:00:35 +0200
Hi Enrico,

Enrico Zini wrote:
> > I'm though concerned about having obviously unencrypted client-certs +
> > keys lounging around on my hard disk (even with disk-encryption) which
> > give access to quite some Debian infrastructure.
> 
> Good point: I only messed with links' code as far as I was comfortable.

That was not meant as criticism on your patch or a request for an
extended patch. It was rather an expression of my disliking of the
idea to make client-cert authentication mandatory for some Debian
services.

> In https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_use_certificate.html
> it says:
> 
>   The private keys loaded from file can be encrypted. In order to
>   successfully load encrypted keys, a function returning the passphrase
>   must have been supplied, see SSL_CTX_set_default_passwd_cb.
>   (Certificate files might be encrypted as well from the technical point
>   of view, it however does not make sense as the data in the certificate
>   is considered public anyway.)
>
> It seems to be just a matter of adding a callback to the SSL_CTX in the
> same getSSL function:
> 
>   https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_default_passwd_cb.html
> 
> I imagine links already has code to prompt the user for a password that
> can be used by such a callback, but I don't know the code well enough to
> find out.

Me neither. I'll apply (and test) your patch and pass it and these
hints about how to load encrypted keys to upstream.

Thanks again for your effort.

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE



Added tag(s) pending. Request was from Axel Beckert <abe@debian.org> to control@bugs.debian.org. (Thu, 27 Aug 2015 20:45:12 GMT)


Reply sent to Axel Beckert <abe@debian.org>:
You have taken responsibility. (Thu, 27 Aug 2015 22:03:15 GMT)


Notification sent to Enrico Zini <enrico@debian.org>:
Bug acknowledged by developer. (Thu, 27 Aug 2015 22:03:15 GMT)


Message #27 received at 797066-close@bugs.debian.org:

From: Axel Beckert <abe@debian.org>
To: 797066-close@bugs.debian.org
Subject: Bug#797066: fixed in links2 2.10-2
Date: Thu, 27 Aug 2015 22:00:35 +0000
Source: links2
Source-Version: 2.10-2

We believe that the bug you reported is fixed in the latest version of
links2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 797066@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Axel Beckert <abe@debian.org> (supplier of updated links2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 27 Aug 2015 22:42:23 +0200
Source: links2
Binary: links2 links
Architecture: source amd64
Version: 2.10-2
Distribution: unstable
Urgency: medium
Maintainer: Axel Beckert <abe@debian.org>
Changed-By: Axel Beckert <abe@debian.org>
Description:
 links      - Web browser running in text mode
 links2     - Web browser running in both graphics and text mode
Closes: 797066
Changes:
 links2 (2.10-2) unstable; urgency=medium
 .
   * Fix typo in patch description.
   * Add patch for basic client certificate support by Enrico
     Zini. (Closes: #797066) Thanks!
Checksums-Sha1:
 35a7ba7fb0cc0b8a3db4463402955e81550a4445 2064 links2_2.10-2.dsc
 dc642d39f56bad3d5beecdb410597e77b8bdf644 13964 links2_2.10-2.debian.tar.xz
 8bf5f7f8b9599bbf7bc1d4f7a7fc53a6e157e191 2888888 links2_2.10-2_amd64.deb
 73554e6346c13fb85578f14c9e4e0402fa45ec7e 428492 links_2.10-2_amd64.deb
Checksums-Sha256:
 f4cd392a1a6e93393ba80d65f5ff7fb0880b58d639f7e8bf9cbaa88d44105f01 2064 links2_2.10-2.dsc
 2fbefdaed1864fd4e21b2dd8aed477e3954a7edd69bc16bb1cecd4ebcf16295c 13964 links2_2.10-2.debian.tar.xz
 32a18b56ff8837854ff5348af0d17444763d434d93ce7c11bec8b8152f3812ae 2888888 links2_2.10-2_amd64.deb
 e98603ed9ccb93a54a918801e4eedba33e9fd0fd31ef87c048c4a0f0932efd89 428492 links_2.10-2_amd64.deb
Files:
 cc5012925a2348deec83cbb44400a4be 2064 web optional links2_2.10-2.dsc
 989e0c70d54eca1723edcece79df6317 13964 web optional links2_2.10-2.debian.tar.xz
 bfce16138136babaf00d6bf49dbf5730 2888888 web optional links2_2.10-2_amd64.deb
 05fcd9b77e183f7739ff6d4b00447516 428492 web optional links_2.10-2_amd64.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 Sep 2015 07:31:19 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Sep 27 14:00:25 2023; Machine Name: bembo
