Debian Bug report logs - #797747
Please implement client certificate support

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Enrico Zini <enrico@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Please implement client certificate support

Date: Wed, 02 Sep 2015 10:49:18 +0200

[Message part 1 (text/plain, inline)]

Package: netsurf
Version: 3.2+dfsg-2.2
Severity: wishlist
Tags: patch

Hello,

I tried out netsurf to see if and how it could access Debian sites using
client cert authentication[1]. As it is it does not work, but with this
three line change, and certificate files stored locally on disk, I can
successfully access the site authenticated as myself:

--- netsurf-3.2+dfsg/netsurf/content/fetchers/curl.c    2014-08-28 21:08:04.000000000 +0200
+++ netsurf-3.2+dfsg-enrico/netsurf/content/fetchers/curl.c     2015-09-02 10:37:08.000000000 +0200
@@ -233,6 +233,10 @@
        SETOPT(CURLOPT_NOSIGNAL, 1L);
        SETOPT(CURLOPT_CONNECTTIMEOUT, 30L);
 
+       SETOPT(CURLOPT_SSLCERTTYPE, "PEM");
+       SETOPT(CURLOPT_SSLCERT, "enrico.crt");
+       SETOPT(CURLOPT_SSLKEY, "enrico.key");
+
        if (nsoption_charp(ca_bundle) && 
            strcmp(nsoption_charp(ca_bundle), "")) {
                LOG(("ca_bundle: '%s'", nsoption_charp(ca_bundle)));

I took this code[3] as example, and I think it's a useful reference for
other features like passing a passphrase to read an encrypted private
key.

I do not know enough of netsurf to dig in and provide a comprehensive
patch with UI support for it, but I think a nice first step would be to
have this work hackishly via the environment, as it would turn the
support from "impossible" to "possible if you follow these steps".

With the attached patch, if I run:

   ./nsgtk https://contributors.debian.org

then I can browse unauthenticated, and if I run:

   NETSURF_CLIENT_CERT_CRT=enrico.crt NETSURF_CLIENT_CERT_KEY=enrico.key ./nsgtk https://contributors.debian.org

then the site recognises me, and I explode with delight.


Thanks!

Enrico



[1] https://wiki.debian.org/DebianSingleSignOn
[2] https://sso.debian.org/spkac/enroll_manually
[3] http://curl.haxx.se/libcurl/c/simplessl.html

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages netsurf depends on:
ii  netsurf-gtk  3.2+dfsg-2.2

netsurf recommends no packages.

netsurf suggests no packages.

-- no debconf information

[netsurf-client-certs.patch (text/x-diff, attachment)]

Message #10 received at 797747-done@bugs.debian.org (full text, mbox, reply):

From: Enrico Zini <enrico@enricozini.org>

To: 797747-done@bugs.debian.org

Subject: Request no longer relevant

Date: Sat, 12 Nov 2022 11:16:27 +0100

Hello,

Debian client certificates are going away, so I guess this bug can be
closed: https://lists.debian.org/debian-devel-announce/2022/11/msg00000.html


Thanks,

Enrico

-- 
GPG key: 4096R/634F4BD1E7AD5568 2009-05-08 Enrico Zini <enrico@enricozini.org>

Send a report that this bug log contains spam.