| commit | fb87ae860481cd2ab3da9451faaaf7987ae8a645 | |
| author | Glenn Strauss <gstrauss@gluelogic.com> | |
| Sun, 21 May 2017 04:26:10 +0000 (21 00:26 -0400) | ||
| committer | Glenn Strauss <gstrauss@gluelogic.com> | |
| Sun, 21 May 2017 04:32:52 +0000 (21 00:32 -0400) | ||
| tree | 270065e21c3141f33003a48a5784a510a7c164ad | treesnapshot (tar.gz zip) |
| parent | e29f7d57389f687b9e22399252ad398b5d7316de | commitdiff |
[mod_openssl] safer_X509_NAME_oneline() (fixes #2693)
provide a safer X590_NAME_oneline() with return value semantics similar
to those of snprintf() and use safer_X509_NAME_oneline() to set
SSL_CLIENT_S_DN when client cert is validated.
The manpage for X509_NAME_oneline() says:
The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.
Besides X509_NAME_oneline() function being deprecated, until fairly recently, there was a security issue with the function, too.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
github: closes #63, closes #83
x-ref:
"support SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN"
https://redmine.lighttpd.net/issues/2693
https://github.com/lighttpd/lighttpd1.4/pull/63
https://github.com/lighttpd/lighttpd1.4/pull/83
provide a safer X590_NAME_oneline() with return value semantics similar
to those of snprintf() and use safer_X509_NAME_oneline() to set
SSL_CLIENT_S_DN when client cert is validated.
The manpage for X509_NAME_oneline() says:
The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.
Besides X509_NAME_oneline() function being deprecated, until fairly recently, there was a security issue with the function, too.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176
The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.
github: closes #63, closes #83
x-ref:
"support SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN"
https://redmine.lighttpd.net/issues/2693
https://github.com/lighttpd/lighttpd1.4/pull/63
https://github.com/lighttpd/lighttpd1.4/pull/83
| src/mod_openssl.c | diffblobblamehistory |