Re: [PATCH] Mail: added support for SSL client certificate

Christian Felsing, April 27, 2014 09:06AM
Hi,

On 27.04.2014 12:53, Filipe Da Silva wrote:
> I'm not sure about this, as this buffer already has an oversized allocation:

...I hope so...

> Same about the certificate subject.
> C strings are zero terminated, whatever they contain: UTF-8 or not.

If all used libraries do so, this should be ok.

> Please try this patch:
> It will directly check whether there is any buffer overflow.

I will try that, but reproduction is difficult; I sometimes got that
Signal 11 with Thunderbird as client and Dovecot 2.1.12 as IMAP backend,
where Nginx talks to Dovecot via port 143.

Could the Perl auth script be able to generate such effects?

best regards
Christian

--- My Nginx:
nginx-1.7.0 built on Debian 7.4 - 64 bit (latest updates)

../configure --with-file-aio --with-ipv6
--with-openssl=../openssl-1.0.1g --with-openssl-opt="fips shared -g
-march=native -DOPENSSL_NO_HEARTBEATS" --with-mail
--with-mail_ssl_module --with-http_ssl_module
--http-log-path=/var/log/nginx/access.log
--error-log-path=/var/log/nginx/error.log
--pid-path=/var/run/nginx/nginx.pid
--lock-path=/var/lock/nginx/nginx.lock --with-http_perl_module

Perl script for auth (/usr/local/nginx/perl/lib/mailauth.pm):

package mailauth;

# from
# http://wiki.nginx.org/ImapAuthenticateWithEmbeddedPerlScript

use strict;
use warnings;

use nginx;

my $DEBUG = 1;

our $auth_ok;
our $mail_server_ip = {};
our $protocol_ports = {};
$mail_server_ip->{'mailhost01'} = "192.168.42.1";
$protocol_ports->{'pop3'}       = 110;
$protocol_ports->{'imap'}       = 143;

sub handler {
    my $r = shift;

    # security depends only on Nginx certificate verification
    # configuration. You may add additional verification here.
    # If Nginx comes to here, it already verified users
    # client certificate.
    # YOU MUST SET ssl_verify_client on; OTHERWISE WHOLE
    # WORLD CAN ACCESS ALL YOUR MAILS.
    #
    # Auth-Subject-DN is expected to carry the certificate subject in
    # OpenSSL's one-line form ("/C=../O=../emailAddress=.."), so it is
    # split on "/" and scanned for the emailAddress component. A missing
    # header is treated like an empty subject.
    my @subject = split(/\//, $r->header_in("Auth-Subject-DN") // "");

    my $emailAddress = undef;
    foreach (@subject) {
        if ($_ =~ /^emailAddress=(\S+)/) { $emailAddress = $1; }
    }
    # Care about broken client certs
    if (!defined($emailAddress)) { return DECLINED; }

    # Protocol requested by the client (pop3 or imap), as told by Nginx
    my $protocol = $r->header_in("Auth-Protocol") // "";

    $auth_ok = 1;    # Think twice about your Nginx config
    if ($auth_ok == 1) {
        $r->header_out("Auth-Status", "OK");
        $r->header_out("Auth-Server", $mail_server_ip->{'mailhost01'});
        $r->header_out("Auth-Port",   $protocol_ports->{$protocol});
        $r->header_out("Auth-User",   $emailAddress);
        $r->header_out("Auth-Pass",
            "Some arbitrary password where Dovecot does not care about");
        # Nginx: Talk to me
        if ($DEBUG) {
            $r->log_error(0, "emailAddress: $emailAddress");
            $r->log_error(0, "Auth-Server: " . $mail_server_ip->{'mailhost01'});
            $r->log_error(0, "Auth-Protocol: " . $protocol);
            $r->log_error(0, "Auth-Port: " . $protocol_ports->{$protocol});
            $r->log_error(0, "Auth-User: " . $emailAddress);
        }
    } else {
        $r->header_out("Auth-Status", "Invalid login or password");
    }

    $r->send_http_header("text/html");

    return OK;
}

1;
__END__


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel