| Message ID | 20210312004842.30697-1-john@szakmeister.net (mailing list archive) |
|---|---|
| Headers | show |
| Series | http: store credential when PKI auth is used | expand |
On Thu, Mar 11, 2021 at 07:48:40PM -0500, John Szakmeister wrote: > Here's my second attempt at getting the certificate password into the credential > store. I tested from a working PKI setup and found curl--at least reasonable > recent versions of it--return CURLE_SSL_CERTPROBLEM: > > CURLE_SSL_CERTPROBLEM (58) > problem with the local client certificate. > > It appears there could be another possible error from curl: > > CURLE_SSL_CONNECT_ERROR (35) > A problem occurred somewhere in the SSL/TLS handshake. You > really want the error buffer and read the message there as it > pinpoints the problem slightly more. Could be certificates (file > formats, paths, permissions), passwords, and others. > > This seems less likely to be a bad client password scenario, so I did not look > for this particular error to reject it. > > I also added one other small patch to remove the check of a non-empty password > before calling credential_store() for proxy_auth, as credential_store() already > checks for a non-empty password and gracefully handles it when it doesn't. Thanks. Both patches look good to me. I wondered briefly if we needed to worry about old versions of curl missing CURLE_SSL_CERTPROBLEM. But it seems to have shown up in ~2002, so I think we are fine to assume it's there. It would be nice if we had some tests here, but we currently do not cover any of the ssl-cert stuff in the test suite. I suspect adding them would be a big pain to configure and maintain, so I'm OK to leave it off for now. Hopefully you gave it some basic manual testing with your working setup (good password is stored, bad password is rejected). Looking at how we generate the server-side cert for our http tests, we could _probably_ do something similar for a client-side cert, and just configure the server to accept a self-signed certificate. But like I said, I'm OK to leave that for another series (though of course if you want to work on it, that would be very much appreciated). -Peff
On Thu, Mar 11, 2021 at 8:31 PM Jeff King <peff@peff.net> wrote: [snip] > Thanks. Both patches look good to me. I wondered briefly if we needed to > worry about old versions of curl missing CURLE_SSL_CERTPROBLEM. But it > seems to have shown up in ~2002, so I think we are fine to assume it's > there. > > It would be nice if we had some tests here, but we currently do not > cover any of the ssl-cert stuff in the test suite. I suspect adding them > would be a big pain to configure and maintain, so I'm OK to leave it off > for now. Hopefully you gave it some basic manual testing with your > working setup (good password is stored, bad password is rejected). I did do some manual testing in an environment at work where they have this set up. Unfortunately, the way I went about this was not optimal. I'll work the issue differently in the future, so I don't have that kind of translation issue again. > Looking at how we generate the server-side cert for our http tests, we > could _probably_ do something similar for a client-side cert, and just > configure the server to accept a self-signed certificate. But like I > said, I'm OK to leave that for another series (though of course if you > want to work on it, that would be very much appreciated). I looked at things a little bit, but it was too much to take on right now. I could probably get something together to help make it happen. I've been down that road before, so I know it can be involved, but it would be nice to have tests. I'm not signing up just yet for that, but when a rainy weekend hits, I'll see about taking a stab at it. -John
Here's my second attempt at getting the certificate password into the credential store. I tested from a working PKI setup and found curl--at least reasonable recent versions of it--return CURLE_SSL_CERTPROBLEM: CURLE_SSL_CERTPROBLEM (58) problem with the local client certificate. It appears there could be another possible error from curl: CURLE_SSL_CONNECT_ERROR (35) A problem occurred somewhere in the SSL/TLS handshake. You really want the error buffer and read the message there as it pinpoints the problem slightly more. Could be certificates (file formats, paths, permissions), passwords, and others. This seems less likely to be a bad client password scenario, so I did not look for this particular error to reject it. I also added one other small patch to remove the check of a non-empty password before calling credential_store() for proxy_auth, as credential_store() already checks for a non-empty password and gracefully handles it when it doesn't. -John John Szakmeister (2): http: store credential when PKI auth is used http: drop the check for an empty proxy password before approving http.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-)