[Mod_nss-list] Problem 2

Rob Crittenden rcritten at redhat.com
Tue May 10 19:15:39 UTC 2011


Jennings, Jared L CTR USAF AFMC 46 SK/CCI wrote:
>> I agree that the code looking for / is a bug. mod_nss is a derivation
>> from the mod_ssl code, this must be a piece I missed when implementing
>> this originally. I'll take a look.
>
> If you're going to detect spoof attempts solely by the username (and
> that's all you have in this function), there needs to be some way of
> separating a username that looks FakeBasicAuthed from a username that
> doesn't look that way, quickly, easily, and without messing with it too
> much (any smart processing you do may have a flaw, which adversarial
> users could try to exploit).
>
> So it's true that the / is an unintended holdover from mod_ssl -- but
> it's also true that / is generally a weird character to start a
> manually-typeable user name with, and that checking the first character
> of the username is one of the simplest, dumbest things you can do.
>
> All told, I've come around to thinking it's a good idea to make mod_nss
> FakeBasicAuth usernames start with /, and to check for that when
> spoof-checking - you just need to have the whole DN after the slash, not
> only the CN, because otherwise two certs from different issuers but
> having the same CN would lead to the same username, leading to
> unintended consequences in the authorization stage.

I've come to the same conclusion. sslconn->client_dn seems to only be 
used for this purpose so I can do what I wish with it. Sticking in an 
extra character won't hurt anything.

regards

rob
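
The two points agreed in this thread, as an added example that is not mod_nss code or part of the original messages: refuse a typed-in username whose first character is /, and build the certificate-derived username from the whole DN rather than the CN alone. The function names, the comma-separated DN string format and the sample DNs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample subject DNs: same CN, different organisations. */
static const char *DN_A = "CN=jsmith,O=Example Org A,C=US";
static const char *DN_B = "CN=jsmith,O=Example Org B,C=US";

/* Spoof check on a typed-in Basic auth username: first byte only. */
int looks_fake_basic_auth(const char *user)
{
    return user != NULL && user[0] == '/';
}

/* Certificate-derived username: '/' followed by the whole DN.
 * Returns 0 on success, -1 on missing input or truncation. */
int make_dn_user(const char *dn, char *out, size_t outlen)
{
    int n;
    if (dn == NULL || out == NULL || outlen == 0) return -1;
    n = snprintf(out, outlen, "/%s", dn);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* CN-only variant, present only to show the collision. Naive parse that
 * assumes the DN string begins with "CN=" (hypothetical format). */
int make_cn_user(const char *dn, char *out, size_t outlen)
{
    int n;
    if (dn == NULL || out == NULL || strncmp(dn, "CN=", 3) != 0) return -1;
    n = snprintf(out, outlen, "/%.*s", (int)strcspn(dn + 3, ","), dn + 3);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* 1 if both DNs map to the same username under build, 0 if not, -1 on error. */
int users_collide(int (*build)(const char *, char *, size_t),
                  const char *a, const char *b)
{
    char ua[256], ub[256];
    if (build(a, ua, sizeof ua) != 0 || build(b, ub, sizeof ub) != 0) return -1;
    return strcmp(ua, ub) == 0;
}

int main(void)
{
    printf("CN-only collide: %d\n", users_collide(make_cn_user, DN_A, DN_B));
    printf("full-DN collide: %d\n", users_collide(make_dn_user, DN_A, DN_B));
    return 0;
}
```

With the CN-only builder both sample certificates map to /jsmith, so an authorization rule written for one matches the other; with the whole DN after the slash they stay distinct.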



