[Openvas-devel] openvas-server 2.0.3 doesn't ever try to authenticate user with peer certificate?

Roman Imankulov roman at netangels.ru
Sat Sep 12 16:36:01 CEST 2009


As far as I can tell, the current openvas-server implementation has broken
certificate-based authentication (I've tried with version 2.0.3; it
seems that svn trunk has the same behaviour).

I suggest that openvas-server has to perform these steps while
authenticating the remote peer with the certificate:

0. Allow the GNU TLS library to perform the check of the peer certificate
1. Get the certificate distinguished name (DN) with the help
of the GNU TLS library
2. Check out the contents of the file
/var/lib/openvas/users/$username/auth/dname and compare the DN value
obtained from the peer certificate with the one stored in the file.
3. If these two values match, assume that the user $username is
successfully authenticated

But unfortunately I see that the variable x509_dname in the
`server_thread` function, once initialized with the empty string, never
ever updates its value. However, the `check_user` function
performs authentication based on the contents of x509_dname.

I've made a quick and dirty patch which fixes this behaviour (attached)
and it seems that this one works as expected for me. I want
to note however that this patch provides no error handling and I'm not
sure that this code works as expected in all cases.

Roman Imankulov
roman at netangels.ru
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dn_auth.diff
Type: text/x-patch
Size: 1353 bytes
Desc: not available
URL: <http://lists.wald.intevation.org/pipermail/openvas-devel/attachments/20090912/2c9479cc/attachment.diff>
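The following is an added example illustrating steps 2 and 3 of the procedure above (the DN comparison against /var/lib/openvas/users/$username/auth/dname). It is not openvas-server code and not the attached patch. It assumes that steps 0 and 1 have already happened, i.e. the caller has verified the peer certificate with GnuTLS and obtained its DN string (in a real server via gnutls_x509_crt_get_dn()); here the DN is simply passed in as a parameter. The directory, username and DN values in main() are constructed for the demonstration, and setup_demo_user() exists only to create the per-user file that the real server would already have.

```c
/* Added example, not openvas-server code: DN-based user authentication
 * check following the steps in the message. The peer DN is assumed to come
 * from gnutls_x509_crt_get_dn() after the certificate chain was verified. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define DN_MAX 1024

/* Strip trailing newline/carriage return/whitespace in place. */
static void rstrip(char *s) {
    size_t n = strlen(s);
    while (n > 0 && (s[n - 1] == '\n' || s[n - 1] == '\r' ||
                     s[n - 1] == ' '  || s[n - 1] == '\t'))
        s[--n] = '\0';
}

/* Step 2/3 core: compare the DN from the peer certificate with the stored
 * one. An empty DN on either side never matches. This is the failure mode
 * the message describes (x509_dname left as ""): it must yield an
 * authentication failure, never a match. Returns 1 on match, 0 otherwise. */
int dn_matches(const char *stored, const char *peer_dn) {
    char a[DN_MAX], b[DN_MAX];
    if (stored == NULL || peer_dn == NULL) return 0;
    if (strlen(stored) >= DN_MAX || strlen(peer_dn) >= DN_MAX) return 0;
    strcpy(a, stored);
    strcpy(b, peer_dn);
    rstrip(a);
    rstrip(b);
    if (a[0] == '\0' || b[0] == '\0') return 0;
    return strcmp(a, b) == 0;
}

/* Read users_dir/$username/auth/dname into buf. Returns 0 on success, -1
 * if the user is unknown, the name is unsafe, or the file is unreadable. */
static int read_stored_dn(const char *users_dir, const char *username,
                          char *buf, size_t buflen) {
    char path[4096];
    FILE *f;
    /* reject usernames that could escape the users directory */
    if (username == NULL || username[0] == '\0' ||
        strchr(username, '/') != NULL ||
        strcmp(username, ".") == 0 || strcmp(username, "..") == 0)
        return -1;
    if (snprintf(path, sizeof path, "%s/%s/auth/dname", users_dir,
                 username) >= (int)sizeof path)
        return -1;
    f = fopen(path, "r");
    if (f == NULL) return -1;
    if (fgets(buf, (int)buflen, f) == NULL) { fclose(f); return -1; }
    fclose(f);
    return 0;
}

/* Full check: 1 if peer_dn equals the DN stored for username, else 0. */
int authenticate_by_dn(const char *users_dir, const char *username,
                       const char *peer_dn) {
    char stored[DN_MAX];
    if (read_stored_dn(users_dir, username, stored, sizeof stored) != 0)
        return 0;
    return dn_matches(stored, peer_dn);
}

/* Demo helper (constructed for this example): create the per-user dname
 * file that openvas-server would normally already have in place. */
int setup_demo_user(const char *users_dir, const char *username,
                    const char *dn) {
    char path[4096];
    FILE *f;
    mkdir(users_dir, 0700);
    snprintf(path, sizeof path, "%s/%s", users_dir, username);
    mkdir(path, 0700);
    snprintf(path, sizeof path, "%s/%s/auth", users_dir, username);
    mkdir(path, 0700);
    snprintf(path, sizeof path, "%s/%s/auth/dname", users_dir, username);
    f = fopen(path, "w");
    if (f == NULL) return -1;
    fprintf(f, "%s\n", dn);  /* stored with trailing newline, as an editor would */
    fclose(f);
    return 0;
}

int main(void) {
    const char *dir = "/tmp/openvas_dn_example";      /* constructed demo dir */
    const char *dn  = "C=RU,O=Example,CN=roman";      /* constructed DN */
    if (setup_demo_user(dir, "roman", dn) != 0) { perror("setup"); return 1; }
    printf("matching DN:  %d\n", authenticate_by_dn(dir, "roman", dn));
    printf("empty DN:     %d\n", authenticate_by_dn(dir, "roman", ""));
    printf("other DN:     %d\n", authenticate_by_dn(dir, "roman", "C=RU,O=Example,CN=other"));
    printf("unknown user: %d\n", authenticate_by_dn(dir, "nobody", dn));
    return 0;
}
```

Two points worth keeping in mind when wiring this into a server: the empty-DN rejection is what turns the bug described above (x509_dname never filled in) into a visible authentication failure rather than a silent pass, and comparing DNs as strings only works when both sides were formatted by the same library, so the stored dname should be produced by the same gnutls_x509_crt_get_dn() output that the server will later compare against.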
