[stunnel-users] [Patch] Support multiple X509 client certificates with same CN

Leon Winter winter at bfw-online.de
Mon Mar 10 09:57:23 CET 2014


Hi,

currently stunnel uses the X509_STORE_get_by_subject () API call to
OpenSSL to retrieve the X509 client certificate in the cert_check ()
method (located in verify.c) to gather the client certificate from the
whitelist by the common name (CN) the client presented during the TLS
handshake. It then proceeds to compare both certificates bit by bit.
This all works rather well until the very moment you have more than one
client certificate with the same CN. The OpenSSL API call will then
return any one of the certificates with the provided CN (according to
internal logic). Other implementations using OpenSSL were aware of this
issue and introduced logic to further iterate over the remaining
certificates, retrieving any others with the same CN. See for example
the function X509_STORE_CTX_get1_issuer () and its comment:
http://www.opensource.apple.com/source/OpenSSL/OpenSSL-12/openssl/crypto/x509/x509_lu.c

I patched stunnel 4.53 and adapted the patch to upstream version 5.00 to
behave in a similar fashion and can report that with these changes stunnel
then also supports multiple client certificates sharing the same CN.
Feel free to adapt the indentation as my patches aim for minimal changed
lines.

Best regards,
Leon Winter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel4.53.diff
Type: text/x-diff
Size: 1765 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20140310/1bb1ea40/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stunnel5.00.diff
Type: text/x-diff
Size: 1723 bytes
Desc: not available
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20140310/1bb1ea40/attachment-0001.diff>