starred/mumble-mumble-voip
1
0
Fork 0
mirror of https://github.com/mumble-voip/mumble.git synced 2026-03-03 00:46:56 -05:00
Code Issues 459 Projects Packages Wiki Activity

Registration: handle certificates without Client Auth in EKU #130

New issue
Open
opened 2026-02-20 19:14:41 -05:00 by deekerman · 0 comments
deekerman commented 2026-02-20 19:14:41 -05:00
Owner
Copy link

Originally created by @mkrautz on GitHub (Dec 15, 2013).

When a server registers with the Mumble public server list's master server, the server uses its certificate as a client certificate.

Some certificates, such as StartCom's Class 1 Server Certificates (the free ones), do not have Client Authentication set in their Extended Key usage.

This causes the registration TLS handshake to fail. The registration server is a Perl script sitting behind mod_perl, so the entity responsible for the handshake is Apache.

Modifying Apache to fit our use-case seems to be a big maintenance burden.

Perhaps we should detect whether the Client Auth EKU is present in the server's certificate, and if that's the case, we could generate an ephemeral "container" X.509 certificate, containing the server's real certificate chain in extension (or similar mechansim).

This certficiate would be generated each time a registration happens.

Suggestions welcomed.

Originally created by @mkrautz on GitHub (Dec 15, 2013). When a server registers with the Mumble public server list's master server, the server uses its certificate as a client certificate. Some certificates, such as StartCom's Class 1 Server Certificates (the free ones), do not have Client Authentication set in their Extended Key usage. This causes the registration TLS handshake to fail. The registration server is a Perl script sitting behind mod_perl, so the entity responsible for the handshake is Apache. Modifying Apache to fit our use-case seems to be a big maintenance burden. Perhaps we should detect whether the Client Auth EKU is present in the server's certificate, and if that's the case, we could generate an ephemeral "container" X.509 certificate, containing the server's real certificate chain in extension (or similar mechansim). This certficiate would be generated each time a registration happens. Suggestions welcomed.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
master
weblate-translation-update
1.6.x
1.5.x
backport/1.5.x/pr-7080
backport/1.5.x/pr-6875
backport/1.5.x/pr-6879
backport/1.5.x/pr-6859
test-ci-win-fail
backport/1.5.x/pr-6789
backport/1.5.x/pr-6841
backport/1.5.x/pr-6832
backport/1.5.x/pr-6825
backport/1.5.x/pr-6809
backport/1.5.x/pr-6790
backport/1.5.x/pr-6777
backport/1.5.x/pr-6747
backport/1.5.x/pr-6775
backport/1.5.x/pr-6748
backport/1.5.x/pr-6769
backport/1.5.x/pr-6750
backport/1.5.x/pr-6744
backport/1.5.x/pr-6742
backport/1.5.x/pr-6728
backport/1.5.x/pr-6723
backport/1.5.x/pr-6700
backport/1.5.x/pr-6702
backport/1.5.x/pr-6703
backport/1.5.x/pr-6694
appveyor-fxc-dll-symbol-workaround
1.4.x
v1.6.870
v1.5.857
v1.5.735
v1.5.634
v1.5.629
v1.5.613
v1.5.517
v1.4.287
v1.4.274
v1.4.230
1.4.0-release-candidate-01
1.4.0-development-snapshot-006
1.4.0-development-snapshot-005
1.4.0-development-snapshot-004
1.4.0-development-snapshot-003
1.4.0-development-snapshot-002
1.3.4
1.4.0-development-snapshot-001
1.3.3
1.3.2
1.3.1
1.3.1-rc1
1.3.0
1.3.0-rc2
1.3.0-rc1
1.2.20
1.2.19
1.2.18
1.2.17
1.2.16
1.2.15
1.2.14
1.2.13
1.2.12
1.2.11
1.2.10
1.2.9
1.2.8
1.2.7
1.2.6
1.2.5
1.2.4
1.2.4-rc1
1.2.4-beta1
1.2.3
1.2.3-rc3
1.2.3-rc2
1.2.3-rc1
1.2.2
1.2.1
1.2.0
1.2.0beta2
1.2.0beta1
1.1.8
Labels
Clear labels   
GlobalShortcuts

   
Hacktoberfest

   
accessibility

   
acl

   
asio

   
audio

   
bonjour

   
bsd

   
bug

   
build

   
certificate

   
ci

   
client

   
code

   
documentation

   
external-bug

   
feature-request

   
gRPC

   
github

   
good first issue

   
help wanted

   
help-needed

   
ice

   
installer

   
linux

   
macOS

   
needs-ckeck-with-latest-version

   
needs-more-input

   
overlay

   
positional audio

   
priority/P0 - Blocker

   
priority/P1 - Critical

   
priority/P2 - Important

   
priority/P3 - Somewhat important

   
priority/P4 - Low

   
public-server-registration

   
qt

   
recording

   
release-management

   
server

   
stale-no-response

   
stale-support

   
support

   
task

   
test

   
theme

   
translation

   
triage

   
ui

   
windows

   
wontfix

   
x64
No labels
GlobalShortcuts
Hacktoberfest
accessibility
acl
asio
audio
bonjour
bsd
bug
build
certificate
ci
client
code
documentation
external-bug
feature-request
gRPC
github
good first issue
help wanted
help-needed
ice
installer
linux
macOS
needs-ckeck-with-latest-version
needs-more-input
overlay
positional audio
priority/P0 - Blocker
priority/P1 - Critical
priority/P2 - Important
priority/P3 - Somewhat important
priority/P4 - Low
public-server-registration
qt
recording
release-management
server
stale-no-response
stale-support
support
task
test
theme
translation
triage
ui
windows
wontfix
x64
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/mumble-mumble-voip#130
No description provided.