[Issues] [mod_gnutls 0000093]: GnuTLSClientVerify require is ignored.

Mantis Bug Tracker issues at outoforder.cc
Sat Jan 3 11:19:22 EST 2009


A NOTE has been added to this issue. 
====================================================================== 
http://issues.outoforder.cc/view.php?id=93 
====================================================================== 
Reported By:                AlainKnaff
Assigned To:                
====================================================================== 
Project:                    mod_gnutls
Issue ID:                   93
Category:                   Other
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     new
Apache Version:             2.2.8-1ubuntu0.3 
====================================================================== 
Date Submitted:             2009-01-02 10:40 EST
Last Modified:              2009-01-03 11:19 EST
====================================================================== 
Summary:                    GnuTLSClientVerify require is ignored.
Description: 
Despite having set "GnuTLSClientVerify require" in my Apache config, the
server doesn't request client certificates from the browser, but lets it
in without certificates.

How to reproduce:
-----------------
1. Add the following to SSL config, and reload apache:

        GnuTLSExportCertificates on
        GnuTLSClientCAFile /etc/apache2/ssl.crt/cacert.org-class3.crt
        <Directory /home/aknaff/public_html/gnutls>
                GnuTLSClientVerify require
        </Directory>

2. Put the following script into
/home/aknaff/public_html/gnutls/test.cgi:

#!/bin/sh
# Minimal CGI response, then dump the environment so the SSL_* variables
# exported by mod_gnutls can be inspected in the browser.
echo Content-Type: text/plain
echo
printenv

3. Visit the test.cgi page, with a browser containing no client
certificates, then with a browser which does contain some client
certificates.

What is expected:
-----------------
SSL_CLIENT_CERT should be shown.
SSL_CLIENT_VERIFY should be set to SUCCESS (if certificate present) or
access should be denied altogether (if none is present).

What happens really:
--------------------
No SSL_CLIENT_CERT shown (but SSL_SERVER_CERT does show up, proving that
the GnuTLSExportCertificates directive works).
SSL_CLIENT_VERIFY=NONE, even though this should be impossible according to
the online doc when GnuTLSClientVerify is set to "require".

====================================================================== 
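The report shows why a CGI script should not rely solely on the per-directory "GnuTLSClientVerify require" taking effect: when the module fails to populate the environment, the script cannot tell a verified client from an anonymous one. The script below is an added example, not the reporter's test.cgi and not part of mod_gnutls; it makes the CGI itself check the SSL_CLIENT_VERIFY and SSL_CLIENT_CERT variables from the report and fail closed with a 403 when they do not show a verified certificate. The "Status:" header and the GATEWAY_INTERFACE dispatch are standard CGI conventions assumed here, and the certificate string in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the bug report): a CGI guard that fails closed
# unless mod_gnutls reports a successfully verified client certificate.
# Assumes the variables exported when GnuTLSExportCertificates is on:
#   SSL_CLIENT_VERIFY  -> "SUCCESS" when the client cert verified
#   SSL_CLIENT_CERT    -> the PEM certificate (constructed value in tests)

# client_verified VERIFY CERT
# Succeeds (exit 0) only when VERIFY is exactly SUCCESS and CERT is non-empty.
# Anything else, including the "NONE" seen in the report, is treated as
# unauthenticated.
client_verified() {
    verify="$1"
    cert="$2"
    [ "$verify" = "SUCCESS" ] && [ -n "$cert" ]
}

# cgi_respond
# Reads the mod_gnutls variables from the environment and emits either a
# normal response (exit 0) or a 403 (exit 1). Defaults to NONE/empty when the
# variables are absent, so a missing export is a denial, not a pass.
cgi_respond() {
    if client_verified "${SSL_CLIENT_VERIFY:-NONE}" "${SSL_CLIENT_CERT:-}"; then
        printf 'Content-Type: text/plain\r\n\r\n'
        printf 'verified client certificate present\n'
        return 0
    fi
    printf 'Status: 403 Forbidden\r\n'
    printf 'Content-Type: text/plain\r\n\r\n'
    printf 'a verified client certificate is required\n'
    return 1
}

# Only produce a response when actually invoked by a CGI-capable server;
# sourcing or running the file by hand just defines the functions.
case "${GATEWAY_INTERFACE:-}" in
    CGI/*) cgi_respond ;;
esac
```

With the unpatched module described in this report, SSL_CLIENT_VERIFY stays NONE after the rehandshake even though the certificate was requested and verified, so this guard denies every request in the directory, including clients that did present a certificate. That is the intended trade-off: the failure becomes visible as a 403 in the access log instead of silently serving unauthenticated clients.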

---------------------------------------------------------------------- 
 (0000140) AlainKnaff (reporter) - 2009-01-03 11:19
 http://issues.outoforder.cc/view.php?id=93#c140 
---------------------------------------------------------------------- 
Found what was going on: after doing rehandshake, msg_cert_verify was not
called again to populate the environment. So, even though the certificate
was requested and verified, the CGI script had no way of knowing.

The attached patch fixes this issue.

Moreover, it also fixes the inverse issue, where a rehandshake was done,
even if the client had _already_ supplied a certificate, resulting in an
excessive number of browser popups to choose a certificate.

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-01-02 10:40 AlainKnaff     New Issue                                    
2009-01-02 10:40 AlainKnaff     Apache Version            => 2.2.8-1ubuntu0.3
2009-01-03 11:16 AlainKnaff     File Added: client-cert.patch
2009-01-03 11:19 AlainKnaff     Note Added: 0000140
======================================================================