[Issues] [mod_gnutls 0000086]: SSLUserName settings and Chained Client Certificates

Mantis Bug Tracker issues at outoforder.cc
Wed Jul 1 09:26:29 EDT 2009


A NOTE has been added to this issue. 
====================================================================== 
http://issues.outoforder.cc/view.php?id=86 
====================================================================== 
Reported By:                szollosi
Assigned To:                
====================================================================== 
Project:                    mod_gnutls
Issue ID:                   86
Category:                   Feature Request
Reproducibility:            N/A
Severity:                   block
Priority:                   normal
Status:                     new
Apache Version:             2.2.3 
====================================================================== 
Date Submitted:             2008-04-18 09:16 EDT
Last Modified:              2009-07-01 09:26 EDT
====================================================================== 
Summary:                    SSLUserName settings and Chained Client Certificates
Description: 
I use the SSLUserName setting with mod_ssl. I would like to use something
similar with mod_gnutls.
Sometimes I use "Chained Client Certificates", but mod_gnutls told me it is
not supported:
"[Fri Apr 18 14:37:24 2008] [info] [client 10.104.2.60] GnuTLS: Failed to
Verify Peer: Chained Client Certificates are not supported."
(it was the bad certificate from issue #85)
I would like to use this if possible.
Thanks!

====================================================================== 

---------------------------------------------------------------------- 
 (0000116) nmav (manager) - 2008-05-06 15:59
 http://issues.outoforder.cc/view.php?id=86#c116 
---------------------------------------------------------------------- 
I like these features and they are not too difficult to implement. I will
keep them in my todo list, but I'm quite busy, so don't expect anything
soon. Patches of course are always welcome. 

---------------------------------------------------------------------- 
 (0000150) jmdesp (reporter) - 2009-06-30 13:32
 http://issues.outoforder.cc/view.php?id=86#c150 
---------------------------------------------------------------------- 
Hi, I'm going to provide a _minimal_ patch for the "Chained Client
Certificates" issue.

That _minimal_ patch will be the one that I can make work with the
smallest effort. Basically the idea is that if there are several x509
certificates, we'll look for the first one that's not a CA, and we'll
assume the user cert is that one.

Yes, that's limited, but with a small change, it'll stop chained client
certificates from systematically returning an error. The server will have
to know all intermediate certificates even when the client can provide
them, but for client certificates it's much less annoying than it is in
other cases.

That said, the SSLUserName issue is something completely different, and
should have a separate bug. 

---------------------------------------------------------------------- 
 (0000151) nmav (manager) - 2009-06-30 13:52
 http://issues.outoforder.cc/view.php?id=86#c151 
---------------------------------------------------------------------- 
In TLS you are assured that the first certificate in the client certificate
list is the actual client certificate. If I remember correctly, all you need
to do is also use the additional certificates in the list for certificate
verification. 

---------------------------------------------------------------------- 
 (0000163) jmdesp (reporter) - 2009-07-01 09:26
 http://issues.outoforder.cc/view.php?id=86#c163 
---------------------------------------------------------------------- 
I see. If the whole list is guaranteed to be ordered, simply replacing the
call to gnutls_x509_crt_verify by a call to gnutls_x509_crt_list_verify,
after parsing them all, would work.

If not, it gets more complex, because gnutls_x509_crt_verify, which does not
require the certs to be ordered, only receives a list of *trusted* CA certs
as input.
So I think it's required to order them, and then call
gnutls_x509_crt_list_verify. 

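An added example (not mod_gnutls or GnuTLS code) of the ordering step discussed in notes 0000150 and 0000163: take the single non-CA certificate as the client certificate, then follow issuer-to-subject links so the array has the layout gnutls_x509_crt_list_verify expects. The cert_t struct and the sample chain are constructed stand-ins; in mod_gnutls the fields would be read from the parsed gnutls_x509_crt_t objects.

```c
#include <string.h>
#define MAX_CHAIN 8

/* Assumed stand-in for a parsed X.509 certificate; holds only the fields
 * the ordering step needs (not GnuTLS's gnutls_x509_crt_t). */
typedef struct {
    const char *subject;
    const char *issuer;
    int is_ca;                      /* basicConstraints cA flag */
} cert_t;

/* Order an unordered client certificate list so that out[0] is the
 * end-entity cert and out[i+1] is the issuer of out[i], the layout
 * gnutls_x509_crt_list_verify expects. Returns the chain length, or -1
 * if the list does not hold exactly one end-entity cert. The chain ends at
 * a self-signed root or at the last cert whose issuer the client actually
 * sent; a missing intermediate must then come from the server's trusted CAs. */
int order_chain(const cert_t *in, int n, const cert_t **out) {
    int used[MAX_CHAIN] = {0}, leaf = -1, len = 0;
    if (n < 1 || n > MAX_CHAIN) return -1;
    for (int i = 0; i < n; i++) {
        if (in[i].is_ca) continue;              /* a CA cert is never the client cert */
        if (leaf != -1) return -1;              /* two end-entity certs: ambiguous */
        leaf = i;
    }
    if (leaf == -1) return -1;                  /* only CA certs: no client cert */
    out[len++] = &in[leaf];
    used[leaf] = 1;
    while (len < n) {
        const cert_t *cur = out[len - 1];
        int next = -1;
        if (strcmp(cur->subject, cur->issuer) == 0) break;   /* self-signed root reached */
        for (int j = 0; j < n && next == -1; j++)
            if (!used[j] && in[j].is_ca && strcmp(in[j].subject, cur->issuer) == 0)
                next = j;
        if (next == -1) break;                  /* issuer not sent by the client */
        used[next] = 1;                         /* no cert is placed twice, so no loops */
        out[len++] = &in[next];
    }
    return len;
}

/* Constructed sample: a three-cert chain sent out of order, root first. */
static const cert_t sample[3] = {
    {"CN=Example Root CA", "CN=Example Root CA", 1},
    {"CN=alice", "CN=Example Intermediate CA", 0},
    {"CN=Example Intermediate CA", "CN=Example Root CA", 1},
};

/* Orders the sample; out[0] ends up as "CN=alice". Returns 3. */
int order_sample(const cert_t **out) { return order_chain(sample, 3, out); }
```

The ordered array (with its length) is what would then be handed to gnutls_x509_crt_list_verify together with the server's trusted CA list.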
Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-04-18 09:16 szollosi       New Issue                                    
2008-04-18 09:16 szollosi       Apache Version            => 2.2.3           
2008-05-06 15:58 nmav           Issue Monitored: nmav                        
2008-05-06 15:59 nmav           Note Added: 0000116                          
2009-06-30 13:32 jmdesp         Note Added: 0000150                          
2009-06-30 13:52 nmav           Note Added: 0000151                          
2009-07-01 09:26 jmdesp         Note Added: 0000163                          
======================================================================