[Issues] [mod_gnutls 0000093]: GnuTLSClientVerify require is ignored.

Mantis Bug Tracker issues at outoforder.cc
Tue Jun 30 16:57:55 EDT 2009


A NOTE has been added to this issue. 
====================================================================== 
http://issues.outoforder.cc/view.php?id=93 
====================================================================== 
Reported By:                AlainKnaff
Assigned To:                nmav
====================================================================== 
Project:                    mod_gnutls
Issue ID:                   93
Category:                   Other
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     feedback
Apache Version:             2.2.8-1ubuntu0.3 
====================================================================== 
Date Submitted:             2009-01-02 10:40 EST
Last Modified:              2009-06-30 16:57 EDT
====================================================================== 
Summary:                    GnuTLSClientVerify require is ignored.
Description: 
Despite having set "GnuTLSClientVerify require" in my Apache config, the
server doesn't request client certificates from the browser, but lets it
in without certificates.

How to reproduce:
-----------------
1. Add the following to SSL config, and reload apache:

        GnuTLSExportCertificates on
        GnuTLSClientCAFile /etc/apache2/ssl.crt/cacert.org-class3.crt
        <Directory /home/aknaff/public_html/gnutls>
                GnuTLSClientVerify require
        </Directory>

2. Put the following script into
/home/aknaff/public_html/gnutls/test.cgi:

#!/bin/sh

echo Content-Type: text/plain
echo
printenv

3. Visit the test.cgi page, with a browser containing no client
certificates, then with a browser which does contain some client
certificates.

What is expected:
-----------------
SSL_CLIENT_CERT should be shown.
SSL_CLIENT_VERIFY should be set to SUCCESS (if certificate present) or
access should be denied altogether (if none is present).

What happens really:
--------------------
No SSL_CLIENT_CERT shown (but SSL_SERVER_CERT does show up, proving that
the GnuTLSExportCertificates directive works)
SSL_CLIENT_VERIFY=NONE, even though this should be impossible according to
the online doc when GnuTLSClientVerify is set to "require"

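As an added example, not part of the bug report or of mod_gnutls itself: a CGI script of the kind used in step 2 that does not simply dump its environment but fails closed. It treats the SSL_CLIENT_VERIFY and SSL_CLIENT_CERT variables named above as the only evidence that a client certificate was verified, so a server-side regression like the one described (the directive set to "require", yet SSL_CLIENT_VERIFY=NONE and no SSL_CLIENT_CERT) produces a 403 instead of silent access. The function names client_cert_ok and deny_response are mine; GATEWAY_INTERFACE is the standard CGI variable and is used only so the file can be sourced outside Apache without emitting a response.

```shell
#!/bin/sh
# Added example (not from the bug report or mod_gnutls): a CGI script that
# refuses to serve unless the web server actually verified a client
# certificate. The check is independent of the GnuTLSClientVerify setting,
# so a regression that leaves SSL_CLIENT_VERIFY at NONE fails closed.

# client_cert_ok VERIFY CERT
#   Returns 0 only when VERIFY is exactly "SUCCESS" and CERT contains a PEM
#   certificate; anything else (NONE, FAILED, empty, unset) returns 1.
client_cert_ok() {
    verify="$1"
    cert="$2"
    [ "$verify" = "SUCCESS" ] || return 1
    case "$cert" in
        *"-----BEGIN CERTIFICATE-----"*) return 0 ;;
        *) return 1 ;;
    esac
}

# deny_response VERIFY: emit a CGI response that refuses the request and
# reports what the server handed us, which is the value worth logging.
deny_response() {
    printf 'Status: 403 Forbidden\r\n'
    printf 'Content-Type: text/plain\r\n\r\n'
    printf 'Client certificate required (SSL_CLIENT_VERIFY=%s)\n' "${1:-unset}"
}

# Only act as a CGI when Apache invoked us; sourcing the file for tests
# defines the functions without producing any output.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    if client_cert_ok "${SSL_CLIENT_VERIFY:-}" "${SSL_CLIENT_CERT:-}"; then
        printf 'Content-Type: text/plain\r\n\r\n'
        # Show only the SSL_* variables rather than a full printenv, so the
        # page does not echo unrelated server environment to the client.
        env | grep '^SSL_' | sort
    else
        deny_response "${SSL_CLIENT_VERIFY:-}"
    fi
fi
```

Run it in place of the printenv script from step 2: with the bug present, a browser without a certificate and a browser with one both get the 403 (because SSL_CLIENT_VERIFY is NONE either way), which makes the defect visible at the application layer; once the server populates the variables after the rehandshake, only the certificate-bearing browser gets through.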
====================================================================== 

---------------------------------------------------------------------- 
 (0000140) AlainKnaff (reporter) - 2009-01-03 11:19
 http://issues.outoforder.cc/view.php?id=93#c140 
---------------------------------------------------------------------- 
Found what was going on: after doing a rehandshake, msg_cert_verify was not
called again to populate the environment. So, even though the certificate
was requested and verified, the CGI script had no way of knowing.

The attached patch fixes this issue.

Moreover, it also fixes the inverse issue, where a rehandshake was done
even if the client had _already_ supplied a certificate, resulting in an
excessive number of browser popups to choose a certificate.

---------------------------------------------------------------------- 
 (0000159) nmav (manager) - 2009-06-30 14:42
 http://issues.outoforder.cc/view.php?id=93#c159 
---------------------------------------------------------------------- 
I have applied your patch in the latest svn trunk. I'd appreciate it if you
could check everything is ok.

---------------------------------------------------------------------- 
 (0000160) AlainKnaff (reporter) - 2009-06-30 16:55
 http://issues.outoforder.cc/view.php?id=93#c160 
---------------------------------------------------------------------- 
I tried to compile it, but I get:

Makefile.am:1: option `dist-bzip2' not recognized 

---------------------------------------------------------------------- 
 (0000161) nmav (manager) - 2009-06-30 16:57
 http://issues.outoforder.cc/view.php?id=93#c161 
---------------------------------------------------------------------- 
You might need to run:
autoreconf
./configure

before make. If you already did that I might have missed something, so let
me know. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-01-02 10:40 AlainKnaff     New Issue                                    
2009-01-02 10:40 AlainKnaff     Apache Version            => 2.2.8-1ubuntu0.3
2009-01-03 11:16 AlainKnaff     File Added: client-cert.patch
2009-01-03 11:19 AlainKnaff     Note Added: 0000140
2009-06-30 14:15 nmav           Issue Monitored: nmav                        
2009-06-30 14:42 nmav           Note Added: 0000159                          
2009-06-30 14:42 nmav           Status                   new => resolved     
2009-06-30 14:42 nmav           Fixed in Version          => -TRUNK          
2009-06-30 14:42 nmav           Resolution               open => fixed       
2009-06-30 14:42 nmav           Assigned To               => nmav            
2009-06-30 16:55 AlainKnaff     Note Added: 0000160                          
2009-06-30 16:55 AlainKnaff     Status                   resolved => feedback
2009-06-30 16:55 AlainKnaff     Resolution               fixed => reopened   
2009-06-30 16:57 nmav           Note Added: 0000161                          
======================================================================