[Issues] [mod_gnutls 0000093]: GnuTLSClientVerify require is ignored.

Mantis Bug Tracker issues at outoforder.cc
Mon Sep 14 00:41:51 EDT 2009


A NOTE has been added to this issue. 
====================================================================== 
http://issues.outoforder.cc/view.php?id=93 
====================================================================== 
Reported By:                AlainKnaff
Assigned To:                nmav
====================================================================== 
Project:                    mod_gnutls
Issue ID:                   93
Category:                   Other
Reproducibility:            always
Severity:                   major
Priority:                   normal
Status:                     feedback
Apache Version:             2.2.8-1ubuntu0.3 
====================================================================== 
Date Submitted:             2009-01-02 10:40 EST
Last Modified:              2009-09-14 00:41 EDT
====================================================================== 
Summary:                    GnuTLSClientVerify require is ignored.
Description: 
Despite having set "GnuTLSClientVerify require" in my Apache config, the
server doesn't request client certificates from the browser, but lets it
in without certificates.

How to reproduce:
-----------------
1. Add the following to SSL config, and reload apache:

        GnuTLSExportCertificates on
        GnuTLSClientCAFile /etc/apache2/ssl.crt/cacert.org-class3.crt
        <Directory /home/aknaff/public_html/gnutls>
                GnuTLSClientVerify require
        </Directory>

2. Put the following script into
/home/aknaff/public_html/gnutls/test.cgi:

#!/bin/sh

echo Content-Type: text/plain
echo
printenv

3. Visit the test.cgi page, with a browser containing no client
certificates, then with a browser which does contain some client
certificates.

What is expected:
-----------------
SSL_CLIENT_CERT should be shown.
SSL_CLIENT_VERIFY should be set to SUCCESS (if certificate present) or
access should be denied altogether (if none is present).

What happens really:
--------------------
No SSL_CLIENT_CERT shown (but SSL_SERVER_CERT does show up, proving that
the GnuTLSExportCertificates directive works)
SSL_CLIENT_VERIFY=NONE, even though this should be impossible according to
the online doc when GnuTLSClientVerify is set to "require"

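The report above shows why a CGI must not assume that "GnuTLSClientVerify require" was actually enforced: with this bug, a request can reach the script with SSL_CLIENT_VERIFY=NONE and no SSL_CLIENT_CERT. The following is an added example, not code from the report or from mod_gnutls, of a CGI that checks the exported variables itself and answers 403 unless the server reports a verified certificate. It assumes the script is served by mod_gnutls with GnuTLSExportCertificates on (so SSL_CLIENT_VERIFY and SSL_CLIENT_CERT are set by the server); the function names client_cert_ok and respond are hypothetical, and the certificate text used in the stand-alone self-check is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example (not part of the bug report): a CGI that serves content only
# when mod_gnutls has exported a verified client certificate. With the bug
# described in this issue, SSL_CLIENT_VERIFY could be "NONE" even though
# "GnuTLSClientVerify require" was configured, so the script checks itself.

# client_cert_ok VERIFY CERT
# Returns 0 only when the verify status is SUCCESS and a PEM certificate was
# exported. The caller passes the values of SSL_CLIENT_VERIFY and
# SSL_CLIENT_CERT from the CGI environment.
client_cert_ok() {
    verify="$1"
    cert="$2"
    [ "$verify" = "SUCCESS" ] || return 1
    case "$cert" in
        "-----BEGIN CERTIFICATE-----"*) return 0 ;;
    esac
    return 1
}

# Emit the CGI response. The "Status:" header makes Apache send a 403 to the
# browser instead of the default 200.
respond() {
    if client_cert_ok "${SSL_CLIENT_VERIFY:-NONE}" "${SSL_CLIENT_CERT:-}"; then
        echo "Content-Type: text/plain"
        echo
        echo "client certificate verified"
        # Show only the TLS-related variables, leaving out the full PEM blob.
        env | grep '^SSL_' | grep -v '^SSL_CLIENT_CERT=' | sort
    else
        echo "Status: 403 Forbidden"
        echo "Content-Type: text/plain"
        echo
        echo "client certificate required (SSL_CLIENT_VERIFY=${SSL_CLIENT_VERIFY:-unset})"
    fi
}

# GATEWAY_INTERFACE is set by the web server for every CGI invocation; when it
# is absent the script is being run by hand, so exercise the check instead.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    respond
else
    # Constructed placeholder, not a real certificate.
    sample_cert="-----BEGIN CERTIFICATE-----
MIIBconstructedSampleNotARealCertificate=
-----END CERTIFICATE-----"
    client_cert_ok SUCCESS "$sample_cert" && echo "SUCCESS + cert: allowed"
    client_cert_ok NONE "" || echo "NONE + no cert: denied"
fi
```

Installed in place of the printenv script from the report, this makes the broken and the fixed behaviour visible from the browser: a 403 means the server never populated the client-certificate variables for this request, whatever the Directory block says.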
====================================================================== 

---------------------------------------------------------------------- 
 (0000140) AlainKnaff (reporter) - 2009-01-03 11:19
 http://issues.outoforder.cc/view.php?id=93#c140 
---------------------------------------------------------------------- 
Found what was going on: after doing rehandshake , msg_cert_verify was not
called again to populate the environment. So, even though the certificate
was requested and verified, the CGI script had no way of knowing.

The attached patch fixes this issue.

Moreover, it also fixes the inverse issue, where a rehandshake was done
even if the client had _already_ supplied a certificate, resulting in an
excessive number of browser popups to choose a certificate.

---------------------------------------------------------------------- 
 (0000159) nmav (manager) - 2009-06-30 14:42
 http://issues.outoforder.cc/view.php?id=93#c159 
---------------------------------------------------------------------- 
I have applied your patch in the latest svn trunk. I'd appreciate it if you
could check everything is ok.

---------------------------------------------------------------------- 
 (0000160) AlainKnaff (reporter) - 2009-06-30 16:55
 http://issues.outoforder.cc/view.php?id=93#c160 
---------------------------------------------------------------------- 
I tried to compile it, but I get:

Makefile.am:1: option `dist-bzip2' not recognized 

---------------------------------------------------------------------- 
 (0000161) nmav (manager) - 2009-06-30 16:57
 http://issues.outoforder.cc/view.php?id=93#c161 
---------------------------------------------------------------------- 
You might need to run:
autoreconf
./configure

before make. If you already did that I might have missed something, so let
me know. 

---------------------------------------------------------------------- 
 (0000179) rimy (reporter) - 2009-09-09 08:24
 http://issues.outoforder.cc/view.php?id=93#c179 
---------------------------------------------------------------------- 
Hi,

I've got this problem in 0.5.5; can this patch be applied to that
version?

ubuntu server 9.04 x64 + apache 2.2.11 

---------------------------------------------------------------------- 
 (0000180) rimy (reporter) - 2009-09-10 02:41
 http://issues.outoforder.cc/view.php?id=93#c180 
---------------------------------------------------------------------- 
I've modified 0.5.5 like the patch and it doesn't work for me, also the
latest svn version. 

---------------------------------------------------------------------- 
 (0000182) nmav (manager) - 2009-09-13 04:47
 http://issues.outoforder.cc/view.php?id=93#c182 
---------------------------------------------------------------------- 
Can you describe the issue you have? 

---------------------------------------------------------------------- 
 (0000187) rimy (reporter) - 2009-09-14 00:41
 http://issues.outoforder.cc/view.php?id=93#c187 
---------------------------------------------------------------------- 
I have two https sites (site1 and site2) using port 443 on the same IP.

site1 just uses a server certificate; it has worked fine for almost one
month. A few days ago I configured site2 (which provides an API) with client
certificate verification. It also works fine under Firefox, but under IE
there are two problems:
one is the same as this issue, mod_gnutls ignored my
>GnuTLSClientVerify require
directive;
the other is that it can't correctly recognize the server certificate:
when I browse site2 in IE, it shows me the certificate of site1.

You can use phpinfo(), print_r($_SERVER) or echo
$_SERVER["SSL_CLIENT_VERIFY"]; the value of the variable is "NONE".

Then I tried applying client-cert.patch to 0.5.5; the result is 0.5.5.patch,
but it doesn't seem to work. I also tried the latest svn version, which
doesn't work either.

And it seems the curl extension of PHP also can't correctly connect to
site2, but I don't have enough time to do a strict test, so I'm not sure it
was caused by this bug.

Now I temporarily use https with HTTP basic authorization to ensure the
safety of site2.

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2009-01-02 10:40 AlainKnaff     New Issue                                    
2009-01-02 10:40 AlainKnaff     Apache Version            => 2.2.8-1ubuntu0.3
2009-01-03 11:16 AlainKnaff     File Added: client-cert.patch
2009-01-03 11:19 AlainKnaff     Note Added: 0000140
2009-06-30 14:15 nmav           Issue Monitored: nmav                        
2009-06-30 14:42 nmav           Note Added: 0000159                          
2009-06-30 14:42 nmav           Status                   new => resolved     
2009-06-30 14:42 nmav           Fixed in Version          => -TRUNK          
2009-06-30 14:42 nmav           Resolution               open => fixed       
2009-06-30 14:42 nmav           Assigned To               => nmav            
2009-06-30 16:55 AlainKnaff     Note Added: 0000160                          
2009-06-30 16:55 AlainKnaff     Status                   resolved => feedback
2009-06-30 16:55 AlainKnaff     Resolution               fixed => reopened   
2009-06-30 16:57 nmav           Note Added: 0000161                          
2009-09-09 08:24 rimy           Note Added: 0000179                          
2009-09-10 02:41 rimy           File Added: 0.5.5.patch                      
2009-09-10 02:41 rimy           Note Added: 0000180                          
2009-09-13 04:47 nmav           Note Added: 0000182                          
2009-09-14 00:41 rimy           Note Added: 0000187                          
======================================================================
