[Issues] [mod_gnutls 0000085]: Client verify X.509 authentication doesn't work

Mantis Bug Tracker issues at outoforder.cc
Mon Jul 5 03:19:34 EDT 2010


The following issue has been CLOSED 
====================================================================== 
http://issues.outoforder.cc/view.php?id=85 
====================================================================== 
Reported By:                szollosi
Assigned To:                nmav
====================================================================== 
Project:                    mod_gnutls
Issue ID:                   85
Category:                   Apache Integration
Reproducibility:            always
Severity:                   block
Priority:                   normal
Status:                     closed
Apache Version:             2.2.3 
Resolution:                 no change required
Fixed in Version:           
====================================================================== 
Date Submitted:             2008-04-15 13:39 EDT
Last Modified:              2010-07-05 03:19 EDT
====================================================================== 
Summary:                    Client verify X.509 authentication doesn't work
Description: 
Client verify X.509 authentication doesn't work. My virtualhost's gnutls
settings:

        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        GNUTLSExportCertificates on
        GnuTLSCertificateFile /etc/apache2/ssl/server.crt
        GnuTLSKeyFile /etc/apache2/ssl/server.key
        GnuTLSClientVerify require
        GnuTLSClientCAFile /etc/apache2/ssl/cacert.pem

====================================================================== 

---------------------------------------------------------------------- 
 (0000109) nmav (manager) - 2008-04-18 01:30
 http://issues.outoforder.cc/view.php?id=85#c109 
---------------------------------------------------------------------- 
Well, saying "doesn't work" does not help me in any way. I can reply that it
works for me. What is it that makes you think it does work? Do you get
any error messages? What happens to the client?

---------------------------------------------------------------------- 
 (0000110) nmav (manager) - 2008-04-18 01:31
 http://issues.outoforder.cc/view.php?id=85#c110 
---------------------------------------------------------------------- 
More feedback is required. Client authentication works in the test servers. 

---------------------------------------------------------------------- 
 (0000114) szollosi (reporter) - 2008-04-18 08:50
 http://issues.outoforder.cc/view.php?id=85#c114 
---------------------------------------------------------------------- 
Sorry. OK.
I examined the situation and found 2 problems.
The first problem is: I have several client certificates in the certificate
manager. With mod_ssl, the client sends the right certificate to the
server; with mod_gnutls the client sends a bad certificate, but when I
select the right certificate manually the authentication was done right.
The client is Iceweasel (Firefox) 2.0.0.12.
The second problem is really a feature request: with mod_ssl I can use the
SSLUserName SSL_CLIENT_S_DN_CN setting, so I can use the
$_SERVER['REMOTE_USER'] variable in my PHP authentication code.
Thanks!

---------------------------------------------------------------------- 
 (0000125) nmav (manager) - 2008-10-16 14:33
 http://issues.outoforder.cc/view.php?id=85#c125 
---------------------------------------------------------------------- 
For your last feature request: the X.509 protocol is quite complex in name
handling and the only reliable output is SSL_CLIENT_S_DN, which contains
the whole Distinguished Name. The CN in a certificate might be empty. If
you just want the CN you can extract it from the SSL_CLIENT_S_DN variable.
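
One way to do the extraction described in the note above, as an added example that is not part of the original thread or of mod_gnutls. It walks the DN with escape handling rather than a regex such as /CN=([^,]+)/, which would match a "CN=" that sits inside another attribute's escaped value, and it returns null when the CN is missing, empty or repeated. Assumptions: SSL_CLIENT_S_DN is an RFC 4514-style comma-separated string, and the function names dn_attributes and client_cn are hypothetical.

```php
<?php
// Added example, not mod_gnutls code. Assumption: SSL_CLIENT_S_DN is an
// RFC 4514-style string such as "CN=alice,O=Example\, Inc.,C=HU".
// Split a DN into [type, value] pairs, honouring backslash escapes.
function dn_attributes(string $dn): array
{
    $pairs = [];
    $type = null;                       // set once the '=' of an RDN is seen
    $buf = '';
    $len = strlen($dn);
    for ($i = 0; $i <= $len; $i++) {
        $c = $i < $len ? $dn[$i] : ',';  // sentinel flushes the last RDN
        if ($c === '\\' && $i + 1 < $len) {
            if (preg_match('/\G\\\\([0-9A-Fa-f]{2})/', $dn, $m, 0, $i)) {
                $buf .= chr(hexdec($m[1]));   // "\2C" style hex pair
                $i += 2;
            } else {
                $buf .= $dn[++$i];            // "\," style escaped character
            }
        } elseif ($c === '=' && $type === null) {
            $type = strtoupper(trim($buf));
            $buf = '';
        } elseif ($c === ',' || $c === '+') {
            if ($type !== null) {
                $pairs[] = [$type, $buf];
            }
            $type = null;
            $buf = '';
        } else {
            $buf .= $c;
        }
    }
    return $pairs;
}

// Return the CN only when the DN holds exactly one non-empty CN.
function client_cn(string $dn): ?string
{
    $cns = [];
    foreach (dn_attributes($dn) as [$type, $value]) {
        if ($type === 'CN') {
            $cns[] = $value;
        }
    }
    return (count($cns) === 1 && $cns[0] !== '') ? $cns[0] : null;
}

// Constructed sample DN; in a request, pass $_SERVER['SSL_CLIENT_S_DN'].
var_dump(client_cn('O=Example\, CN=mallory,CN=bob,C=HU'));
```

A null result should be treated as "no usable user name" and the request rejected, rather than falling back to some other attribute.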

---------------------------------------------------------------------- 
 (0000126) nmav (manager) - 2008-10-16 14:34
 http://issues.outoforder.cc/view.php?id=85#c126 
---------------------------------------------------------------------- 
Most probably a client issue. 

Issue History 
Date Modified    Username       Field                    Change               
====================================================================== 
2008-04-15 13:39 szollosi       New Issue                                    
2008-04-15 13:39 szollosi       Apache Version            => 2.2.3           
2008-04-18 01:30 nmav           Note Added: 0000109                          
2008-04-18 01:31 nmav           Note Added: 0000110                          
2008-04-18 01:31 nmav           Status                   new => feedback     
2008-04-18 08:50 szollosi       Note Added: 0000114                          
2008-10-16 14:33 nmav           Note Added: 0000125                          
2008-10-16 14:34 nmav           Status                   feedback => resolved
2008-10-16 14:34 nmav           Resolution               open => no change required
2008-10-16 14:34 nmav           Assigned To               => nmav            
2008-10-16 14:34 nmav           Note Added: 0000126                          
2010-07-05 03:19 nmav           Status                   resolved => closed  
======================================================================



