[Issues] [mod_gnutls 0000122]: For some virtualhosts, Modgnutls ignores configured GnuTLSX509CertificateFile

Mantis Bug Tracker issues at outoforder.cc
Mon Sep 26 00:15:50 EDT 2011

The following issue has been CLOSED 
Reported By:                AlainKnaff
Assigned To:                dashula
Project:                    mod_gnutls
Issue ID:                   122
Category:                   Configuration Issue
Reproducibility:            always
Severity:                   major
Priority:                   high
Status:                     closed
Target Version:             0.6
Apache Version:             2.2.11-2ubuntu2.7 
Resolution:                 open
Fixed in Version:           
Date Submitted:             2010-12-20 00:42 EET
Last Modified:              2011-09-26 06:15 EET
Summary:                    For some virtualhosts, Modgnutls ignores configured
For some virtualhosts, Modgnutls ignores configured GnuTLSX509CertificateFile
and uses the certificate for a random other site instead.

I've got a virtual host defined as follows:

<VirtualHost *:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL:%COMPAT
        GnuTLSX509CertificateFile ssl.crt/www.alain.knaff.lu.crt
        GnuTLSX509KeyFile ssl.key/server2048.key

        ServerName www.alain.knaff.lu
        ServerAlias knaff.lu alain.knaff.lu
        DocumentRoot /home/aknaff/public_html

When accessing it as https://knaff.lu , GnuTLS uses the correct certificate
(i.e. the one in ssl.crt/www.alain.knaff.lu.crt)

When accessing it as https://www.alain.knaff.lu , GnuTLS uses the certificate of
a different virtual host residing on the same server (lll.lu)

Steps to Reproduce: 
1. Set up virtual host as above
2. Access it using firefox, using https://www.alain.knaff.lu
3. Watch for "certificate matches a different site" errors.

On my server, this reproduces the error 100% percent of the time. However, I am
unsure why it picks the certificate for lll.lu, rather than the certificate for
one of the many other domains residing on the server.


 (0000237) AlainKnaff (reporter) - 2010-12-20 20:47
Found an explanation and a solution at

Apparently, when deciding which certificate to use, mod_gnutls completely
ignores the config and instead looks at the certificate's CN to see which one
matches. If it doesn't find a matching certificate, it picks one at random.
Problem is, it only considers CN, but not subjectAltName.

Jan Krüger's patch (see attachment) fixes this by making mod_gnutls consider up
to 4 subjectAltNames (number configurable by a #define) 

 (0000270) dashula (manager) - 2011-07-08 16:26
Expect mod_gnutls 0.6 (due in Aug 2011 hopefully) to include support for
Certificates' Subject Alternative Names. 

 (0000287) dashula (manager) - 2011-09-26 06:15
ServerAlias directives are now being considered.

Please wait for mod_gnutls 0.6 to be released, otherwise please checkout the fix
from the Sourceforge Repository at:

Issue History 
Date Modified    Username       Field                    Change               
2010-12-20 00:42 AlainKnaff     New Issue                                    
2010-12-20 00:42 AlainKnaff     File Added: www.alain.knaff.lu.crt              
2010-12-20 20:47 AlainKnaff     Note Added: 0000237                          
2010-12-20 20:48 AlainKnaff     File Added:
2011-07-08 16:26 dashula        Note Added: 0000270                          
2011-07-08 16:26 dashula        Assigned To               => dashula         
2011-07-08 16:26 dashula        Status                   new => assigned     
2011-07-22 00:11 dashula        Target Version            => 0.6             
2011-09-26 06:15 dashula        Note Added: 0000287                          
2011-09-26 06:15 dashula        Status                   assigned => closed  

More information about the Issues mailing list