[Modules] client certificate verification does not work

friiz friiz at dunaweb.hu
Thu Mar 6 08:23:38 EST 2008


Hi!

I could not set up mod_gnutls to verify my client certs;
it always fails the client cert verification with the installed CA cert.

My CA certs and client certs work flawlessly with mod_ssl and gnutls-serv too; only mod_gnutls verification fails.

gnutls-serv --http --port 8443 ..x509cafile... --x509keyfile... --x509certfile ...

* connection from ip.ad.re.ss, port 4997
- Given server name[1]: httpssite1
- Ephemeral DH using prime of 1032 bits, secret key of 1016 bits, and peer's public key is 1032 bits.
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # valid since: Mon May  7 08:01:00 UTC 2007
 # expires at: Mon May  5 08:11:00 UTC 2014

|<2>| ASSERT: mpi.c:588
|<2>| ASSERT: dn.c:1125
|<2>| ASSERT: dn.c:1125

- Peer's certificate is trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-256-CBC
- MAC: SHA1
- Compression: NULL
|<2>| ASSERT: gnutls_buffers.c:360
|<2>| ASSERT: mpi.c:588
|<2>| ASSERT: x509.c:753
|<2>| ASSERT: x509.c:841
|<2>| ASSERT: x509.c:2125

After turning on debug mode, /tmp/gnutls_debug contains:

gnutls: 2.2.2
gnutls: 2.2.2
gnutls: 2.2.2
<2> ASSERT: dn.c:445
<2> ASSERT: dn.c:445
gnutls: 2.2.2
<2> ASSERT: dn.c:445
<2> ASSERT: dn.c:445
<4> REC[a39a70]: Expected Packet[0] Handshake(22) with length: 1
<4> REC[a39a70]: Received Packet[0] Handshake(22) with length: 187
<4> REC[a39a70]: Decrypted Packet[0] Handshake(22) with length: 187
<3> HSK[a39a70]: CLIENT HELLO was received [187 bytes]
<3> HSK[a39a70]: Client's version: 3.1
<2> ASSERT: gnutls_session_pack.c:214
<2> ASSERT: gnutls_session.c:194
<2> ASSERT: gnutls_db.c:255
<2> EXT[a39a70]: Received extension 'SERVER_NAME/0'
<2> EXT[a39a70]: Received extension '(null)/10'
<2> EXT[a39a70]: Received extension '(null)/11'
<2> EXT[a39a70]: Received extension 'SERVER_NAME/0'
<2> EXT[a39a70]: Received extension '(null)/10'
<2> EXT[a39a70]: Received extension '(null)/11'
<3> HSK[a39a70]: Removing ciphersuite: PSK_SHA_ARCFOUR_SHA1
<3> HSK[a39a70]: Removing ciphersuite: PSK_SHA_3DES_EDE_CBC_SHA1
...
<3> HSK[a39a70]: CERTIFICATE was received [891 bytes]
<3> HSK[a39a70]: CLIENT KEY EXCHANGE was received [262 bytes]
<3> HSK[a39a70]: CERTIFICATE VERIFY was received [262 bytes]
<4> REC[a39a70]: Expected Packet[2] Change Cipher Spec(20) with length: 1
<4> REC[a39a70]: Received Packet[2] Change Cipher Spec(20) with length: 1
<4> REC[a39a70]: ChangeCipherSpec Packet was received
<9> INT: PREMASTER SECRET[256]: 78bda1c83d7ba7a9f116dfaabe6510d58c4b07762db5e1c39a0f8f86063057779efcb090075d151623713aaa40449d66313803a5d178787c1cf2c64ff4abaa
<9> INT: CLIENT RANDOM[32]: 00043a40dc1caa123393adb00cb82d304a0eb4d87619aea343f338f5ea324a5d
<9> INT: SERVER RANDOM[32]: 47cfec3eaf5838db880fd612fdfbb665501c8e6523feed0921a7ac7fe39773ac
<9> INT: MASTER SECRET: b2b1f3e2732ac8f260ddeb883d0749ef69f683a598e8ca082f8245a09093f60d40ec59aa20d80b89394965bd28620de7
<9> INT: KEY BLOCK[136]: 124e9162f2dfcc4fd0a8159302cf1ef9192b7d2b136a440be36469efac428058
<9> INT: CLIENT WRITE KEY [32]: de3a292f34e8e323af53c8d0dbfdf2a2c8a2ddc66738bb36c078c75bd6ac5624
<9> INT: SERVER WRITE KEY [32]: 2090a382a37fcefb81db901052a741b867f382bd9c4980c9ea9689f27b60fbb4
<3> HSK[a39a70]: Cipher Suite: DHE_RSA_AES_256_CBC_SHA1
<3> HSK[a39a70]: Initializing internal [read] cipher sessions
<4> REC[a39a70]: Expected Packet[0] Handshake(22) with length: 1
<4> REC[a39a70]: Received Packet[0] Handshake(22) with length: 48
<4> REC[a39a70]: Decrypted Packet[0] Handshake(22) with length: 16
<3> HSK[a39a70]: FINISHED was received [16 bytes]
<3> REC[a39a70]: Sent ChangeCipherSpec
<4> REC[a39a70]: Sending Packet[5] Change Cipher Spec(20) with length: 1
<4> REC[a39a70]: Sent Packet[6] Change Cipher Spec(20) with length: 6
<3> HSK[a39a70]: Cipher Suite: DHE_RSA_AES_256_CBC_SHA1
<3> HSK[a39a70]: Initializing internal [write] cipher sessions
<3> HSK[a39a70]: FINISHED was send [16 bytes]
<4> REC[a39a70]: Sending Packet[0] Handshake(22) with length: 16
<4> REC[a39a70]: Sent Packet[1] Handshake(22) with length: 85
<4> REC[a39a70]: Expected Packet[1] Application Data(23) with length: 8192
<4> REC[a39a70]: Received Packet[1] Application Data(23) with length: 544
<4> REC[a39a70]: Decrypted Packet[1] Application Data(23) with length: 509
<2> ASSERT: dn.c:1125
<2> ASSERT: verify.c:206
<2> ASSERT: verify.c:255
<2> ASSERT: gnutls_srp.c:656
<4> REC[a39a70]: Sending Packet[1] Application Data(23) with length: 278
<4> REC[a39a70]: Sent Packet[2] Application Data(23) with length: 357
...

My config is something like:

<VirtualHost ip.ad.re.ss:443>
        GnuTLSEnable on
        GnuTLSPriorities NORMAL
        ServerName httpssite1:443
        GNUTLSExportCertificates on

#        GnuTLSX509CertificateFile /etc/ssl/server.crt
#       GnuTLSX509KeyFile /etc/ssl/server.key

        GnuTLSCertificateFile /etc/ssl/server.crt
        GnuTLSKeyFile /etc/ssl/private/server.key

        GnuTLSClientCAFile /etc/ssl/ca.crt

#        GnuTLSX509CAFile /etc/ssl/ca.crt

        GnuTLSClientVerify request
        ServerAdmin webmaster at localhost
        DocumentRoot /var/www/site1/

</VirtualHost>

This is 0.5.0, but I tried with 0.4.2.1 too, with debian-testing's apache, gnutls, etc.

How to solve?
Thanks
friiz
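
A way to read a debug log like the one in the post above, as an added example that is not part of the original message or of mod_gnutls: it separates "did the client present a certificate during the handshake" from "where did the library assert once the handshake had finished". The function name `triage` and the sample lines are constructed here, in the format of the `/tmp/gnutls_debug` excerpt.

```python
import re

# Constructed sample in the format of the /tmp/gnutls_debug excerpt above.
SAMPLE_LOG = """\
<2> ASSERT: dn.c:445
<3> HSK[a39a70]: CLIENT HELLO was received [187 bytes]
<3> HSK[a39a70]: CERTIFICATE was received [891 bytes]
<3> HSK[a39a70]: CLIENT KEY EXCHANGE was received [262 bytes]
<3> HSK[a39a70]: CERTIFICATE VERIFY was received [262 bytes]
<3> HSK[a39a70]: FINISHED was received [16 bytes]
<3> HSK[a39a70]: FINISHED was send [16 bytes]
<4> REC[a39a70]: Decrypted Packet[1] Application Data(23) with length: 509
<2> ASSERT: dn.c:1125
<2> ASSERT: verify.c:206
<2> ASSERT: verify.c:255
<2> ASSERT: gnutls_srp.c:656
"""

# "<level> HSK[session]: MESSAGE was received [n bytes]"
HSK_RE = re.compile(r"^<\d+> HSK\[(\w+)\]: (.+?) was received \[(\d+) bytes\]")
# "<level> ASSERT: file.c:line"
ASSERT_RE = re.compile(r"^<\d+> ASSERT: ([\w.]+):(\d+)")


def triage(log_text):
    """Summarise one session's handshake and the asserts logged after it."""
    received = []          # handshake messages the server received, in order
    asserts_after = []     # (source file, line) asserts after client FINISHED
    finished = False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HSK_RE.match(line)
        if m:
            received.append(m.group(2))
            if m.group(2) == "FINISHED":
                finished = True
            continue
        m = ASSERT_RE.match(line)
        if m and finished:
            asserts_after.append((m.group(1), int(m.group(2))))
    return {
        "client_sent_certificate": "CERTIFICATE" in received,
        "certificate_verify_received": "CERTIFICATE VERIFY" in received,
        "handshake_finished": finished,
        "asserts_after_handshake": asserts_after,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample, the client certificate and CERTIFICATE VERIFY both arrive and the handshake finishes; the `verify.c` asserts appear only afterwards, once application data is being processed.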



