[Modules] Cannot get client certificate verification to work

Sander Marechal s.marechal at jejik.com
Mon Jan 12 07:48:07 EST 2009


Hi all,

I cannot get client certificate verification to work, no matter what I
try. I have two virtual hosts using GnuTLS. The first one is my
Subversion server.

<VirtualHost *:443>
	# SSL using GnuTLS
	GnuTLSEnable On
	GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
	GnuTLSKeyFile /etc/apache2/ssl/key.pem
	GnuTLSPriorities PERFORMANCE

	ServerName svn.jejik.com

	LogLevel warn
	ErrorLog /var/log/apache2/error.log
	CustomLog /var/log/apache2/access.log combined
	ServerSignature On

	<Location "/">
		# uninteresting Subversion configuration removed
	</Location>

</VirtualHost>

The second one is a CakePHP website I'm developing:

<VirtualHost *:443>
	DocumentRoot /home/sander/projects/odf-shots/trunk/server/www
	ServerName cakephp.jejik.com

	# SSL using GnuTLS
	GnuTLSEnable On
	GnuTLSPriorities PERFORMANCE
	GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
	GnuTLSKeyFile /etc/apache2/ssl/key.pem
	GnuTLSClientVerify require
	GnuTLSClientCAFile /etc/ssl/certs/cacert.org.pem

	ErrorLog /var/log/apache2/error.log

	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel warn

	CustomLog /var/log/apache2/access.log combined
	ServerSignature On

</VirtualHost>

Note that the domain cakephp.jejik.com isn't in any DNS record. If you
want to access it for yourself, add "82.95.221.82 cakephp.jejik.com" to
your /etc/hosts file.

As you can see, for the second virtual host I have set "GnuTLSClientVerify
require", but my browser never pops up a certificate request and never
sends one. On the server I always get "[SSL_CLIENT_VERIFY] => NONE".

The server certificate and key file are a self-signed server certificate
with a wildcard "*.jejik.com". I have added a security exception for
that in my Firefox.

/etc/ssl/certs/cacert.org.pem is the standard pem for verifying CACert
client certificates. I have a CACert client certificate installed in my
browser.

When I access https://cakephp.jejik.com I expect Firefox to pop up a
certificate request, or I expect mod_gnutls to deny the connection.
Instead, I can access it just fine over https. No client verification
happens at all.

What's the problem?

-- 
Sander Marechal
Lone Wolves Foundation
http://www.jejik.com
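The post describes two name-based virtual hosts on the same address and port that share one certificate, so which vhost's GnuTLSClientVerify setting applies to a connection depends on the SNI name the client sends. The following client-side check is added here and is not part of the original post; it assumes the OpenSSL command-line client is installed (its `-msg` output names each handshake message) and uses the host names and address given in the post.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): handshake against a
# name-based TLS vhost with an explicit SNI name and report whether the
# server sent a TLS CertificateRequest, i.e. whether client verification is
# actually active for that name. Assumes `openssl s_client` is available.

# cert_requested: read an `openssl s_client -msg` transcript on stdin and
# return 0 if the server asked for a client certificate, 1 if it did not.
cert_requested() {
	grep -q 'CertificateRequest'
}

# probe NAME IP: connect to IP:443 with SNI set to NAME and classify the
# handshake. Prints one line per probe and returns 0 when a certificate
# request was seen, 1 otherwise.
probe() {
	name=$1
	ip=$2
	if printf '' | openssl s_client -connect "$ip:443" -servername "$name" -msg 2>/dev/null \
		| cert_requested; then
		echo "$name: client certificate requested"
		return 0
	fi
	echo "$name: no client certificate requested"
	return 1
}

# Probe both names from the post against the same address. If only
# cakephp.jejik.com triggers a request, SNI is selecting the vhost and the
# browser side is the place to look; if neither name does, the vhost that
# is answering is not the one with GnuTLSClientVerify, or the directive is
# not being honoured in that context.
# Usage:
#   probe svn.jejik.com 82.95.221.82
#   probe cakephp.jejik.com 82.95.221.82
```

A server that requests a certificate but receives none will, with "GnuTLSClientVerify require", abort the handshake, so a successful page load combined with "no client certificate requested" narrows the problem to vhost selection rather than to the browser's certificate store.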
