[Issues] [mod_gnutls 0000085]: Client verify X.509 authentication doesn't work
Mantis Bug Tracker
issues at outoforder.cc
Thu Oct 16 14:33:18 EDT 2008
A NOTE has been added to this issue.
======================================================================
http://issues.outoforder.cc/view.php?id=85
======================================================================
Reported By: szollosi
Assigned To:
======================================================================
Project: mod_gnutls
Issue ID: 85
Category: Apache Integration
Reproducibility: always
Severity: block
Priority: normal
Status: feedback
Apache Version: 2.2.3
======================================================================
Date Submitted: 2008-04-15 13:39 EDT
Last Modified: 2008-10-16 14:33 EDT
======================================================================
Summary: Client verify X.509 authentication doesn't work
Description:
Client verify X.509 authentication doesn't work. My virtualhost's gnutls
settings:
GnuTLSEnable on
GnuTLSPriorities NORMAL
GNUTLSExportCertificates on
GnuTLSCertificateFile /etc/apache2/ssl/server.crt
GnuTLSKeyFile /etc/apache2/ssl/server.key
GnuTLSClientVerify require
GnuTLSClientCAFile /etc/apache2/ssl/cacert.pem
======================================================================
----------------------------------------------------------------------
(0000109) nmav (manager) - 2008-04-18 01:30
http://issues.outoforder.cc/view.php?id=85#c109
----------------------------------------------------------------------
Well, saying "doesn't work" does not help me in any way. I can reply that
it works for me. What is it that makes you think it does work? Do you get
any error messages? What happens to the client?
----------------------------------------------------------------------
(0000110) nmav (manager) - 2008-04-18 01:31
http://issues.outoforder.cc/view.php?id=85#c110
----------------------------------------------------------------------
More feedback is required. Client authentication works in the test servers.
----------------------------------------------------------------------
(0000114) szollosi (reporter) - 2008-04-18 08:50
http://issues.outoforder.cc/view.php?id=85#c114
----------------------------------------------------------------------
Sorry. OK.
I examined the situation and found 2 problems.
The first problem is: I have several client certificates in the certificate
manager. With mod_ssl, the client sends the right certificate to the
server; with mod_gnutls the client sends a bad certificate, but when I
select the right certificate manually the authentication was done right.
The client is Iceweasel (Firefox) 2.0.0.12.
The second problem is really a feature request: with mod_ssl I can use the
SSLUserName SSL_CLIENT_S_DN_CN setting, so I can use the
$_SERVER['REMOTE_USER'] variable in my PHP authentication code.
Thanks!
----------------------------------------------------------------------
(0000125) nmav (manager) - 2008-10-16 14:33
http://issues.outoforder.cc/view.php?id=85#c125
----------------------------------------------------------------------
For your last feature request: the X.509 protocol is quite complex in name
handling, and the only reliable output is SSL_CLIENT_S_DN, which contains
the whole Distinguished Name. The CN in a certificate might be empty. If
you just want the CN, you can extract it from the SSL_CLIENT_S_DN variable.
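
One way to do the extraction described in the note above, in PHP since that is what the reporter's authentication code uses. This is an added example, not code from the thread or from mod_gnutls; it assumes SSL_CLIENT_S_DN is an RFC 4514-style comma-separated string, and the function names are hypothetical. It parses the DN instead of searching for "CN=", so an escaped comma inside another attribute cannot smuggle in a CN, and it returns null for a missing, empty or repeated CN.

```php
<?php
// Added example. Assumption: SSL_CLIENT_S_DN is an RFC 4514-style string,
// e.g. "C=HU,O=Example,CN=Jane Doe". Quoted and "#hex" values are not handled.

// Split on unescaped $sep; a backslash protects the character after it.
function split_unescaped(string $s, string $sep): array
{
    $parts = [''];
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        if ($s[$i] === '\\' && $i + 1 < $n) {
            $parts[count($parts) - 1] .= substr($s, $i++, 2);  // keep escape pair
        } elseif ($s[$i] === $sep) {
            $parts[] = '';
        } else {
            $parts[count($parts) - 1] .= $s[$i];
        }
    }
    return $parts;
}

// Undo RFC 4514 escaping: "\XX" hex pairs and "\<char>".
function unescape_value(string $v): string
{
    return preg_replace_callback('/\\\\([0-9A-Fa-f]{2}|.)/s',
        fn($m) => strlen($m[1]) === 2 ? chr(hexdec($m[1])) : $m[1], $v);
}

// Return the DN's single non-empty CN, or null (missing, empty, repeated, malformed).
function client_cn(?string $dn): ?string
{
    $cns = [];
    foreach (split_unescaped((string) $dn, ',') as $rdn) {
        foreach (split_unescaped($rdn, '+') as $ava) {   // multi-valued RDN
            $eq = strpos($ava, '=');
            if ($eq === false) {
                return null;                              // malformed: refuse
            }
            if (strtoupper(trim(substr($ava, 0, $eq))) === 'CN') {
                $cns[] = unescape_value(substr($ava, $eq + 1));
            }
        }
    }
    return (count($cns) === 1 && $cns[0] !== '') ? $cns[0] : null;
}

// Constructed sample DNs: plain, escaped comma inside O, no CN, empty CN.
foreach (['C=HU,O=Example,CN=Jane Doe', 'C=HU,O=Evil\, CN=admin,CN=mallory',
          'C=HU,O=Example', 'CN=,O=Example'] as $dn) {
    var_dump(client_cn($dn));
}
```

In the application, call client_cn() on the exported SSL_CLIENT_S_DN value and treat a null result as "no usable user name" rather than falling back to an empty string.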
Issue History
Date Modified     Username   Field                 Change
======================================================================
2008-04-15 13:39  szollosi   New Issue
2008-04-15 13:39  szollosi   Apache Version        => 2.2.3
2008-04-18 01:30  nmav       Note Added: 0000109
2008-04-18 01:31  nmav       Note Added: 0000110
2008-04-18 01:31  nmav       Status                new => feedback
2008-04-18 08:50  szollosi   Note Added: 0000114
2008-10-16 14:33  nmav       Note Added: 0000125
======================================================================