[Issues] [mod_gnutls 0000093]: GnuTLSClientVerify require is ignored.
Mantis Bug Tracker
issues at outoforder.cc
Thu Sep 10 02:41:37 EDT 2009
A NOTE has been added to this issue.
======================================================================
http://issues.outoforder.cc/view.php?id=93
======================================================================
Reported By: AlainKnaff
Assigned To: nmav
======================================================================
Project: mod_gnutls
Issue ID: 93
Category: Other
Reproducibility: always
Severity: major
Priority: normal
Status: feedback
Apache Version: 2.2.8-1ubuntu0.3
======================================================================
Date Submitted: 2009-01-02 10:40 EST
Last Modified: 2009-09-10 02:41 EDT
======================================================================
Summary: GnuTLSClientVerify require is ignored.
Description:
Despite having set "GnuTLSClientVerify require" in my Apache config, the
server doesn't request client certificates from the browser, but lets it
in without certificates.
How to reproduce:
-----------------
1. Add the following to SSL config, and reload apache:
GnuTLSExportCertificates on
GnuTLSClientCAFile /etc/apache2/ssl.crt/cacert.org-class3.crt
<Directory /home/aknaff/public_html/gnutls>
GnuTLSClientVerify require
</Directory>
2. Put the following script into
/home/aknaff/public_html/gnutls/test.cgi:
#!/bin/sh
echo Content-Type: text/plain
echo
printenv
3. Visit the test.cgi page, with a browser containing no client
certificates, then with a browser which does contain some client
certificates.
What is expected:
-----------------
SSL_CLIENT_CERT should be shown.
SSL_CLIENT_VERIFY should be set to SUCCESS (if certificate present) or
access should be denied altogether (if none is present).
What happens really:
--------------------
No SSL_CLIENT_CERT shown (but SSL_SERVER_CERT does show up, proving that
the GnuTLSExportCertificates directive works)
SSL_CLIENT_VERIFY=NONE, even though this should be impossible according to
the online doc when GnuTLSClientVerify is set to "require"
======================================================================
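The reproduction above relies entirely on Apache enforcing the <Directory> restriction before the CGI runs, which is exactly what fails here. As an added example (not part of the bug report or of mod_gnutls), the following CGI script re-checks the environment itself: it only serves content when SSL_CLIENT_VERIFY is SUCCESS and SSL_CLIENT_CERT carries a PEM certificate, and returns 403 otherwise. The variable names are the ones the report says mod_gnutls exports with GnuTLSExportCertificates on; the GATEWAY_INTERFACE guard is an assumption so the script can also be sourced and tested outside Apache.

```shell
#!/bin/sh
# Added example, not from the bug report: a CGI that does not trust the
# <Directory> "GnuTLSClientVerify require" alone but re-checks the
# mod_gnutls environment (SSL_CLIENT_VERIFY / SSL_CLIENT_CERT) before
# serving anything.

# client_cert_ok VERIFY CERT
# Returns 0 only when the verify status is SUCCESS and a PEM certificate
# was actually exported; returns 1 otherwise. This is the condition the
# report expects to hold after a successful "require" handshake.
client_cert_ok() {
    verify="$1"
    cert="$2"
    [ "$verify" = "SUCCESS" ] || return 1
    case "$cert" in
        *"-----BEGIN CERTIFICATE-----"*) return 0 ;;
        *) return 1 ;;
    esac
}

# cgi_main: emit 403 when no verified client certificate is visible,
# otherwise dump only the SSL_* variables (a restricted printenv).
cgi_main() {
    if client_cert_ok "${SSL_CLIENT_VERIFY:-NONE}" "${SSL_CLIENT_CERT:-}"; then
        printf 'Content-Type: text/plain\r\n\r\n'
        env | grep '^SSL_' | sort
    else
        printf 'Status: 403 Forbidden\r\n'
        printf 'Content-Type: text/plain\r\n\r\n'
        printf 'client certificate required (SSL_CLIENT_VERIFY=%s)\n' \
            "${SSL_CLIENT_VERIFY:-NONE}"
    fi
}

# Only act as a CGI when a web server actually invoked us (assumed guard so
# the functions can be sourced and tested standalone).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    cgi_main
fi
```

With the bug present, a client without a certificate reaches this script with SSL_CLIENT_VERIFY=NONE and is refused; a client that did present one during the rehandshake is also refused, because the environment was not repopulated, which makes the missing-variable symptom visible in the HTTP status rather than silently granting access.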
----------------------------------------------------------------------
(0000140) AlainKnaff (reporter) - 2009-01-03 11:19
http://issues.outoforder.cc/view.php?id=93#c140
----------------------------------------------------------------------
Found what was going on: after doing rehandshake , msg_cert_verify was not
called again to populate the environment. So, even though the certificate
was requested and verified, the CGI script had no way of knowing.
The attached patch fixes this issue.
Moreover, it also fixes the inverse issue, where a rehandshake was done,
even if the client had _already_ supplied a certificate, resulting in an
excessive number of browser popups to choose a certificate.
----------------------------------------------------------------------
(0000159) nmav (manager) - 2009-06-30 14:42
http://issues.outoforder.cc/view.php?id=93#c159
----------------------------------------------------------------------
I have applied your patch in the latest svn trunk. I'd appreciate it if you
could check everything is ok.
----------------------------------------------------------------------
(0000160) AlainKnaff (reporter) - 2009-06-30 16:55
http://issues.outoforder.cc/view.php?id=93#c160
----------------------------------------------------------------------
I tried to compile it, but I get:
Makefile.am:1: option `dist-bzip2' not recognized
----------------------------------------------------------------------
(0000161) nmav (manager) - 2009-06-30 16:57
http://issues.outoforder.cc/view.php?id=93#c161
----------------------------------------------------------------------
You might need to run:
autoreconf
./configure
before make. If you already did that I might have missed something, so let
me know.
----------------------------------------------------------------------
(0000179) rimy (reporter) - 2009-09-09 08:24
http://issues.outoforder.cc/view.php?id=93#c179
----------------------------------------------------------------------
Hi,
I've got this problem in 0.5.5; can this patch be applied to that
version?
ubuntu server 9.04 x64 + apache 2.2.11
----------------------------------------------------------------------
(0000180) rimy (reporter) - 2009-09-10 02:41
http://issues.outoforder.cc/view.php?id=93#c180
----------------------------------------------------------------------
I've modified 0.5.5 like the patch and it doesn't work for me, also the
latest svn version.
Issue History
Date Modified Username Field Change
======================================================================
2009-01-02 10:40 AlainKnaff New Issue
2009-01-02 10:40 AlainKnaff Apache Version => 2.2.8-1ubuntu0.3
2009-01-03 11:16 AlainKnaff File Added: client-cert.patch
2009-01-03 11:19 AlainKnaff Note Added: 0000140
2009-06-30 14:15 nmav Issue Monitored: nmav
2009-06-30 14:42 nmav Note Added: 0000159
2009-06-30 14:42 nmav Status new => resolved
2009-06-30 14:42 nmav Fixed in Version => -TRUNK
2009-06-30 14:42 nmav Resolution open => fixed
2009-06-30 14:42 nmav Assigned To => nmav
2009-06-30 16:55 AlainKnaff Note Added: 0000160
2009-06-30 16:55 AlainKnaff Status resolved => feedback
2009-06-30 16:55 AlainKnaff Resolution fixed => reopened
2009-06-30 16:57 nmav Note Added: 0000161
2009-09-09 08:24 rimy Note Added: 0000179
2009-09-10 02:41 rimy File Added: 0.5.5.patch
2009-09-10 02:41 rimy Note Added: 0000180
======================================================================