[Issues] [mod_gnutls 0000093]: GnuTLSClientVerify require is ignored.
Mantis Bug Tracker
issues at outoforder.cc
Wed Sep 16 16:06:52 EDT 2009
A NOTE has been added to this issue.
======================================================================
http://issues.outoforder.cc/view.php?id=93
======================================================================
Reported By: AlainKnaff
Assigned To: nmav
======================================================================
Project: mod_gnutls
Issue ID: 93
Category: Other
Reproducibility: always
Severity: major
Priority: normal
Status: feedback
Apache Version: 2.2.8-1ubuntu0.3
======================================================================
Date Submitted: 2009-01-02 10:40 EST
Last Modified: 2009-09-16 16:06 EDT
======================================================================
Summary: GnuTLSClientVerify require is ignored.
Description:
Despite having set "GnuTLSClientVerify require" in my Apache config, the
server doesn't request client certificates from the browser, but lets it
in without certificates.
How to reproduce:
-----------------
1. Add the following to SSL config, and reload apache:
GnuTLSExportCertificates on
GnuTLSClientCAFile /etc/apache2/ssl.crt/cacert.org-class3.crt
<Directory /home/aknaff/public_html/gnutls>
GnuTLSClientVerify require
</Directory>
2. Put the following script into
/home/aknaff/public_html/gnutls/test.cgi:
#!/bin/sh
echo Content-Type: text/plain
echo
printenv
3. Visit the test.cgi page, with a browser containing no client
certificates, then with a browser which does contain some client
certificates.
What is expected:
-----------------
SSL_CLIENT_CERT should be shown.
SSL_CLIENT_VERIFY should be set to SUCCESS (if certificate present) or
access should be denied altogether (if none is present).
What happens really:
--------------------
No SSL_CLIENT_CERT shown (but SSL_SERVER_CERT does show up, proving that
the GnuTLSExportCertificates directive works)
SSL_CLIENT_VERIFY=NONE, even though this should be impossible according to
the online doc when GnuTLSClientVerify is set to "require"
======================================================================
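As an added example (not part of the report above, and not mod_gnutls code), here is a variant of the test.cgi script that does not take the per-directory "GnuTLSClientVerify require" on trust but re-checks the exported environment itself and refuses to serve unless the TLS layer reports a verified, exported client certificate. It relies only on the variable names the report shows (SSL_CLIENT_VERIFY, SSL_CLIENT_CERT) and on GnuTLSExportCertificates being on; the function names, the guard on GATEWAY_INTERFACE and the 403 body text are ours.

```shell
#!/bin/sh
# Added example: a CGI that re-checks the client-certificate state that
# mod_gnutls exports into the environment instead of assuming that
# "GnuTLSClientVerify require" already kept unauthenticated clients out.

# client_cert_ok VERIFY CERT
# Returns 0 only when the TLS layer reports a verified client certificate
# AND the certificate itself was exported (GnuTLSExportCertificates on).
client_cert_ok() {
    verify="$1"
    cert="$2"
    [ "$verify" = "SUCCESS" ] || return 1
    case "$cert" in
        *"BEGIN CERTIFICATE"*) return 0 ;;
        *) return 1 ;;
    esac
}

# deny_reason VERIFY CERT
# Prints a one-line reason suitable for the 403 body and the error log.
deny_reason() {
    if [ -z "$1" ] || [ "$1" = "NONE" ]; then
        echo "no client certificate was requested or presented (SSL_CLIENT_VERIFY=${1:-unset})"
    elif [ "$1" != "SUCCESS" ]; then
        echo "client certificate failed verification (SSL_CLIENT_VERIFY=$1)"
    else
        echo "SSL_CLIENT_VERIFY=SUCCESS but SSL_CLIENT_CERT is empty; check GnuTLSExportCertificates or the rehandshake bug"
    fi
}

# Only emit a CGI response when invoked by the web server (GATEWAY_INTERFACE
# is set), so the functions above can also be sourced and exercised by hand.
if [ -n "$GATEWAY_INTERFACE" ]; then
    if client_cert_ok "$SSL_CLIENT_VERIFY" "$SSL_CLIENT_CERT"; then
        echo "Content-Type: text/plain"
        echo
        echo "client certificate verified (SSL_CLIENT_VERIFY=$SSL_CLIENT_VERIFY)"
    else
        reason=$(deny_reason "$SSL_CLIENT_VERIFY" "$SSL_CLIENT_CERT")
        echo "Status: 403 Forbidden"
        echo "Content-Type: text/plain"
        echo
        echo "Forbidden: $reason"
        # stderr from a CGI ends up in the Apache error log.
        echo "client-cert check failed: $reason" >&2
    fi
fi
```

With the behaviour described in the report (SSL_CLIENT_VERIFY=NONE, no SSL_CLIENT_CERT) this script returns 403 instead of running printenv, which is the fail-closed result one wants while the module bug is unfixed; once the module populates the environment correctly after the rehandshake, the same script serves the page.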
----------------------------------------------------------------------
(0000140) AlainKnaff (reporter) - 2009-01-03 11:19
http://issues.outoforder.cc/view.php?id=93#c140
----------------------------------------------------------------------
Found what was going on: after doing a rehandshake, msg_cert_verify was not
called again to populate the environment. So, even though the certificate
was requested and verified, the CGI script had no way of knowing.
The attached patch fixes this issue.
Moreover, it also fixes the inverse issue, where a rehandshake was done
even if the client had _already_ supplied a certificate, resulting in an
excessive number of browser popups to choose a certificate.
----------------------------------------------------------------------
(0000159) nmav (manager) - 2009-06-30 14:42
http://issues.outoforder.cc/view.php?id=93#c159
----------------------------------------------------------------------
I have applied your patch in the latest svn trunk. I'd appreciate it if you
could check everything is ok.
----------------------------------------------------------------------
(0000160) AlainKnaff (reporter) - 2009-06-30 16:55
http://issues.outoforder.cc/view.php?id=93#c160
----------------------------------------------------------------------
I tried to compile it, but I get:
Makefile.am:1: option `dist-bzip2' not recognized
----------------------------------------------------------------------
(0000161) nmav (manager) - 2009-06-30 16:57
http://issues.outoforder.cc/view.php?id=93#c161
----------------------------------------------------------------------
You might need to run:
autoreconf
./configure
before make. If you already did that I might have missed something, so let
me know.
----------------------------------------------------------------------
(0000179) rimy (reporter) - 2009-09-09 08:24
http://issues.outoforder.cc/view.php?id=93#c179
----------------------------------------------------------------------
Hi,
I've got this problem in 0.5.5; can this patch be applied to that
version?
ubuntu server 9.04 x64 + apache 2.2.11
----------------------------------------------------------------------
(0000180) rimy (reporter) - 2009-09-10 02:41
http://issues.outoforder.cc/view.php?id=93#c180
----------------------------------------------------------------------
I've modified 0.5.5 as in the patch and it doesn't work for me; neither does
the latest svn version.
----------------------------------------------------------------------
(0000182) nmav (manager) - 2009-09-13 04:47
http://issues.outoforder.cc/view.php?id=93#c182
----------------------------------------------------------------------
Can you describe the issue you have?
----------------------------------------------------------------------
(0000187) rimy (reporter) - 2009-09-14 00:41
http://issues.outoforder.cc/view.php?id=93#c187
----------------------------------------------------------------------
I have two https sites (site1 and site2) using port 443 on the same IP.
site1 just uses a server certificate; it has worked fine for almost one
month. A few days ago I configured site2 (which provides an API) with client
certificate verification. It also works fine under Firefox, but under IE
there are two problems:
one is the same as this issue: mod_gnutls ignored my
>GnuTLSClientVerify require
directive;
the other is that it can't correctly recognize the server certificate:
when I browse site2 in IE, it shows me the certificate of site1.
You can use phpinfo(), print_r($_SERVER) or echo
$_SERVER["SSL_CLIENT_VERIFY"]; the value of the variable is "NONE".
Then I tried applying client-cert.patch to 0.5.5 (the result is 0.5.5.patch),
but it doesn't seem to work; I also tried the latest svn version, which
doesn't work either.
It also seems the curl extension of php can't correctly connect to
site2, but I haven't had enough time to do a strict test, so I'm not sure it
was caused by this bug.
For now I temporarily use https with http basic authorization to ensure the
safety of site2.
----------------------------------------------------------------------
(0000188) nmav (manager) - 2009-09-16 16:06
http://issues.outoforder.cc/view.php?id=93#c188
----------------------------------------------------------------------
Do you use a browser that supports SNI? Please try with Firefox 3.
Otherwise it is an issue with your browser.
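The two-vhosts-on-one-IP symptom in the preceding note (site2 served with site1's certificate) is what a client that does not send SNI sees. As an added example, not part of this thread and not mod_gnutls code, the following script checks from the command line which leaf certificate a name-based HTTPS vhost presents with and without SNI, using openssl s_client; the host names are placeholders, and the -noservername switch assumes OpenSSL 1.1.1 or later (older s_client versions send no SNI unless -servername is given).

```shell
#!/bin/sh
# Added example: compare the certificate a server presents with and
# without SNI, to tell a non-SNI client problem from a vhost misconfiguration.

# subject_cn: read s_client output on stdin and print the CN of the first
# "subject=" line. Handles both the old "/C=US/CN=x" and the newer
# "C = US, CN = x" formats.
subject_cn() {
    sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# served_cn HOST PORT [SNI_NAME]
# Prints the CN of the leaf certificate HOST:PORT sends. With a third
# argument the handshake carries that SNI name; without it, none is sent.
served_cn() {
    host="$1"; port="$2"; sni="$3"
    if [ -n "$sni" ]; then
        printf '' | openssl s_client -connect "$host:$port" -servername "$sni" 2>/dev/null | subject_cn
    else
        printf '' | openssl s_client -connect "$host:$port" -noservername 2>/dev/null | subject_cn
    fi
}

# sni_report HOST PORT NAME
# Prints one line per probe; a mismatch between the two means clients
# without SNI (e.g. IE on Windows XP) will get the default vhost's cert.
sni_report() {
    host="$1"; port="$2"; name="$3"
    with=$(served_cn "$host" "$port" "$name")
    without=$(served_cn "$host" "$port")
    echo "with SNI ($name): ${with:-no certificate parsed}"
    echo "without SNI:      ${without:-no certificate parsed}"
    [ "$with" = "$without" ] && echo "same certificate either way" \
                             || echo "DIFFERENT: non-SNI clients get the default vhost"
}

# Usage (placeholder host names, network required):
#   sni_report site2.example.org 443 site2.example.org
```

If "without SNI" shows site1's CN while "with SNI" shows site2's, the server side is working and the client is the one not sending the name; if both show site1, the vhost is not being selected at all and the server configuration needs attention.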
Issue History
Date Modified Username Field Change
======================================================================
2009-01-02 10:40 AlainKnaff New Issue
2009-01-02 10:40 AlainKnaff Apache Version => 2.2.8-1ubuntu0.3
2009-01-03 11:16 AlainKnaff File Added: client-cert.patch
2009-01-03 11:19 AlainKnaff Note Added: 0000140
2009-06-30 14:15 nmav Issue Monitored: nmav
2009-06-30 14:42 nmav Note Added: 0000159
2009-06-30 14:42 nmav Status new => resolved
2009-06-30 14:42 nmav Fixed in Version => -TRUNK
2009-06-30 14:42 nmav Resolution open => fixed
2009-06-30 14:42 nmav Assigned To => nmav
2009-06-30 16:55 AlainKnaff Note Added: 0000160
2009-06-30 16:55 AlainKnaff Status resolved => feedback
2009-06-30 16:55 AlainKnaff Resolution fixed => reopened
2009-06-30 16:57 nmav Note Added: 0000161
2009-09-09 08:24 rimy Note Added: 0000179
2009-09-10 02:41 rimy File Added: 0.5.5.patch
2009-09-10 02:41 rimy Note Added: 0000180
2009-09-13 04:47 nmav Note Added: 0000182
2009-09-14 00:41 rimy Note Added: 0000187
2009-09-16 16:06 nmav Note Added: 0000188
======================================================================