[Issues] [mod_gnutls 0000122]: For some virtualhosts, Modgnutls ignores configured GnuTLSX509CertificateFile
Mantis Bug Tracker
issues at outoforder.cc
Mon Dec 20 13:47:47 EST 2010
A NOTE has been added to this issue.
======================================================================
http://issues.outoforder.cc/view.php?id=122
======================================================================
Reported By: AlainKnaff
Assigned To:
======================================================================
Project: mod_gnutls
Issue ID: 122
Category: Configuration Issue
Reproducibility: always
Severity: major
Priority: high
Status: new
Apache Version: 2.2.11-2ubuntu2.7
======================================================================
Date Submitted: 2010-12-19 17:42 EST
Last Modified: 2010-12-20 13:47 EST
======================================================================
Summary: For some virtualhosts, Modgnutls ignores configured
GnuTLSX509CertificateFile
Description:
For some virtualhosts, Modgnutls ignores configured GnuTLSX509CertificateFile
and uses the certificate for a random other site instead.
I've got a virtual host defined as follows:
<VirtualHost *:443>
GnuTLSEnable on
GnuTLSPriorities NORMAL:%COMPAT
GnuTLSX509CertificateFile ssl.crt/www.alain.knaff.lu.crt
GnuTLSX509KeyFile ssl.key/server2048.key
ServerName www.alain.knaff.lu
ServerAlias knaff.lu alain.knaff.lu
DocumentRoot /home/aknaff/public_html
</VirtualHost>
When accessing it as https://knaff.lu , GnuTLS uses the correct certificate
(i.e. the one in ssl.crt/www.alain.knaff.lu.crt)
When accessing it as https://www.alain.knaff.lu , GnuTLS uses the certificate of
a different virtual host residing on the same server (lll.lu)
Steps to Reproduce:
1. Set up virtual host as above
2. Access it using firefox, using https://www.alain.knaff.lu
3. Watch for "certificate matches a different site" errors.
On my server, this reproduces the error 100% percent of the time. However, I am
unsure why it picks the certificate for lll.lu, rather than the certificate for
one of the many other domains residing on the server.
======================================================================
----------------------------------------------------------------------
(0000237) AlainKnaff (reporter) - 2010-12-20 13:47
http://issues.outoforder.cc/view.php?id=122#c237
----------------------------------------------------------------------
Found an explanation and a solution at
http://jan-krueger.net/development/mod_gnutls-and-startssl-level-1-certificates-the-problem-and-solution
Apparently, when deciding which certificate to use, mod_gnutls completely
ignores the config and instead looks at the certificate's CN to see which one
matches. If it doesn't find a matching certificate, it picks one at random.
Problem is, it only considers CN, but not subjectAltName.
Jan Krüger's patch (see attachment) fixes this by making mod_gnutls consider up
to 4 subjectAltNames (number configurable by a #define)
Issue History
Date Modified Username Field Change
======================================================================
2010-12-19 17:42 AlainKnaff New Issue
2010-12-19 17:42 AlainKnaff File Added: www.alain.knaff.lu.crt
2010-12-20 13:47 AlainKnaff Note Added: 0000237
======================================================================
More information about the Issues
mailing list