[Modules] Cannot get client certificate verification to work
Sander Marechal
s.marechal at jejik.com
Tue Jan 13 03:32:54 EST 2009
I have done some more digging and it's weirdness. It looks like
mod_gnutls does not take the VirtualHost directive into account.

Below is again the configuration of my two virtual hosts. The Subversion
server only has a server certificate. The CakePHP virtual host has a
server certificate (in fact, the same one as the Subversion server) and
requires client-side certification.

If the Subversion server is loaded first then neither virtual host will
ask for a client certificate. If the CakePHP host is loaded first then
*both* virtual hosts will ask for client-side certificates.

So, it looks like GnuTLSClientVerify does not take the virtual host into
account in the below configuration.

Bug? Or is something wrong with my configuration?

--
Sander Marechal
Lone Wolves Foundation
http://www.jejik.com

Sander Marechal wrote:
> The first one is my Subversion server.
>
> <VirtualHost *:443>
> # SSL using GnuTLS
> GnuTLSEnable On
> GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
> GnuTLSKeyFile /etc/apache2/ssl/key.pem
> GnuTLSPriorities PERFORMANCE
>
> ServerName svn.jejik.com
>
> LogLevel warn
> ErrorLog /var/log/apache2/error.log
> CustomLog /var/log/apache2/access.log combined
> ServerSignature On
>
> <Location "/">
> # uninteresting Subversion configuration removed
> </Location>
>
> </VirtualHost>
>
> The second one is a CakePHP website I'm developing:
>
> <VirtualHost *:443>
> DocumentRoot /home/sander/projects/odf-shots/trunk/server/www
> ServerName cakephp.jejik.com
>
> # SSL using GnuTLS
> GnuTLSEnable On
> GnuTLSPriorities PERFORMANCE
> GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
> GnuTLSKeyFile /etc/apache2/ssl/key.pem
> GnuTLSClientVerify require
> GnuTLSClientCAFile /etc/ssl/certs/cacert.org.pem
>
> ErrorLog /var/log/apache2/error.log
>
> # Possible values include: debug, info, notice, warn, error, crit,
> # alert, emerg.
> LogLevel warn
>
> CustomLog /var/log/apache2/access.log combined
> ServerSignature On
>
> </VirtualHost>
>
> Note that the domain cakephp.jejik.com isn't in any DNS record. If you
> want to access it for yourself, add "82.95.221.82 cakephp.jejik.com" to
> your /etc/hosts file.
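
An offline check for the condition described in this message, added here as an example and not part of the original post or of mod_gnutls: it lists TLS virtual hosts that share an address and disagree on GnuTLSClientVerify, where by the behaviour reported above the first-loaded host's setting would apply to all of them. The function names, the trimmed sample configuration and the treatment of an absent GnuTLSClientVerify as "ignore" are assumptions.

```python
import re

# Constructed sample: the two virtual hosts from the post, cut down to the
# directives that matter for this check.
SAMPLE_CONF = """
<VirtualHost *:443>
    GnuTLSEnable On
    ServerName svn.jejik.com
</VirtualHost>
<VirtualHost *:443>
    ServerName cakephp.jejik.com
    GnuTLSEnable On
    GnuTLSClientVerify require
</VirtualHost>
"""

def parse_vhosts(conf):
    """Return [(address, server_name, client_verify)] for TLS vhosts, in load order."""
    vhosts, addr, cur = [], None, None
    for line in (l.strip() for l in conf.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            addr = opened.group(1).strip()
            # Assumption: an absent GnuTLSClientVerify is treated as "ignore".
            cur = {"servername": None, "gnutlsenable": "off",
                   "gnutlsclientverify": "ignore"}
        elif cur is not None and line.lower().startswith("</virtualhost"):
            if cur["gnutlsenable"] == "on":
                vhosts.append((addr, cur["servername"], cur["gnutlsclientverify"]))
            cur = None
        elif cur is not None and line and not line.startswith("#"):
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() in cur:
                cur[parts[0].lower()] = parts[1].strip().lower()
    return vhosts

def audit(conf):
    """Return [(address, first_name, first_setting, [(name, own_setting), ...])]
    for every address whose later TLS vhosts differ from the first-loaded one."""
    groups = {}
    for addr, name, verify in parse_vhosts(conf):
        groups.setdefault(addr, []).append((name, verify))
    findings = []
    for addr, hosts in groups.items():
        first_name, first_verify = hosts[0]
        differing = [(n, v) for n, v in hosts[1:] if v != first_verify]
        if differing:
            findings.append((addr, first_name, first_verify, differing))
    return findings
```

A non-empty result from `audit()` names the hosts whose own setting differs from the first-loaded host on that address; a host that asks for `require` but sits behind an `ignore` host is the case to confirm with a live handshake.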