Hi all,

I cannot get client certificate verification to work, no matter what I
try. I have two virtual hosts using GnuTLS. The first one is my
Subversion server.

<VirtualHost *:443>
        # SSL using GnuTLS
        GnuTLSEnable On
        GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
        GnuTLSKeyFile /etc/apache2/ssl/key.pem
        GnuTLSPriorities PERFORMANCE

        ServerName svn.jejik.com

        LogLevel warn
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

        <Location "/">
                # uninteresting Subversion configuration removed
        </Location>

</VirtualHost>

The second one is a CakePHP website I'm developing:

<VirtualHost *:443>
        DocumentRoot /home/sander/projects/odf-shots/trunk/server/www
        ServerName cakephp.jejik.com

        # SSL using GnuTLS
        GnuTLSEnable On
        GnuTLSPriorities PERFORMANCE
        GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
        GnuTLSKeyFile /etc/apache2/ssl/key.pem
        GnuTLSClientVerify require
        GnuTLSClientCAFile /etc/ssl/certs/cacert.org.pem

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

</VirtualHost>

Note that the domain cakephp.jejik.com isn't in any DNS record. If you
want to access it for yourself, add "82.95.221.82 cakephp.jejik.com" to
your /etc/hosts file.

As you see, for the second virtualhost I have set "GnuTLSClientVerify
require", but my browser never pops up a certificate request and never
sends one. On the server I always get "[SSL_CLIENT_VERIFY] => NONE".

The server certificate and keyfile is a self-signed server certificate
with a wildcard "*.jejik.com". I have a security exception added for
that in my Firefox.

/etc/ssl/certs/cacert.org.pem is the standard pem for verifying CACert
client certificates. I have a CACert client certificate installed in my
browser.

When I access https://cakephp.jejik.com I expect Firefox to pop up a
certificate request, or I expect mod_gnutls to deny the connection.
Instead, I can access it just fine over https. No client verification
happens at all.

What's the problem?

-- 
Sander Marechal
Lone Wolves Foundation
http://www.jejik.com
_______________________________________________
Modules mailing list
Modules@lists.outoforder.cc
http://lists.outoforder.cc/mailman/listinfo/modules