[mod_gnutls-devel] Certificate-based authentication
Marc Ende
marc.ende at ymail.com
Wed May 7 07:45:26 CEST 2014
Hi,
On one of my servers I use certificate-based authentication. Everything
works great except for one simple thing:
* If I log in with a certificate which is signed by the CA mentioned in
GnuTLSClientCAFile, access is granted as expected.
* If I log in with a certificate which is NOT signed by the CA mentioned in
GnuTLSClientCAFile, access is also granted (not expected).
The second one was signed by the CA which signed the certificate of the
webserver itself. I haven't tested this with a certificate signed by
someone else. But even in this case I wouldn't be happy with the fact that
everyone with a certificate signed by this (webserver) CA has access.
Maybe I've got an issue in my configuration...
My configuration:
GnuTLSEnable on
GnuTLSExportCertificates on
GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-AES-256-CBC:-AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:+ARCFOUR-128:+CAMELLIA-256-CBC:+AES-256-CBC
GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert <-Webserver-CA
GnuTLSKeyFile /etc/apache2/ssl/webserver.key
GnuTLSClientVerify require
GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc <-ClientCA
Thanks for your help
Marc
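A constructed reproduction of the check Marc expects GnuTLSClientCAFile to perform, written in Go as an added example (not mod_gnutls code and not part of the post): it builds a throwaway client CA and a separate webserver CA, signs one client certificate with each, and verifies both against a trust store that holds only the client CA. All CA and subject names are made up.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func check(err error) { if err != nil { panic(err) } }
// issue builds a constructed cert for cn: a self-signed CA when parent is nil, otherwise a client-auth leaf signed by parent.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed serial; uniqueness is irrelevant to chain building
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed CA: the template signs itself with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf restricted to TLS client authentication
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// AcceptedByClientCA trusts clientCA alone, which is what GnuTLSClientCAFile is expected to enforce.
func AcceptedByClientCA(leaf, clientCA *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(clientCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil // any other issuer, the webserver's CA included, fails with "unknown authority"
}
// Scenario replays the two logins from the post against the client CA only; expected: (true, false).
func Scenario() (fromClientCA, fromServerCA bool) {
	clientCA, clientCAKey := issue("ClientCA", nil, nil)
	serverCA, serverCAKey := issue("Webserver-CA", nil, nil)
	good, _ := issue("user signed by ClientCA", clientCA, clientCAKey)
	bad, _ := issue("user signed by Webserver-CA", serverCA, serverCAKey)
	return AcceptedByClientCA(good, clientCA), AcceptedByClientCA(bad, clientCA)
}
```

Feeding the two certificates to the same verifier with the actual contents of the server's client CA file in place of clientCA shows whether that file trusts more issuers than intended.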