From marc.ende at ymail.com Wed May 7 07:48:40 2014
From: marc.ende at ymail.com (Marc Ende)
Date: Wed, 07 May 2014 07:48:40 +0200
Subject: [mod_gnutls-devel] Certificate-based authentication
In-Reply-To: <2443705.p5Cy6XS8Bp@me-laptop>
References: <2443705.p5Cy6XS8Bp@me-laptop>
Message-ID: <1452617.KzQS9gGqek@me-laptop>

Hi,

I've missed the relevant information:

apache: 2.2.22
gnutls: 2.10.5
mod_gnutls: 0.5.10

All standard installs by Ubuntu 12.04.4 LTS

Marc

> Hi,
>
> within one of my servers I use certificate-based authentication. Everything
> works great but without a simple thing:
>
> * If I log in with a certificate which is signed by the CA mentioned in
> GnuTLSClientCAFile the access is granted as expected.
>
> * If I log in with a certificate which is NOT signed by the CA mentioned in
> GnuTLSClientCAFile the access is also granted (not expected).
>
> The second one was signed by the CA which has signed the certificate of the
> webserver itself. I haven't tested this with a certificate which was signed
> by someone else. But also in this case I wouldn't be happy with the fact
> that everyone with a signed certificate of this (webserver-)CA has access.
>
> Maybe I've got an issue in my configuration....
>
> My configuration:
>
> GnuTLSEnable on
> GnuTLSExportCertificates on
> GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-AES-256-CBC:-AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:+ARCFOUR-128:+CAMELLIA-256-CBC:+AES-256-CBC
>
> GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert   <-Webserver-CA
> GnuTLSKeyFile /etc/apache2/ssl/webserver.key
> GnuTLSClientVerify require
> GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc   <-ClientCA
>
> Thanks for your help
>
> Marc

From marc.ende at ymail.com Wed May 7 08:20:40 2014
From: marc.ende at ymail.com (Marc Ende)
Date: Wed, 07 May 2014 08:20:40 +0200
Subject: [mod_gnutls-devel] Certificate-based authentication
In-Reply-To: <1452617.KzQS9gGqek@me-laptop>
References: <2443705.p5Cy6XS8Bp@me-laptop> <1452617.KzQS9gGqek@me-laptop>
Message-ID: <2695966.n7N3z1opbr@me-laptop>

Hi,

the same with actual versions:

apache: 2.2.22
gnutls: 3.2.14
mod_gnutls: 0.6

so I think it might be a configuration issue or (that's also possible) a
misunderstanding of the handling of authentication.

Marc

On Wednesday, 7 May 2014, 07:48:40, Marc Ende wrote:
> Hi,
>
> I've missed the relevant information:
>
> apache: 2.2.22
> gnutls: 2.10.5
> mod_gnutls: 0.5.10
>
> All standard installs by Ubuntu 12.04.4 LTS
>
> Marc
>
> > Hi,
> >
> > within one of my servers I use certificate-based authentication.
> > Everything works great but without a simple thing:
> >
> > * If I log in with a certificate which is signed by the CA mentioned in
> > GnuTLSClientCAFile the access is granted as expected.
> >
> > * If I log in with a certificate which is NOT signed by the CA mentioned
> > in GnuTLSClientCAFile the access is also granted (not expected).
> >
> > The second one was signed by the CA which has signed the certificate of
> > the webserver itself. I haven't tested this with a certificate which was
> > signed by someone else.
> > But also in this case I wouldn't be happy with
> > the fact that everyone with a signed certificate of this (webserver-)CA
> > has access.
> >
> > Maybe I've got an issue in my configuration....
> >
> > My configuration:
> > GnuTLSEnable on
> > GnuTLSExportCertificates on
> > GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-AES-256-CBC:-AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:+ARCFOUR-128:+CAMELLIA-256-CBC:+AES-256-CBC
> >
> > GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert   <-Webserver-CA
> > GnuTLSKeyFile /etc/apache2/ssl/webserver.key
> >
> > GnuTLSClientVerify require
> > GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc   <-ClientCA
> >
> > Thanks for your help
> >
> > Marc
>
> _______________________________________________
> mod_gnutls-devel mailing list
> mod_gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/mod_gnutls-devel

From marc.ende at ymail.com Wed May 7 07:45:26 2014
From: marc.ende at ymail.com (Marc Ende)
Date: Wed, 07 May 2014 07:45:26 +0200
Subject: [mod_gnutls-devel] Certificate-based authentication
Message-ID: <2443705.p5Cy6XS8Bp@me-laptop>

Hi,

within one of my servers I use certificate-based authentication. Everything
works great but without a simple thing:

* If I log in with a certificate which is signed by the CA mentioned in
GnuTLSClientCAFile the access is granted as expected.

* If I log in with a certificate which is NOT signed by the CA mentioned in
GnuTLSClientCAFile the access is also granted (not expected).

The second one was signed by the CA which has signed the certificate of the
webserver itself. I haven't tested this with a certificate which was signed
by someone else. But also in this case I wouldn't be happy with the fact
that everyone with a signed certificate of this (webserver-)CA has access.

Maybe I've got an issue in my configuration....
My configuration:

GnuTLSEnable on
GnuTLSExportCertificates on
GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-AES-256-CBC:-AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:+ARCFOUR-128:+CAMELLIA-256-CBC:+AES-256-CBC
GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert   <-Webserver-CA
GnuTLSKeyFile /etc/apache2/ssl/webserver.key
GnuTLSClientVerify require
GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc   <-ClientCA

Thanks for your help

Marc

From marc.ende at ymail.com Wed May 7 07:28:08 2014
From: marc.ende at ymail.com (Marc Ende)
Date: Wed, 07 May 2014 07:28:08 +0200
Subject: [mod_gnutls-devel] SSLUserName / FakeBasicAuth
Message-ID: <1616599.f57bZTdsPp@me-laptop>

Hi,

I'd like to know what's the progress on SSLUserName? I've found this link
where the SSLUserName option is mentioned
(http://lists.outoforder.cc/pipermail/issues/2009-July/000230.html),
but within the docs I didn't find any mention of that.

I've got a website which has some apps which are able to use SSL
authentication, but they're all tied to the things mod_ssl does. So it would
be great if mod_gnutls as a replacement can handle this ;))

Even for non-SSL-authentication apps it would be great if mod_gnutls had the
capability to do FakeBasicAuth. Some of them require the user variable to be
filled for authentication. So something like FakeBasicAuth would be great! ;)

Thanks
Marc
From marc.ende at ymail.com Wed May 7 12:32:21 2014
From: marc.ende at ymail.com (Marc Ende)
Date: Wed, 07 May 2014 12:32:21 +0200
Subject: [mod_gnutls-devel] HTTP_FORBIDDEN-ignored-bug (was:Re: Certificate-based authentication)
In-Reply-To: <2443705.p5Cy6XS8Bp@me-laptop>
References: <2443705.p5Cy6XS8Bp@me-laptop>
Message-ID: <2943769.V0qEYpfHCV@me-laptop>

Hi,

after a few further investigations I've found this:

[Wed May 07 11:34:01 2014] [debug] gnutls_hooks.c(1144): [client xxx.xxx.xxx.xxx] GnuTLS: A Chain of 1 certificate(s) was provided for validation
[Wed May 07 11:34:01 2014] [debug] gnutls_hooks.c(1198): [client xxx.xxx.xxx.xxx] GnuTLS: Verifying list of 1 certificate(s) via method 'cartel'
[Wed May 07 11:34:01 2014] [info] [client xxx.xxx.xxx.xxx] GnuTLS: Could not find Signer for Peer Certificate
[Wed May 07 11:34:01 2014] [info] [client xxx.xxx.xxx.xxx] GnuTLS: Peer Certificate is invalid.
[Wed May 07 11:34:01 2014] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/www/favicon.ico

The request with the certificate (the one which is not signed by the correct
CA) is received. After that it's correctly processed, which means: it's
found as incorrect. After another reload it's passed to the webspace. (That's
what shouldn't happen.)

Personally I think that there is something strange with the authentication
hook:

ap_hook_access_checker(mgs_hook_authz, NULL, NULL, APR_HOOK_REALLY_FIRST);

mgs_hook_authz returns the HTTP_FORBIDDEN correctly (the return value is
403). But this result isn't used correctly (in Apache I think).

As such I think this will be a bug. But I don't know on which side? For me
it seems that's an Apache issue.

Marc

On Wednesday, 7 May 2014, 07:45:26, Marc Ende wrote:
> Hi,
>
> within one of my servers I use certificate-based authentication. Everything
> works great but without a simple thing:
>
> * If I log in with a certificate which is signed by the CA mentioned in
> GnuTLSClientCAFile the access is granted as expected.
>
> * If I log in with a certificate which is NOT signed by the CA mentioned in
> GnuTLSClientCAFile the access is also granted (not expected).
>
> The second one was signed by the CA which has signed the certificate of the
> webserver itself. I haven't tested this with a certificate which was signed
> by someone else. But also in this case I wouldn't be happy with the fact
> that everyone with a signed certificate of this (webserver-)CA has access.
>
> Maybe I've got an issue in my configuration....
>
> My configuration:
>
> GnuTLSEnable on
> GnuTLSExportCertificates on
> GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-AES-256-CBC:-AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:+ARCFOUR-128:+CAMELLIA-256-CBC:+AES-256-CBC
>
> GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert   <-Webserver-CA
> GnuTLSKeyFile /etc/apache2/ssl/webserver.key
> GnuTLSClientVerify require
> GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc   <-ClientCA
>
> Thanks for your help
>
> Marc

From marc.ende at ymail.com Thu May 8 07:11:37 2014
From: marc.ende at ymail.com (Marc Ende)
Date: Thu, 08 May 2014 07:11:37 +0200
Subject: [mod_gnutls-devel] HTTP_FORBIDDEN-ignored-bug (was:Re: Certificate-based authentication)
In-Reply-To: <2943769.V0qEYpfHCV@me-laptop>
References: <2443705.p5Cy6XS8Bp@me-laptop> <2943769.V0qEYpfHCV@me-laptop>
Message-ID: <1947042.HEdLcnvSEc@me-laptop>

Hi,

last update for that:

If your configuration is like that in the virtual host:

GnuTLSEnable on
GnuTLSExportCertificates on
GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-AES-256-CBC:-AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:+ARCFOUR-128:+CAMELLIA-256-CBC:+AES-256-CBC
GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert   <-Webserver-CA
GnuTLSKeyFile /etc/apache2/ssl/webserver.key
GnuTLSClientVerify require
GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc   <-ClientCA

you can bypass the GnuTLSClientVerify using another certificate which is NOT
signed by the CA mentioned in GnuTLSClientCAFile.

A workaround for this is to put GnuTLSClientVerify ALSO in a configuration;
then it's working properly.

This seems to be a serious issue because the documentation says nothing
about it (and the samples didn't show this).

I think it's related to this:
http://lists.gnupg.org/pipermail/mod_gnutls-devel/2014-March/000061.html

yours
marc

On Wednesday, 7 May 2014, 12:32:21, Marc Ende wrote:
> Hi,
>
> after a few further investigations I've found this:
>
> [Wed May 07 11:34:01 2014] [debug] gnutls_hooks.c(1144): [client xxx.xxx.xxx.xxx] GnuTLS: A Chain of 1 certificate(s) was provided for validation
> [Wed May 07 11:34:01 2014] [debug] gnutls_hooks.c(1198): [client xxx.xxx.xxx.xxx] GnuTLS: Verifying list of 1 certificate(s) via method 'cartel'
> [Wed May 07 11:34:01 2014] [info] [client xxx.xxx.xxx.xxx] GnuTLS: Could not find Signer for Peer Certificate
> [Wed May 07 11:34:01 2014] [info] [client xxx.xxx.xxx.xxx] GnuTLS: Peer Certificate is invalid.
> [Wed May 07 11:34:01 2014] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/www/favicon.ico
>
> The request with the certificate (the one which is not signed by the correct
> CA) is received. After that it's correctly processed, which means: it's
> found as incorrect. After another reload it's passed to the webspace.
> (That's what shouldn't happen.)
>
> Personally I think that there is something strange with the authentication
> hook:
>
> ap_hook_access_checker(mgs_hook_authz, NULL, NULL, APR_HOOK_REALLY_FIRST);
>
> mgs_hook_authz returns the HTTP_FORBIDDEN correctly (the return value is
> 403). But this result isn't used correctly (in Apache I think).
>
> As such I think this will be a bug. But I don't know on which side? For me
> it seems that's an Apache issue.
>
> Marc
>
> On Wednesday, 7 May 2014, 07:45:26, Marc Ende wrote:
> > Hi,
> >
> > within one of my servers I use certificate-based authentication.
> > Everything works great but without a simple thing:
> >
> > * If I log in with a certificate which is signed by the CA mentioned in
> > GnuTLSClientCAFile the access is granted as expected.
> >
> > * If I log in with a certificate which is NOT signed by the CA mentioned
> > in GnuTLSClientCAFile the access is also granted (not expected).
> >
> > The second one was signed by the CA which has signed the certificate of
> > the webserver itself. I haven't tested this with a certificate which was
> > signed by someone else. But also in this case I wouldn't be happy with
> > the fact that everyone with a signed certificate of this (webserver-)CA
> > has access.
> >
> > Maybe I've got an issue in my configuration....
> >
> > My configuration:
> > GnuTLSEnable on
> > GnuTLSExportCertificates on
> > GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-AES-256-CBC:-AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:+ARCFOUR-128:+CAMELLIA-256-CBC:+AES-256-CBC
> >
> > GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert   <-Webserver-CA
> > GnuTLSKeyFile /etc/apache2/ssl/webserver.key
> >
> > GnuTLSClientVerify require
> > GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc   <-ClientCA
> >
> > Thanks for your help
> >
> > Marc

From ramkumar.chinchani at gmail.com Thu May 15 22:32:43 2014
From: ramkumar.chinchani at gmail.com (Ramkumar Chinchani)
Date: Thu, 15 May 2014 13:32:43 -0700
Subject: [mod_gnutls-devel] HTTP_FORBIDDEN-ignored-bug (was:Re: Certificate-based authentication)
Message-ID:

Hi Marc,

If possible, can you try the patch in [1] and report if it works for you?

Thanks.

[1] http://lists.gnupg.org/pipermail/mod_gnutls-devel/2014-March/000054.html
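Marc's May 8 message describes the layout that was bypassable (GnuTLSClientVerify only at <VirtualHost> scope) and the workaround (repeating it in a directory-level context). As an added example, not code from this thread or from the mod_gnutls project, here is a small Python lint that flags that layout in an Apache config; it assumes a simplified one-directive-per-line file with no Include handling, and the sample config is constructed.

```python
"""Added example (not from the list or mod_gnutls): flag a <VirtualHost>
that sets GnuTLSClientVerify only at vhost scope and never repeats it in a
Directory/Location/Files section, i.e. the layout reported as bypassable
without the workaround. Minimal parser: one directive per line, no Include."""
import re

_OPEN = re.compile(r"^<(\w+)[^>]*>$")
_CLOSE = re.compile(r"^</(\w+)>$")
_DIR_CONTEXTS = {"Directory", "DirectoryMatch", "Location", "LocationMatch",
                 "Files", "FilesMatch"}


def find_unscoped_client_verify(config_text):
    """Return [(vhost_header, mode)] for each <VirtualHost> whose
    GnuTLSClientVerify (other than 'ignore') has no directory-level repeat."""
    findings, stack = [], []
    vhost = vhost_mode = None
    dir_mode_set = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if (m := _OPEN.match(line)):
            stack.append(m.group(1))
            if m.group(1) == "VirtualHost":   # new vhost: reset state
                vhost, vhost_mode, dir_mode_set = line, None, False
        elif _CLOSE.match(line):
            if stack.pop() == "VirtualHost":
                if vhost_mode not in (None, "ignore") and not dir_mode_set:
                    findings.append((vhost, vhost_mode))
        else:
            parts = line.split(None, 1)
            if parts and parts[0] == "GnuTLSClientVerify" and len(parts) == 2:
                if any(s in _DIR_CONTEXTS for s in stack):
                    dir_mode_set = True       # workaround present
                elif vhost is not None:
                    vhost_mode = parts[1].lower()
    return findings


# Constructed sample: the thread's layout (first vhost) beside the same
# vhost with the workaround applied inside a <Location> (second vhost).
SAMPLE_CONFIG = """
<VirtualHost *:443>
    GnuTLSClientVerify require
    GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc
</VirtualHost>
<VirtualHost *:8443>
    GnuTLSClientVerify require
    <Location />
        GnuTLSClientVerify require
    </Location>
</VirtualHost>
"""
```

Running `find_unscoped_client_verify(SAMPLE_CONFIG)` reports only the first vhost; a real deployment should still be confirmed by a test request with a certificate from the wrong CA, since the lint only inspects the config text.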