[mod_gnutls-devel] Certificate-based authentication

Marc Ende marc.ende at ymail.com
Wed May 7 07:48:40 CEST 2014


Hi,

I've missed the relevant information:

apache: 2.2.22
gnutls: 2.10.5
mod_gnutls: 0.5.10

All standard installs by ubuntu 12.04.4 LTS

Marc

> Hi,
> 
> On one of my servers I use certificate-based authentication. Everything
> works great except for one simple thing:
> 
> * If I log in with a certificate which is signed by the ca mentioned in
> GnuTLSClientCAFile the access is granted as expected.
> 
> * If I log in with a certificate which is NOT signed by the ca mentioned in
> GnuTLSClientCAFile the access is also granted (not expected).
> 
> The second one was signed by the CA which has signed the certificate of the
> webserver itself. I haven't tested this with a certificate which was signed
> by someone else. But also in this case I wouldn't be happy with the fact
> that everyone with a certificate signed by this (webserver-)CA has access.
> 
> Maybe I've got an issue in my configuration....
> 
> My configuration:
> 
>         GnuTLSEnable on
>         GnuTLSExportCertificates on
>         GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-AES-256-CBC:-AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:+ARCFOUR-128:+CAMELLIA-256-CBC:+AES-256-CBC
> 
>         GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert    <-Webserver-CA
>         GnuTLSKeyFile /etc/apache2/ssl/webserver.key
>         GnuTLSClientVerify require
>         GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc    <-ClientCA
> 
> Thanks for your help
> 
> Marc