[mod_gnutls-devel] Certificate-based authentication

Marc Ende marc.ende at ymail.com
Wed May 7 08:20:40 CEST 2014


Hi,

the same with actual versions:

apache: 2.2.22
gnutls: 3.2.14
mod_gnutls: 0.6

so I think it might be a configuration issue or (that's also possible) a
misunderstanding of the handling of authentication.

Marc

On Wednesday, 7 May 2014, 07:48:40, Marc Ende wrote:
> Hi,
> 
> I've missed the relevant information:
> 
> apache: 2.2.22
> gnutls: 2.10.5
> mod_gnutls: 0.5.10
> 
> All standard installs by ubuntu 12.04.4 LTS
> 
> Marc
> 
> > Hi,
> > 
> > within one of my servers I use certificate-based authentication.
> > Everything works great except for one simple thing:
> > 
> > * If I log in with a certificate which is signed by the CA mentioned in
> >   GnuTLSClientCAFile, the access is granted as expected.
> > 
> > * If I log in with a certificate which is NOT signed by the CA mentioned in
> >   GnuTLSClientCAFile, the access is also granted (not expected).
> > 
> > The second one was signed by the CA which has signed the certificate of
> > the webserver itself. I haven't tested this with a certificate which was
> > signed by someone else. But also in this case I wouldn't be happy with
> > the fact that everyone with a certificate signed by this (webserver) CA
> > has access.
> > 
> > Maybe I've got an issue in my configuration...
> > 
> > My configuration:
> >         GnuTLSEnable on
> >         GnuTLSExportCertificates on
> >         GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-AES-256-CBC:-AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:+ARCFOUR-128:+CAMELLIA-256-CBC:+AES-256-CBC
> >         GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert    <-Webserver-CA
> >         GnuTLSKeyFile /etc/apache2/ssl/webserver.key
> >         GnuTLSClientVerify require
> >         GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc    <-ClientCA
> > 
> > Thanks for your help
> > 
> > Marc
> 
> _______________________________________________
> mod_gnutls-devel mailing list
> mod_gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/mod_gnutls-devel
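The behaviour the configuration above is meant to enforce, as an added, stand-alone example that is not part of the thread and not mod_gnutls code: with GnuTLSClientVerify set to "require", a client certificate should be accepted only if it chains to a CA in GnuTLSClientCAFile, and a certificate issued by any other CA (including the one that signed the web server's own certificate) should be rejected. The script builds a throw-away PKI with two separate CAs, issues one client certificate from each, and verifies both against the client CA alone, which is the check the server is expected to perform. It uses the openssl command line because it is almost universally installed; the CA names, subjects and file names are constructed for the demo and the temporary directory is removed on exit.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce, with a
# throw-away PKI, the check a server with "GnuTLSClientVerify require"
# is expected to make. A client certificate must chain to a CA listed in
# GnuTLSClientCAFile; a certificate issued by any other CA (here the CA
# that signed the web server's own certificate) must be rejected.
# All CA names, subjects and file names below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA: $1 = file stem, $2 = subject CN
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Issue an end-entity certificate: $1 = file stem, $2 = subject CN,
# $3 = stem of the issuing CA
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -sha256 -days 1 \
        -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
        -out "$WORK/$1.crt" 2>/dev/null
}

# The verification the server should perform: trust ONLY the client CA,
# never the CA that issued the server certificate. Exit status 0 means the
# certificate chains to the client CA, non-zero means it does not.
verify_against_client_ca() {
    openssl verify -CAfile "$WORK/client-ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca client-ca    "Demo Client CA"     # plays the role of site.ca.asc
make_ca webserver-ca "Demo Webserver CA"  # the CA that signed webserver.cert

issue_cert good-client  alice   client-ca     # signed by the client CA
issue_cert rogue-client mallory webserver-ca  # signed by the webserver CA

if verify_against_client_ca good-client; then
    echo "good-client: chains to the client CA, access should be granted"
fi
if ! verify_against_client_ca rogue-client; then
    echo "rogue-client: does NOT chain to the client CA, access should be denied"
fi
```

Running the same openssl verify against the certificate a real client presented (mod_gnutls exports it into the environment when GnuTLSExportCertificates is on) is a quick way to tell whether the CA file is the one the server actually consults, or whether the client CA file happens to contain, or be the same as, the web server's CA.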
