[mod_gnutls-devel] HTTP_FORBIDDEN-ignored-bug (was:Re: Certificate-based authentication)

Marc Ende marc.ende at ymail.com
Wed May 7 12:32:21 CEST 2014


Hi,

after a few further investigations I've found this:

[Wed May 07 11:34:01 2014] [debug] gnutls_hooks.c(1144): [client xxx.xxx.xxx.xxx] GnuTLS: A Chain of 1 certificate(s) was provided for validation
[Wed May 07 11:34:01 2014] [debug] gnutls_hooks.c(1198): [client xxx.xxx.xxx.xxx] GnuTLS: Verifying list of 1 certificate(s) via method 'cartel'
[Wed May 07 11:34:01 2014] [info] [client xxx.xxx.xxx.xxx] GnuTLS: Could not find Signer for Peer Certificate
[Wed May 07 11:34:01 2014] [info] [client xxx.xxx.xxx.xxx] GnuTLS: Peer Certificate is invalid.
[Wed May 07 11:34:01 2014] [error] [client xxx.xxx.xxx.xxx] File does not exist: /var/www/favicon.ico

The request with the certificate (the one which is not signed by the correct CA) 
is received. After that it's correctly processed, which means: it's found to be 
incorrect. After another reload it's passed to the webspace. (That's what 
shouldn't happen.)

Personally I think that there is something strange with the authentication 
hook:

ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
            APR_HOOK_REALLY_FIRST);

mgs_hook_authz returns HTTP_FORBIDDEN correctly (the return value is 
403). But this result isn't used correctly (in Apache, I think).

As such I think this is a bug. But I don't know on which side. To me it 
seems to be an Apache issue.

Marc
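As an added example (not part of Marc's mail and not mod_gnutls code): a small Python checker that scans an Apache 2.2-style error_log for exactly the pattern shown above, a "Peer Certificate is invalid." line for a client followed shortly by a message that the core handler only emits once the request has passed access control. The sample log lines are constructed from the ones in this mail, with documentation-range addresses in place of xxx.xxx.xxx.xxx; the 5-second correlation window and the choice of "File does not exist:" as the served-request marker are assumptions.

```python
import re
from datetime import datetime

# Apache 2.2-style error_log line, e.g.
#   [Wed May 07 11:34:01 2014] [info] [client 192.0.2.10] GnuTLS: Peer Certificate is invalid.
# The "file.c(line): " source tag is only present on debug lines.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] "
    r"(?:(?P<src>\S+\(\d+\)): )?"
    r"\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Message mod_gnutls logs when chain verification against GnuTLSClientCAFile fails.
INVALID_CERT_MSG = "GnuTLS: Peer Certificate is invalid."
# Assumption: messages the core handler only logs after the request has passed access
# control, i.e. evidence that the 403 from mgs_hook_authz was not honoured.
SERVED_MARKERS = ("File does not exist:",)


def parse_line(line):
    """Split one error_log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
    return rec


def find_served_after_invalid_cert(lines, window_seconds=5):
    """Return (client, rejected_at, served_at, message) for every request that reached the
    content handler within window_seconds of mod_gnutls rejecting that client's certificate."""
    last_rejection = {}   # client address -> time of its most recent certificate rejection
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        client, msg, ts = rec["client"], rec["msg"], rec["ts"]
        if msg == INVALID_CERT_MSG:
            last_rejection[client] = ts
            continue
        rejected_at = last_rejection.get(client)
        if rejected_at is not None and msg.startswith(SERVED_MARKERS):
            if 0 <= (ts - rejected_at).total_seconds() <= window_seconds:
                findings.append((client, rejected_at, ts, msg))
    return findings


# Constructed sample log, modelled on the lines quoted in the mail (addresses are made up).
SAMPLE_LOG = [
    # 192.0.2.10: certificate rejected, yet the same request reaches the filesystem (the reported bug).
    "[Wed May 07 11:34:01 2014] [debug] gnutls_hooks.c(1144): [client 192.0.2.10] GnuTLS: A Chain of 1 certificate(s) was provided for validation",
    "[Wed May 07 11:34:01 2014] [debug] gnutls_hooks.c(1198): [client 192.0.2.10] GnuTLS: Verifying list of 1 certificate(s) via method 'cartel'",
    "[Wed May 07 11:34:01 2014] [info] [client 192.0.2.10] GnuTLS: Could not find Signer for Peer Certificate",
    "[Wed May 07 11:34:01 2014] [info] [client 192.0.2.10] GnuTLS: Peer Certificate is invalid.",
    "[Wed May 07 11:34:01 2014] [error] [client 192.0.2.10] File does not exist: /var/www/favicon.ico",
    # 192.0.2.20: certificate rejected and nothing served afterwards (expected behaviour).
    "[Wed May 07 11:35:10 2014] [info] [client 192.0.2.20] GnuTLS: Could not find Signer for Peer Certificate",
    "[Wed May 07 11:35:10 2014] [info] [client 192.0.2.20] GnuTLS: Peer Certificate is invalid.",
    # 192.0.2.30: a plain 404 with no certificate problem (must not be flagged).
    "[Wed May 07 11:36:42 2014] [error] [client 192.0.2.30] File does not exist: /var/www/robots.txt",
    # 192.0.2.20 again, minutes after the rejection: outside the default correlation window.
    "[Wed May 07 11:40:00 2014] [error] [client 192.0.2.20] File does not exist: /var/www/favicon.ico",
]

if __name__ == "__main__":
    for client, rejected_at, served_at, msg in find_served_after_invalid_cert(SAMPLE_LOG):
        print(f"{client}: certificate rejected at {rejected_at:%H:%M:%S}, "
              f"yet request served at {served_at:%H:%M:%S} ({msg})")
```

Run it against a real error_log with LogLevel debug (e.g. `find_served_after_invalid_cert(open("/var/log/apache2/error.log"))`) to confirm whether rejected clients are reaching the handler; the window only needs to be wide enough to cover the reload Marc describes, and a 404 is used as the marker simply because it is the only post-authz message visible in the mail.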



On Wednesday, 7 May 2014, 07:45:26, Marc Ende wrote:
> Hi,
> 
> within one of my servers I use certificate-based authentication. Everything
> works great except for one simple thing:
> 
> * If I log in with a certificate which is signed by the CA mentioned in
> GnuTLSClientCAFile, access is granted as expected.
> 
> * If I log in with a certificate which is NOT signed by the CA mentioned in
> GnuTLSClientCAFile, access is also granted (not expected).
> 
> The second one was signed by the CA which signed the certificate of the
> webserver itself. I haven't tested this with a certificate which was signed
> by someone else. But also in this case I wouldn't be happy with the fact
> that everyone with a certificate signed by this (webserver) CA has access.
> 
> May be I've got an issue in my configuration....
> 
> My configuration:
> 
>         GnuTLSEnable on
>         GnuTLSExportCertificates on
>         GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-AES-256-CBC:-AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:+ARCFOUR-128:+CAMELLIA-256-CBC:+AES-256-CBC
> 
>         GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert    <- Webserver-CA
>         GnuTLSKeyFile /etc/apache2/ssl/webserver.key
>         GnuTLSClientVerify require
>         GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc          <- ClientCA
> 
> Thanks for your help
> 
> Marc
> 
> _______________________________________________
> mod_gnutls-devel mailing list
> mod_gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/mod_gnutls-devel