[mod_gnutls-devel] HTTP_FORBIDDEN-ignored-bug (was:Re: Certificate-based authentication)
marc.ende at ymail.com
Wed May 7 12:32:21 CEST 2014
after a few further investigations I've found this:
[Wed May 07 11:34:01 2014] [debug] gnutls_hooks.c(1144): [client
xxx.xxx.xxx.xxx] GnuTLS: A Chain of 1 certificate(
s) was provided for validation
[Wed May 07 11:34:01 2014] [debug] gnutls_hooks.c(1198): [client
xxx.xxx.xxx.xxx] GnuTLS: Verifying list of 1 certi
ficate(s) via method 'cartel'
[Wed May 07 11:34:01 2014] [info] [client xxx.xxx.xxx.xxx] GnuTLS: Could not
find Signer for Peer Certificate
[Wed May 07 11:34:01 2014] [info] [client xxx.xxx.xxx.xxx] GnuTLS: Peer
Certificate is invalid.
[Wed May 07 11:34:01 2014] [error] [client xxx.xxx.xxx.xxx] File does not
The request with the certificate (the one who is not signed by the correct ca)
is received. After that it's correctly processed, what means: It's found as
incorrect. After another reload it's passed to the webspace. (that's what
Personally I think that there is something strange with the authentication
ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
mgs_hook_authz returns the HTTP_FORBIDDEDN corrently (the return value is
403). But this result isn't used correctly (in apache I think).
As such I think this will be a bug. But I don't know on which side? For me it
seems that's an apache issue.
Am Mittwoch, 7. Mai 2014, 07:45:26 schrieb Marc Ende:
> within one of my servers I use certificate based authentication. Everything
> works great but without a simple thing:
> * If I log in with a certificate which is signed by the ca mentioned in
> GnuTLSClientCAFile the access is granted as expected.
> * If I log in with a certificate which is NOT signed by the ca mentioned in
> GnuTLSClientCAFile the access is also granted (not expected).
> The second one was signed by the CA which has signed the certificate of the
> webserver himself. I haven't tested this with a certificate which was signed
> by someone else. But also in this case I wouldn't be happy with the fact
> that everyone with a signed certificate of this (webserver-)CA has access.
> May be I've got an issue in my configuration....
> My configuration:
> GnuTLSEnable on
> GnuTLSExportCertificates on
> GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-
> - CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:
> GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert
> <-Webserver-CA GnuTLSKeyFile /etc/apache2/ssl/webserver.key
> GnuTLSClientVerify require
> GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc <-ClientCA
> Thanks for your help
> mod_gnutls-devel mailing list
> mod_gnutls-devel at lists.gnutls.org
More information about the mod_gnutls-devel