[mod_gnutls-devel] HTTP_FORBIDDEN-ignored-bug (was:Re: Certificate-based authentication)

Marc Ende marc.ende at ymail.com
Thu May 8 07:11:37 CEST 2014


Hi,

last update for that:

If your configuration is like that in the virtual host:
        GnuTLSEnable on
        GnuTLSExportCertificates on
        GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-AES-256-CBC:-AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:+ARCFOUR-128:+CAMELLIA-256-CBC:+AES-256-CBC

        GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert   <-Webserver-CA
        GnuTLSKeyFile /etc/apache2/ssl/webserver.key
        GnuTLSClientVerify require
        GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc    <-ClientCA

you can bypass the GnuTLSClientVerify using another certificate which is NOT signed by 
the mentioned CA in GnuTLSClientCAFile. 

A workaround for this is to put GnuTLSClientVerify ALSO in a <Location /> configuration; 
then it works properly.

This seems to be a serious issue because the documentation says nothing about it (and the 
samples didn't show this).

I think it's related to this: http://lists.gnupg.org/pipermail/mod_gnutls-devel/2014-March/000061.html

yours
marc



Am Mittwoch, 7. Mai 2014, 12:32:21 schrieb Marc Ende:
> Hi,
> 
> after a few further investigations I've found this:
> 
> [Wed May 07 11:34:01 2014] [debug] gnutls_hooks.c(1144): [client
> xxx.xxx.xxx.xxx] GnuTLS: A Chain of 1 certificate(s) was provided for validation
> [Wed May 07 11:34:01 2014] [debug] gnutls_hooks.c(1198): [client
> xxx.xxx.xxx.xxx] GnuTLS: Verifying list of 1 certificate(s) via method 'cartel'
> [Wed May 07 11:34:01 2014] [info] [client xxx.xxx.xxx.xxx] GnuTLS: Could not
> find Signer for Peer Certificate
> [Wed May 07 11:34:01 2014] [info] [client xxx.xxx.xxx.xxx] GnuTLS: Peer
> Certificate is invalid.
> [Wed May 07 11:34:01 2014] [error] [client xxx.xxx.xxx.xxx] File does not
> exist: /var/www/favicon.ico
> 
> The request with the certificate (the one which is not signed by the correct
> CA) is received. After that it's correctly processed, which means: it's
> found to be incorrect. After another reload it's passed to the webspace.
> (That's what shouldn't happen.)
> 
> Personally I think that there is something strange with the authentication
> hook:
> 
> ap_hook_access_checker(mgs_hook_authz, NULL, NULL,
>             APR_HOOK_REALLY_FIRST);
> 
> mgs_hook_authz returns the HTTP_FORBIDDEN correctly (the return value is
> 403). But this result isn't used correctly (in Apache, I think).
> 
> As such I think this will be a bug. But I don't know on which side. To me
> it seems that it's an Apache issue.
> 
> Marc
> 
> Am Mittwoch, 7. Mai 2014, 07:45:26 schrieb Marc Ende:
> > Hi,
> > 
> > within one of my servers I use certificate-based authentication.
> > Everything works great, except for one simple thing:
> > 
> > * If I log in with a certificate which is signed by the ca mentioned in
> > GnuTLSClientCAFile the access is granted as expected.
> > 
> > * If I log in with a certificate which is NOT signed by the ca mentioned
> > in GnuTLSClientCAFile the access is also granted (not expected).
> > 
> > The second one was signed by the CA which has signed the certificate of
> > the webserver itself. I haven't tested this with a certificate which was
> > signed by someone else. But also in this case I wouldn't be happy with
> > the fact that everyone with a certificate signed by this (webserver-)CA
> > has access.
> > 
> > Maybe I've got an issue in my configuration....
> > 
> > My configuration:
> >         GnuTLSEnable on
> >         GnuTLSExportCertificates on
> >         GnuTLSPriorities SECURE256:-CIPHER-ALL:+COMP-DEFLATE:-MAC-ALL:-MD5:-ANON-DH:-3DES-CBC:-CAMELLIA-256-CBC:-CAMELLIA-128-CBC:-AES-256-CBC:-AES-128-CBC:+VERS-TLS1.2:+VERS-TLS1.1:+SHA512:+SHA384:+SHA256:+SHA1:+VERS-TLS1.0:+ARCFOUR-128:+CAMELLIA-256-CBC:+AES-256-CBC
> > 
> >         GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert   <-Webserver-CA
> >         GnuTLSKeyFile /etc/apache2/ssl/webserver.key
> > 
> >         GnuTLSClientVerify require
> >         GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc    <-ClientCA
> > 
> > Thanks for your help
> > 
> > Marc
> > 
> > _______________________________________________
> > mod_gnutls-devel mailing list
> > mod_gnutls-devel at lists.gnutls.org
> > http://lists.gnupg.org/mailman/listinfo/mod_gnutls-devel
> 
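As an added example (written here, not code from the mail or from mod_gnutls), a small static check for the configuration pattern Marc describes: it parses a vhost, records where GnuTLSClientVerify is set, and reports a server-level "require" that is not repeated inside <Location />. The <VirtualHost *:443> wrapper, the shortened priorities string and both sample configs are constructed; the directive names and file paths are the ones from the mail. The check only inspects text, so it cannot tell what a running server enforces; it complements the behavioural test the mail describes (presenting a certificate from the wrong CA and expecting a 403), it does not replace it.

```python
import re
from typing import Dict, List, Tuple

Scope = Tuple[str, ...]

# Constructed sample (not from any real server): the vhost layout from the mail,
# with the GnuTLSPriorities line shortened and the <VirtualHost> wrapper assumed.
WEAK_VHOST = """
<VirtualHost *:443>
    GnuTLSEnable on
    GnuTLSExportCertificates on
    GnuTLSPriorities SECURE256:+VERS-TLS1.2
    GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert
    GnuTLSKeyFile /etc/apache2/ssl/webserver.key
    GnuTLSClientVerify require
    GnuTLSClientCAFile /etc/apache2/ssl/site.ca.asc
</VirtualHost>
"""

# Constructed sample: the same vhost with the workaround from the mail applied,
# i.e. GnuTLSClientVerify repeated inside <Location />.
FIXED_VHOST = WEAK_VHOST.replace(
    "</VirtualHost>",
    "    <Location />\n        GnuTLSClientVerify require\n    </Location>\n</VirtualHost>",
)

_OPEN = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")
_CLOSE = re.compile(r"^</(\w+)>$")


def parse_blocks(config: str) -> Dict[Scope, List[str]]:
    """Flatten an Apache-style config into {scope: [directive lines]}, where
    scope is the tuple of enclosing section headers, e.g.
    ('VirtualHost *:443', 'Location /'). Comments and blank lines are skipped."""
    scopes: List[str] = []
    out: Dict[Scope, List[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        close = _CLOSE.match(line)
        if close:
            if not scopes or scopes[-1].split(" ", 1)[0] != close.group(1):
                raise ValueError(f"unbalanced section close: {line}")
            scopes.pop()
            continue
        open_ = _OPEN.match(line)
        if open_:
            scopes.append(f"{open_.group(1)} {open_.group(2) or ''}".strip())
            continue
        out.setdefault(tuple(scopes), []).append(line)
    if scopes:
        raise ValueError(f"unclosed section(s): {scopes}")
    return out


def client_verify_modes(config: str) -> Dict[Scope, str]:
    """Map each scope that sets GnuTLSClientVerify to its mode (lower-cased)."""
    modes: Dict[Scope, str] = {}
    for scope, lines in parse_blocks(config).items():
        for line in lines:
            parts = line.split()
            if len(parts) >= 2 and parts[0].lower() == "gnutlsclientverify":
                modes[scope] = parts[1].lower()
    return modes


def check_client_verify(config: str) -> List[str]:
    """Flag every vhost that requires client certificates only at server level
    and does not repeat the directive in a <Location /> block (the workaround
    from the mail)."""
    modes = client_verify_modes(config)
    findings: List[str] = []
    for scope, mode in modes.items():
        if len(scope) != 1 or not scope[0].startswith("VirtualHost"):
            continue  # only server-level directives start a finding
        if mode != "require":
            continue
        covered = modes.get(scope + ("Location /",)) == "require"
        if not covered:
            findings.append(
                f"<{scope[0]}>: GnuTLSClientVerify require set only at server level; "
                "repeat it inside <Location /> (workaround from the mail)"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_VHOST), ("fixed", FIXED_VHOST)):
        print(name, check_client_verify(cfg) or ["ok"])
```

Running the script prints one finding for the weak vhost and "ok" for the fixed one. The parser is deliberately minimal (one directive or section tag per line, no Include handling), which is enough to audit a vhost file by hand before reloading.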