Hi all,

I cannot get client certificate verification to work, no matter what I try. I have two virtual hosts using GnuTLS. The first one is my Subversion server.

    <VirtualHost *:443>
        # SSL using GnuTLS
        GnuTLSEnable On
        GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
        GnuTLSKeyFile /etc/apache2/ssl/key.pem
        GnuTLSPriorities PERFORMANCE

        ServerName svn.jejik.com

        LogLevel warn
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

        <Location "/">
            # uninteresting Subversion configuration removed
        </Location>
    </VirtualHost>

The second one is a CakePHP website I'm developing:

    <VirtualHost *:443>
        DocumentRoot /home/sander/projects/odf-shots/trunk/server/www
        ServerName cakephp.jejik.com

        # SSL using GnuTLS
        GnuTLSEnable On
        GnuTLSPriorities PERFORMANCE
        GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
        GnuTLSKeyFile /etc/apache2/ssl/key.pem
        GnuTLSClientVerify require
        GnuTLSClientCAFile /etc/ssl/certs/cacert.org.pem

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On
    </VirtualHost>

Note that the domain cakephp.jejik.com isn't in any DNS record. If you want to access it for yourself, add "82.95.221.82 cakephp.jejik.com" to your /etc/hosts file.

As you see, for the second virtualhost I have set "GnuTLSClientVerify require", but my browser never pops up a certificate request and never sends one. On the server I always get "[SSL_CLIENT_VERIFY] => NONE".

The server certificate and keyfile are a self-signed server certificate with a wildcard "*.jejik.com". I have a security exception added for that in my Firefox. /etc/ssl/certs/cacert.org.pem is the standard pem for verifying CACert client certificates. I have a CACert client certificate installed in my browser.

When I access https://cakephp.jejik.com I expect Firefox to pop up a certificate request, or I expect mod_gnutls to deny the connection. Instead, I can access it just fine over https. No client verification happens at all. What's the problem?

--
Sander Marechal
Lone Wolves Foundation
http://www.jejik.com
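
An audit of the configuration posted above, as an added example that is not part of the original message or of mod_gnutls: it lists each virtual host's client-certificate policy per address and port, and flags a host that requires client certificates while the first host on the same listener does not. It assumes the first host is the one whose TLS settings apply when the handshake carries no matching server name, and that an unset GnuTLSClientVerify means "ignore"; the function names and the sample text are constructed here.

```python
from collections import defaultdict

# Constructed sample: the two virtual hosts from the post, client-auth directives only.
SAMPLE = """\
<VirtualHost *:443>
    ServerName svn.jejik.com
</VirtualHost>
<VirtualHost *:443>
    ServerName cakephp.jejik.com
    GnuTLSClientVerify require
    GnuTLSClientCAFile /etc/ssl/certs/cacert.org.pem
</VirtualHost>
"""

def parse_vhosts(text):
    """Return (listener, directives) for each <VirtualHost> block, in file order."""
    vhosts, cur, depth = [], None, 0
    for line in (raw.strip() for raw in text.splitlines()):
        if line.lower().startswith("<virtualhost"):
            cur, depth = (line[len("<VirtualHost"):].rstrip(">").strip(), {}), 0
        elif cur is None or not line or line.startswith("#"):
            continue
        elif line.lower().startswith("</virtualhost"):
            vhosts.append(cur)
            cur = None
        elif line.startswith("<"):
            depth += -1 if line.startswith("</") else 1
        elif depth == 0:  # skip directives nested in <Location> and similar
            name, *rest = line.split(None, 1)
            cur[1][name.lower()] = rest[0] if rest else ""
    return vhosts

def audit(text):
    """Flag client-auth settings that deserve a second look, per listener."""
    listeners, findings = defaultdict(list), []
    for listen, d in parse_vhosts(text):
        listeners[listen].append(d)
    for listen, hosts in listeners.items():
        # Assumption: the first vhost is the fallback when no server name matches.
        default = hosts[0].get("gnutlsclientverify", "ignore").lower()
        for d in hosts:
            name = d.get("servername", "(unnamed)")
            verify = d.get("gnutlsclientverify", "ignore").lower()
            if verify != "ignore" and "gnutlsclientcafile" not in d:
                findings.append((listen, name, "no GnuTLSClientCAFile"))
            if verify == "require" and default != "require":
                findings.append((listen, name, "default vhost does not require client certs"))
    return findings
```

A finding only marks a layout worth checking; it does not by itself establish why no certificate request is sent.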