Re: [Modules] Cannot get client certificate verification to work
Sander Marechal wrote:
> Nikos Mavrogiannopoulos wrote:
>> Sander Marechal wrote:
>>> When I connect to the root I do not get asked for a client certificate, as expected. But when I go to /xmlrpc or to /users/certificate then I do not get asked for a client certificate. Instead it simply shows the page as if verification succeeded.
>>
>> What is the session ID of the latter connections? Is it because they are being resumed?
>
> How do I check (I'm using Firefox 3)? And if that is the case, how do I start a new session when someone hits one of the Location paths that require client certificates?

You can check the environment variables for the certificate information and print them (server side).

regards,
Nikos
___
Modules mailing list
Modules@lists.outoforder.cc
http://lists.outoforder.cc/mailman/listinfo/modules
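An added example (not part of the message above and not mod_gnutls code) of the server-side check Nikos suggests: a small WSGI handler that prints the TLS environment variables and refuses the protected paths unless verification succeeded. Only `SSL_CLIENT_VERIFY` and its `NONE` value appear in the thread; the other variable names, the `SUCCESS` value and the use of WSGI are assumptions.

```python
# Added example. Assumptions: SSL_SESSION_ID, SSL_CLIENT_S_DN, SSL_PROTOCOL and the
# value "SUCCESS" are not named in the thread; only SSL_CLIENT_VERIFY = NONE is.
PROTECTED_PREFIXES = ("/xmlrpc", "/users/certificate")  # paths named in the thread
TLS_VARS = ("SSL_CLIENT_VERIFY", "SSL_SESSION_ID", "SSL_CLIENT_S_DN", "SSL_PROTOCOL")


def tls_report(environ):
    """Return the TLS variables the server exported, '<unset>' where missing."""
    return {name: environ.get(name, "<unset>") for name in TLS_VARS}


def needs_client_cert(path):
    """True when the path is a protected prefix or lies below one."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def check_request(environ):
    """Fail closed: protected paths need SSL_CLIENT_VERIFY == SUCCESS."""
    report = tls_report(environ)
    path = environ.get("PATH_INFO", "/")
    if needs_client_cert(path) and report["SSL_CLIENT_VERIFY"] != "SUCCESS":
        return "403 Forbidden", report
    return "200 OK", report


def application(environ, start_response):
    """WSGI entry point: show what the TLS layer reported for this request."""
    status, report = check_request(environ)
    body = "".join(f"{k} = {v}\n" for k, v in report.items()).encode()
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    # Constructed sample: a request to a protected path with no client certificate.
    sample = {"PATH_INFO": "/xmlrpc", "SSL_CLIENT_VERIFY": "NONE",
              "SSL_SESSION_ID": "constructed-session-id"}
    print(check_request(sample))
```

Comparing the session ID printed for `/` with the one printed for a protected path shows whether the later request reused the earlier session.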
Re: [Modules] Cannot get client certificate verification to work
Sander Marechal wrote:
> When I connect to the root I do not get asked for a client certificate, as expected. But when I go to /xmlrpc or to /users/certificate then I do not get asked for a client certificate. Instead it simply shows the page as if verification succeeded.

What is the session ID of the latter connections? Is it because they are being resumed?

regards,
Nikos
Re: [Modules] Cannot get client certificate verification to work
Nikos Mavrogiannopoulos wrote:
> Sander Marechal wrote:
>> When I connect to the root I do not get asked for a client certificate, as expected. But when I go to /xmlrpc or to /users/certificate then I do not get asked for a client certificate. Instead it simply shows the page as if verification succeeded.
>
> What is the session ID of the latter connections? Is it because they are being resumed?

How do I check (I'm using Firefox 3)? And if that is the case, how do I start a new session when someone hits one of the Location paths that require client certificates?

Thanks in advance,

--
Sander Marechal
Re: [Modules] Cannot get client certificate verification to work
Sander Marechal wrote:
> I have done some more digging and it's weirdness. It looks like mod_gnutls does not take the VirtualHost directive into account. Below is again the configuration of my two virtual hosts. The Subversion server only has a server certificate. The CakePHP virtual host has a server certificate (in fact, the same one as the subversion server) and requires client-side certification.
>
> If the Subversion server is loaded first then neither virtual host will ask for a client certificate. If the CakePHP host is loaded first then *both* virtual hosts will ask for client-side certificates.
>
> So, it looks like GnuTLSClientVerify does not take the virtual host into account in the below configuration. Bug? Or is something wrong with my configuration?

Does http://test[123].gnutls.org work for your browser? In those only test2 asks for certificate.

regards,
Nikos
Re: [Modules] Cannot get client certificate verification to work
Nikos Mavrogiannopoulos wrote:
> Does http://test[123].gnutls.org work for your browser? In those only test2 asks for certificate.

If you mean https:// instead of http:// in those URLs, then yes it works for me. Only https://test2.gnutls.org asks for a certificate.

--
Sander Marechal
[Modules] Cannot get client certificate verification to work
Hi all,

I cannot get client certificate verification to work, no matter what I try. I have two virtual hosts using GnuTLS. The first one is my Subversion server.

    <VirtualHost *:443>
        # SSL using GnuTLS
        GnuTLSEnable On
        GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
        GnuTLSKeyFile /etc/apache2/ssl/key.pem
        GnuTLSPriorities PERFORMANCE

        ServerName svn.jejik.com
        LogLevel warn
        ErrorLog /var/log/apache2/error.log
        CustomLog /var/log/apache2/access.log combined
        ServerSignature On

        <Location />
            # uninteresting Subversion configuration removed
        </Location>
    </VirtualHost>

The second one is a CakePHP website I'm developing:

    <VirtualHost *:443>
        DocumentRoot /home/sander/projects/odf-shots/trunk/server/www
        ServerName cakephp.jejik.com

        # SSL using GnuTLS
        GnuTLSEnable On
        GnuTLSPriorities PERFORMANCE
        GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
        GnuTLSKeyFile /etc/apache2/ssl/key.pem
        GnuTLSClientVerify require
        GnuTLSClientCAFile /etc/ssl/certs/cacert.org.pem

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined
        ServerSignature On
    </VirtualHost>

Note that the domain cakephp.jejik.com isn't in any DNS record. If you want to access it for yourself, add

    82.95.221.82 cakephp.jejik.com

to your /etc/hosts file.

As you see, for the second virtualhost I have set GnuTLSClientVerify require, but my browser never pops up a certificate request and never sends one. On the server I always get [SSL_CLIENT_VERIFY] = NONE.

The server certificate and keyfile is a self-signed server certificate with a wildcard *.jejik.com. I have a security exception added for that in my Firefox. /etc/ssl/certs/cacert.org.pem is the standard pem for verifying CACert client certificates. I have a CACert client certificate installed in my browser.

When I access https://cakephp.jejik.com I expect Firefox to pop up a certificate request, or I expect mod_gnutls to deny the connection. Instead, I can access it just fine over https. No client verification happens at all. What's the problem?

--
Sander Marechal
Lone Wolves Foundation
http://www.jejik.com