Re: [Modules] Cannot get client certificate verification to work
Sander Marechal wrote:
> Nikos Mavrogiannopoulos wrote:
>> Sander Marechal wrote:
>>
>>> When I connect to the root I do not get asked for a client certificate,
>>> as expected. But when I go to /xmlrpc or to /users/certificate then I do
>>> not get asked for a client certificate. Instead it simply shows the page
>>> as if verification succeeded.
>>
>> What is the session ID of the latter connections? Is it because they are
>> being resumed?
>
> How do I check (I'm using Firefox 3)? And if that is the case, how do I
> start a new session when someone hits one of the paths that
> require client certificates?

You can check the environment variables for the certificate information
and print them (server side).

regards,
Nikos

___
Modules mailing list
Modules@lists.outoforder.cc
http://lists.outoforder.cc/mailman/listinfo/modules
Re: [Modules] Cannot get client certificate verification to work
Nikos Mavrogiannopoulos wrote:
> Sander Marechal wrote:
>
>> When I connect to the root I do not get asked for a client certificate,
>> as expected. But when I go to /xmlrpc or to /users/certificate then I do
>> not get asked for a client certificate. Instead it simply shows the page
>> as if verification succeeded.
>
> What is the session ID of the latter connections? Is it because they are
> being resumed?

How do I check (I'm using Firefox 3)? And if that is the case, how do I
start a new session when someone hits one of the paths that require
client certificates?

Thanks in advance,

--
Sander Marechal
Re: [Modules] Cannot get client certificate verification to work
Sander Marechal wrote:
> When I connect to the root I do not get asked for a client certificate,
> as expected. But when I go to /xmlrpc or to /users/certificate then I do
> not get asked for a client certificate. Instead it simply shows the page
> as if verification succeeded.

What is the session ID of the latter connections? Is it because they are
being resumed?

regards,
Nikos
Re: [Modules] Cannot get client certificate verification to work
Sander Marechal wrote:
> So, it looks like GnuTLSClientVerify does not take the virtual host into
> account in the below configuration.

I have solved this problem thanks to Nikos, but now I am facing another
issue. I would like only some parts of my website to require a
certificate and other parts not. I have tried to do this with directives
but it does not seem to work.

When I connect to the root I do not get asked for a client certificate,
as expected. But when I go to /xmlrpc or to /users/certificate then I do
not get asked for a client certificate. Instead it simply shows the page
as if verification succeeded.

What am I doing wrong? My config is below:

    DocumentRoot /home/sander/projects/odf-shots/trunk/server/www
    ServerName cakephp.jejik.com:443

    # SSL using GnuTLS
    GnuTLSEnable On
    GnuTLSPriorities PERFORMANCE:%COMPAT
    GnuTLSCertificateFile /etc/apache2/ssl/odf-shots.jejik.com.cert
    GnuTLSKeyFile /root/certs/odf-shots.jejik.com.key
    GnuTLSClientVerify ignore
    GnuTLSClientCAFile /etc/ssl/certs/cacert.org.pem

    ErrorLog /var/log/apache2/error.log
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    GnuTLSClientVerify require

    GnuTLSClientVerify require

Thanks in advance,

--
Sander Marechal
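Nikos's advice in this thread is to print the certificate-related environment variables on the server side, and Sander's question is why pages under /xmlrpc and /users/certificate are served as if verification had succeeded. The script below is an added example, not code from the thread, from mod_gnutls or from the CakePHP site: it collects the SSL_* variables a CGI/WSGI application receives so they can be logged, and it re-checks SSL_CLIENT_VERIFY in the application for the two protected paths, so a request is refused whenever the TLS layer did not actually verify a certificate (which is what a resumed session whose original handshake never requested one looks like). SSL_CLIENT_VERIFY and the value NONE appear in the thread; the values SUCCESS and FAILED, and the variables SSL_CLIENT_S_DN and SSL_SESSION_ID, are assumed to follow the mod_ssl naming that mod_gnutls mimics. The sample environments are constructed.

```python
"""Application-side check of client-certificate results exported by the web server.

Added example (not the thread's or mod_gnutls's code). Assumes mod_ssl-style
variable names: SSL_CLIENT_VERIFY (in the thread), SSL_CLIENT_S_DN and
SSL_SESSION_ID (assumed).
"""
import os

# Path prefixes that may only be served to a verified client certificate;
# these are the two paths named in the thread.
CERT_REQUIRED_PREFIXES = ("/xmlrpc", "/users/certificate")


def requires_client_cert(path: str) -> bool:
    """True when the request path is one of the protected prefixes or below it."""
    path = path.split("?", 1)[0]
    return any(path == p or path.startswith(p + "/") for p in CERT_REQUIRED_PREFIXES)


def ssl_vars(environ) -> dict:
    """Collect every SSL_* variable from a CGI/WSGI environment so it can be
    printed or logged while debugging, as suggested in the thread."""
    return {k: v for k, v in sorted(environ.items()) if k.startswith("SSL_")}


def authorize(environ, path: str):
    """Decide whether a request may be served; returns (allowed, reason).

    The per-location server directive is not trusted on its own: the
    application re-checks SSL_CLIENT_VERIFY, which the server sets to SUCCESS
    only after the client certificate chained to the configured CA file.
    """
    if not requires_client_cert(path):
        return True, "path does not require a client certificate"
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        # NONE: no certificate was sent (for example a resumed session whose
        # original handshake never asked for one); FAILED: sent but rejected.
        return False, "client certificate required, SSL_CLIENT_VERIFY=" + verify
    subject = environ.get("SSL_CLIENT_S_DN", "")
    if not subject:
        return False, "certificate reported verified but no subject DN exported"
    return True, "client certificate verified for " + subject


# Constructed sample environments standing in for what the server would pass.
SAMPLE_NO_CERT = {"SSL_CLIENT_VERIFY": "NONE", "SSL_SESSION_ID": "0a0b0c01"}
SAMPLE_VERIFIED = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=Example Client,O=Constructed",  # placeholder DN
    "SSL_SESSION_ID": "0a0b0c02",
}
SAMPLE_FAILED = {"SSL_CLIENT_VERIFY": "FAILED", "SSL_SESSION_ID": "0a0b0c03"}


if __name__ == "__main__":
    # Under CGI the real environment is used; elsewhere fall back to a sample.
    env = os.environ if "SSL_CLIENT_VERIFY" in os.environ else SAMPLE_NO_CERT
    for name, value in ssl_vars(env).items():
        print(name + "=" + value)
    for p in ("/", "/xmlrpc", "/users/certificate/new"):
        print(p, authorize(env, p))
```

Dropped into a CGI directory, the script prints the variables for the current connection, which answers the "how do I check" question without relying on the browser; the session ID changing between the root and the protected path tells you whether the second request was a fresh handshake or a resumed one.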
Re: [Modules] Cannot get client certificate verification to work
Nikos Mavrogiannopoulos wrote:
> Does http://test[123].gnutls.org work for your browser? In those only
> test2 asks for certificate.

If you mean https:// instead of http:// in those URLs, then yes it works
for me. Only https://test2.gnutls.org asks for a certificate.

--
Sander Marechal
Re: [Modules] Cannot get client certificate verification to work
Sander Marechal wrote:
> I have done some more digging and it's weirdness. It looks like
> mod_gnutls does not take the VirtualHost directive into account.
>
> Below is again the configuration of my two virtual hosts. The Subversion
> server only has a server certificate. The CakePHP virtual host has a
> server certificate (in fact, the same one as the subversion server) and
> requires client-side certification.
>
> If the Subversion server is loaded first then neither virtual host will
> ask for a client certificate. If the CakePHP host is loaded first then
> *both* virtual hosts will ask for client-side certificates.
>
> So, it looks like GnuTLSClientVerify does not take the virtual host into
> account in the below configuration.
>
> Bug? Or is something wrong with my configuration?

Does http://test[123].gnutls.org work for your browser? In those only
test2 asks for certificate.

regards,
Nikos
Re: [Modules] Cannot get client certificate verification to work
Ray Steers wrote:
> what browser are you using? OS? it matters trust me.

Everything is Debian Lenny, see also the other thread I just started. So,
that would be Apache 2.2.9 along with libgnutls26 2.4.2 and mod_gnutls
0.5.1 on the server.

On the client it's also all Debian Lenny, so that would be Iceweasel
(Firefox) 3.0.5. Here's the ID string:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008122011 Iceweasel/3.0.5 (Debian-3.0.5-1)

--
Sander Marechal
Lone Wolves Foundation
http://www.jejik.com
Re: [Modules] Cannot get client certificate verification to work
I have done some more digging and it's weirdness. It looks like
mod_gnutls does not take the VirtualHost directive into account.

Below is again the configuration of my two virtual hosts. The Subversion
server only has a server certificate. The CakePHP virtual host has a
server certificate (in fact, the same one as the subversion server) and
requires client-side certification.

If the Subversion server is loaded first then neither virtual host will
ask for a client certificate. If the CakePHP host is loaded first then
*both* virtual hosts will ask for client-side certificates.

So, it looks like GnuTLSClientVerify does not take the virtual host into
account in the below configuration.

Bug? Or is something wrong with my configuration?

--
Sander Marechal
Lone Wolves Foundation
http://www.jejik.com

Sander Marechal wrote:
> The first one is my Subversion server.
>
>     # SSL using GnuTLS
>     GnuTLSEnable On
>     GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
>     GnuTLSKeyFile /etc/apache2/ssl/key.pem
>     GnuTLSPriorities PERFORMANCE
>
>     ServerName svn.jejik.com
>
>     LogLevel warn
>     ErrorLog /var/log/apache2/error.log
>     CustomLog /var/log/apache2/access.log combined
>     ServerSignature On
>
>     # uninteresting Subversion configuration removed
>
> The second one is a CakePHP website I'm developing:
>
>     DocumentRoot /home/sander/projects/odf-shots/trunk/server/www
>     ServerName cakephp.jejik.com
>
>     # SSL using GnuTLS
>     GnuTLSEnable On
>     GnuTLSPriorities PERFORMANCE
>     GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
>     GnuTLSKeyFile /etc/apache2/ssl/key.pem
>     GnuTLSClientVerify require
>     GnuTLSClientCAFile /etc/ssl/certs/cacert.org.pem
>
>     ErrorLog /var/log/apache2/error.log
>
>     # Possible values include: debug, info, notice, warn, error, crit,
>     # alert, emerg.
>     LogLevel warn
>
>     CustomLog /var/log/apache2/access.log combined
>     ServerSignature On
>
> Note that the domain cakephp.jejik.com isn't in any DNS record. If you
> want to access it for yourself, add "82.95.221.82 cakephp.jejik.com" to
> your /etc/hosts file.
[Modules] Cannot get client certificate verification to work
Hi all,

I cannot get client certificate verification to work, no matter what I
try. I have two virtual hosts using GnuTLS. The first one is my
Subversion server.

    # SSL using GnuTLS
    GnuTLSEnable On
    GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
    GnuTLSKeyFile /etc/apache2/ssl/key.pem
    GnuTLSPriorities PERFORMANCE

    ServerName svn.jejik.com

    LogLevel warn
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    # uninteresting Subversion configuration removed

The second one is a CakePHP website I'm developing:

    DocumentRoot /home/sander/projects/odf-shots/trunk/server/www
    ServerName cakephp.jejik.com

    # SSL using GnuTLS
    GnuTLSEnable On
    GnuTLSPriorities PERFORMANCE
    GnuTLSCertificateFile /etc/apache2/ssl/cert.pem
    GnuTLSKeyFile /etc/apache2/ssl/key.pem
    GnuTLSClientVerify require
    GnuTLSClientCAFile /etc/ssl/certs/cacert.org.pem

    ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

Note that the domain cakephp.jejik.com isn't in any DNS record. If you
want to access it for yourself, add "82.95.221.82 cakephp.jejik.com" to
your /etc/hosts file.

As you see, for the second virtualhost I have set "GnuTLSClientVerify
require", but my browser never pops up a certificate request and never
sends one. On the server I always get "[SSL_CLIENT_VERIFY] => NONE".

The server certificate and keyfile is a self-signed server certificate
with a wildcard "*.jejik.com". I have a security exception added for
that in my Firefox. /etc/ssl/certs/cacert.org.pem is the standard pem for
verifying CACert client certificates. I have a CACert client certificate
installed in my browser.

When I access https://cakephp.jejik.com I expect Firefox to popup a
certificate request, or I expect mod_gnutls to deny the connection.
Instead, I can access it just fine over https. No client verification
happens at all.

What's the problem?

--
Sander Marechal
Lone Wolves Foundation
http://www.jejik.com