Gentoo Forums
mod_gnutls accepts same client-cert for ALL vhosts - WHY??
DawgG
l33t


Joined: 17 Sep 2003
Posts: 874

Posted: Tue Dec 15, 2009 4:00 pm    Post subject: mod_gnutls accepts same client-cert for ALL vhosts - WHY??

I run an Apache webserver with some vhosts, and they all have their own self-signed SSL certificate in a configuration enabled by mod_gnutls. That works well.
As a security measure I require the users' browsers to present a client SSL cert before they can connect. This is done with the directive
Code:
GnuTLSClientVerify require
in the vhost definition and in the <Directory> directive inside the vhost definition (this does not take a filename as an argument - but could it take one?).
I create the client cert like this:
Code:
openssl pkcs12 -export -in vhost-1-cert.crt -inkey vhost-1-key.pem -out vhost-1-client.p12
Then I import it AND my CA certificate (as root CA) into a client browser, and this browser can connect to https://vhost-1 (without the cert, no connection).

When I do the same thing for vhost-2 (openssl command as above but with the vhost-2 cert and key files), the browser can also connect to vhost-1 and see all the stuff, and vice versa.

My temporary workaround is to use Apache basic auth over SSL, which is still considered quite secure, but I want to know why my intended config does not work the way it is described and is supposed to.

What is going on? Am I missing something? Is the client cert created the wrong way?

(I have to use mod_gnutls since this is a hosted server and Apache cannot be upgraded to an SNI-capable version there. And, aside from this issue, I am very satisfied with it.)
_________________
DUMM KLICKT GUT.
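Added example, not part of the post above and not mod_gnutls code. It assumes the symptom comes from every vhost trusting the same CA: a client cert is accepted when it chains to a CA in the vhost's trust file (set per vhost with the mod_gnutls directive GnuTLSClientCAFile), regardless of which server's key went into the .p12 bundle. The script builds one private client CA per vhost, issues a dedicated client cert and .p12 under each, and uses openssl verify to reproduce the per-vhost check; all directory names, subjects and user names are constructed for the demo.

```shell
#!/bin/sh
# Added example: one client CA per vhost, so a cert issued for vhost-2
# does not chain to the CA that vhost-1 trusts. Paths and subjects are
# constructed for this demo, not taken from the poster's server.
set -eu

WORK=$(mktemp -d)

# Create a private client CA for one vhost ($1 = vhost name).
# Point that vhost's GnuTLSClientCAFile at "$WORK/$1-ca.crt" (assumed layout).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1 client CA" \
    -keyout "$WORK/$1-ca-key.pem" -out "$WORK/$1-ca.crt" >/dev/null 2>&1
}

# Issue a client cert for user $2 signed by vhost $1's CA and bundle it as
# a .p12 for browser import. Same shape as the pkcs12 step in the post, but
# with a dedicated client key instead of the server's key.
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$2 at $1" \
    -keyout "$WORK/$1-$2-key.pem" -out "$WORK/$1-$2.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -in "$WORK/$1-$2.csr" \
    -CA "$WORK/$1-ca.crt" -CAkey "$WORK/$1-ca-key.pem" -CAcreateserial \
    -out "$WORK/$1-$2.crt" >/dev/null 2>&1
  openssl pkcs12 -export -in "$WORK/$1-$2.crt" -inkey "$WORK/$1-$2-key.pem" \
    -certfile "$WORK/$1-ca.crt" -passout pass:changeit \
    -out "$WORK/$1-$2.p12" >/dev/null 2>&1
}

# Reproduce the decision a vhost makes: does client cert $2 chain to the CA
# in vhost $1's trust file? Prints "accepted" or "rejected".
verify_against() {
  if openssl verify -CAfile "$WORK/$1-ca.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

make_ca vhost-1
make_ca vhost-2
issue_client_cert vhost-1 alice
issue_client_cert vhost-2 bob

# Cross-check matrix: only the cert issued under a vhost's own CA passes.
for trusted in vhost-1 vhost-2; do
  for cert in vhost-1-alice vhost-2-bob; do
    echo "$trusted trusts $cert: $(verify_against "$trusted" "$cert")"
  done
done
```

With a single shared CA in every vhost's trust file, all four combinations print "accepted", which matches the behaviour described in the post; with separate CAs only the diagonal does. The browser-side import is unchanged: the user still imports the .p12 plus the CA cert of the vhost it belongs to.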