client certificates issue with mod_gnutls and apache

While researching the use of mod_gnutls with client certificates on one of my servers, I found a serious bug.

At first I used this configuration in the virtual host configuration of Apache:

GnuTLSEnable on
GnuTLSPriorities [...]
GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert
GnuTLSKeyFile /etc/apache2/ssl/webserver.key
GnuTLSExportCertificates on
GnuTLSClientVerify require
GnuTLSClientCAFile /etc/apache2/ssl/trusted.cas.asc

Everything works fine. I see the certificate dialog when I access the virtual host. It seems to work out of the box.

But when I used another client certificate, one not signed by any of the CAs listed in GnuTLSClientCAFile, I was able to log in as well. Sometimes I had to resubmit the wrong certificate, sometimes it worked on the first attempt.

After testing and looking into the source code I found that the hook

ap_hook_access_checker(mgs_hook_authz, NULL, NULL, APR_HOOK_REALLY_FIRST);

is called correctly: mgs_hook_authz returns 403 for the wrong certificate, but this has no effect.

After looking around on the internet I found this post, which describes exactly this behaviour.

Based on that description I added a <Location /> block to my virtual host configuration:

GnuTLSEnable on
GnuTLSPriorities [...]
GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert
GnuTLSKeyFile /etc/apache2/ssl/webserver.key
GnuTLSExportCertificates on
GnuTLSClientVerify require
GnuTLSClientCAFile /etc/apache2/ssl/trusted.cas.asc

<Location />
GnuTLSClientVerify require
</Location>

With that it works properly.

This wrong behaviour of mod_gnutls/Apache is dangerous, because most people don't test with a wrong certificate and therefore believe they are secure.

I tested this on Ubuntu 12.04.4 and 14.04, both with the included mod_gnutls and with the stable mod_gnutls (0.6) from the project website.
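The check the post says most people skip, as an added example (not from the post or from mod_gnutls): a POSIX shell script that sends requests to the vhost with a trusted and an untrusted client certificate and reports whether the untrusted one is really rejected. It assumes curl is installed and that both certificate/key pairs are available in PEM form; because the post saw the bug only on some requests, each probe is repeated several times.

```shell
#!/bin/sh
# Probe an Apache/mod_gnutls vhost with a trusted and an untrusted client
# certificate and report whether the untrusted one is rejected. Assumes curl.
ATTEMPTS=${ATTEMPTS:-5}   # the post saw the bug only on some requests

# classify <curl exit code> <http status>: prints rejected/accepted/error.
# curl exits 35 (SSL connect error) or 56 (receive failure) when the server
# aborts the handshake; a 403 means the mgs_hook_authz denial took effect;
# any 2xx/3xx means the certificate was accepted.
classify() {
    case "$1" in
        0) ;;
        35|56) echo rejected; return 0 ;;
        *) echo error; return 0 ;;
    esac
    case "$2" in
        403) echo rejected ;;
        2??|3??) echo accepted ;;
        *) echo error ;;
    esac
}

# probe <url> <cert.pem> <key.pem>: repeats the request ATTEMPTS times and
# reports accepted if any single attempt got through.
probe() {
    result=rejected; i=0
    while [ "$i" -lt "$ATTEMPTS" ]; do
        http=$(curl -sS -k -I -o /dev/null -w '%{http_code}' \
                    --cert "$2" --key "$3" "$1" 2>/dev/null)
        v=$(classify $? "$http")
        [ "$v" = accepted ] && { result=accepted; break; }
        [ "$v" = error ] && result=error
        i=$((i + 1))
    done
    echo "$result"
}

# verdict <trusted verdict> <untrusted verdict>: OK, BUG or INCONCLUSIVE.
verdict() {
    if [ "$2" = accepted ]; then echo BUG
    elif [ "$1" = accepted ] && [ "$2" = rejected ]; then echo OK
    else echo INCONCLUSIVE; fi
}

# usage: check.sh https://host/ trusted.pem trusted.key untrusted.pem untrusted.key
if [ $# -eq 5 ]; then
    t=$(probe "$1" "$2" "$3"); u=$(probe "$1" "$4" "$5")
    echo "trusted: $t, untrusted: $u -> $(verdict "$t" "$u")"
fi
```

Run it against the vhost before and after adding the <Location /> block; a BUG verdict means a certificate not signed by a CA in GnuTLSClientCAFile was accepted.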


Maven: maven and scala

When I started a new project I decided to use Scala for it. It was a small web application, so I wanted to use Maven as the build tool. After googling I found Maven For Beginners | The Scala Programming Language, but the information on that site is no longer correct.


Maven: Mixed Projects with Java and Scala

While playing around with Maven, Scala and Java I found it useful to have both Java and Scala in one project. After searching for a while I found several sources that helped me solve this.


Netbeans and Glassfish remote deployments

Using NetBeans together with GlassFish works like a charm, especially with the preconfigured GlassFish. One point that isn't mentioned often: you can also work with a remote GlassFish.


JAAS & JBoss: Client Authentication

This is the second part of my articles about JBoss security. The first part of this series shows how to configure a JBossAS to use security in the beans and how to connect to them from a remote client using RMI.


JAAS & JBoss: Authentication

Currently I'm working on a project that uses authentication in JBoss. I wouldn't call it a very large project, but it's not a hello-world project either. In this project I ran into some issues. The most problematic one is that there isn't much documentation on the web covering the issues beyond a standard JAAS authentication, such as securing a Queue, Topic or Service, and how to connect to these from a message-driven or session bean (and of course, what works and what doesn't). Based on these experiences I thought of a small series of articles that might help others. To make a long story short, here is the first part:



Clean-install of Liferay Portal Community Edition

The clean install of Liferay Portal Community Edition (V. 5.2.3) is fairly straightforward.

First you need the portal itself. You can obtain it for free from the Liferay website. There you'll find two versions on the download page: the Enterprise Edition and the Community Edition. For this tutorial I'll use the Community Edition.

After downloading, extract it to your favourite place.

Once extracted you'll find a liferay folder, and within it a tomcat folder. In the webapps folder of the Tomcat directory there are two webapps: sevencogs-hook and sevencogs-theme. Both should be deleted: they belong to the demo data, which we don't want to install.

After removing these webapps, change to WEB-INF/classes of the ROOT webapp, which is also located in the webapps folder of the Tomcat. Within this folder create a portal-ext.properties file and fill it with these settings:

jdbc.default.driverClassName=com.mysql.jdbc.Driver
jdbc.default.url=jdbc:mysql://localhost/liferay?useUnicode=true&characterEncoding=UTF-8&useFastDateParsing=false
jdbc.default.username=liferay
jdbc.default.password=<password>
schema.run.enabled=true
schema.run.minimal=true

The first four lines define the database connection. The named database and (of course) the user have to be created before the portal is started. Adjust the database settings to your needs, i.e. change database name, host, username, password, etc. to the values used on your platform.

The last two lines are portal settings. The first activates schema generation (tables etc. are created on startup), and the second tells the portal to insert only the minimal data it needs. Setting it to true prevents the demo data from being inserted into the database.

Now that everything is in place, you can start the portal using the startup script in the tomcat-<version>/bin/ directory.

After startup you can sign in using Liferay's default username and password. You now have a clean installation of the "Liferay Portal Community Edition".
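The steps above as one script, added here as an example (not Liferay's own tooling): it removes the two demo webapps, creates the MySQL database and user, and writes the portal-ext.properties from this post with owner-only permissions, since the file holds the database password. LIFERAY_HOME, the DB_* values and the assumption that MySQL runs on the same host as the portal are placeholders to adjust.

```shell
#!/bin/sh
# Clean Liferay 5.2.3 install helper (added example): removes the demo webapps,
# creates the MySQL database/user and writes portal-ext.properties (mode 600).
set -eu
LIFERAY_HOME=${LIFERAY_HOME:-/opt/liferay}   # where the bundle was extracted
DB_HOST=${DB_HOST:-localhost}
DB_NAME=${DB_NAME:-liferay}
DB_USER=${DB_USER:-liferay}
DB_PASS=${DB_PASS:-CHANGE_ME}                # placeholder, override via env

# remove_demo_webapps <liferay home>: the demo data lives in these two
# webapps under tomcat-<version>/webapps.
remove_demo_webapps() {
    for app in sevencogs-hook sevencogs-theme; do
        rm -rf "$1"/tomcat-*/webapps/"$app"
    done
}

# create_database: database and user must exist before the portal starts;
# runs as the MySQL admin user and prompts for that password.
create_database() {
    mysql -u root -p -h "$DB_HOST" <<SQL
CREATE DATABASE \`$DB_NAME\` CHARACTER SET utf8;
CREATE USER '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS';
GRANT ALL PRIVILEGES ON \`$DB_NAME\`.* TO '$DB_USER'@'localhost';
FLUSH PRIVILEGES;
SQL
}

# render_properties: the settings from the post, filled from the variables.
render_properties() {
    cat <<EOF
jdbc.default.driverClassName=com.mysql.jdbc.Driver
jdbc.default.url=jdbc:mysql://$DB_HOST/$DB_NAME?useUnicode=true&characterEncoding=UTF-8&useFastDateParsing=false
jdbc.default.username=$DB_USER
jdbc.default.password=$DB_PASS
schema.run.enabled=true
schema.run.minimal=true
EOF
}

# write_properties <liferay home>: place the file in ROOT/WEB-INF/classes.
write_properties() {
    umask 077   # file contains a password: owner read/write only
    for classes in "$1"/tomcat-*/webapps/ROOT/WEB-INF/classes; do
        render_properties > "$classes/portal-ext.properties"
    done
}

if [ "${1:-}" = install ]; then   # usage: sh install.sh install
    remove_demo_webapps "$LIFERAY_HOME"; create_database; write_properties "$LIFERAY_HOME"
fi
```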


Copying objects recursively

Dozer is a JavaBean-to-JavaBean mapper that recursively copies data from one object to another. This is great if you have Hibernate mappings and want to "convert" the object to a DTO.
