While researching the use of mod_gnutls with client certificates on one of my servers, I found a serious bug.
At first I used this configuration in my Apache virtual host:

GnuTLSEnable on
GnuTLSPriorities [...]
GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert
GnuTLSKeyFile /etc/apache2/ssl/webserver.key
GnuTLSExportCertificates on
GnuTLSClientVerify require
GnuTLSClientCAFile /etc/apache2/ssl/trusted.cas.asc
Everything works fine. I see the certificate dialog when I access the virtual host. It seems to work out of the box.
But when I used another client certificate, one that was not signed by any of the CAs listed in GnuTLSClientCAFile, I was able to log in as well. Sometimes I had to resubmit the wrong certificate; sometimes it worked on the first attempt.
After testing and looking into the source code, I found that the hook

ap_hook_access_checker(mgs_hook_authz, NULL, NULL, APR_HOOK_REALLY_FIRST);

works correctly: mgs_hook_authz returns a 403 for the wrong certificate. But it has no effect.
After searching the internet I found this post, which describes exactly this behaviour.
Based on this description I added a <Location /> block to my virtual host configuration:

GnuTLSEnable on
GnuTLSPriorities [...]
GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert
GnuTLSKeyFile /etc/apache2/ssl/webserver.key
GnuTLSExportCertificates on
GnuTLSClientVerify require
GnuTLSClientCAFile /etc/apache2/ssl/trusted.cas.asc
<Location />
GnuTLSClientVerify require
</Location>
With that it works properly.
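As an added example (not code from the original post, nor from mod_gnutls or Apache), here is a small lint that encodes the workaround above as a check: it parses an Apache config and flags every <VirtualHost> that sets "GnuTLSClientVerify require" only at vhost level without restating it inside a <Location>, <Directory> or <Files> block, which is exactly the configuration that let an untrusted client certificate through. The two sample configs are constructed here to mirror the before and after configurations in the post; the helper names are my own.

```python
"""Flag Apache vhosts where 'GnuTLSClientVerify require' is set only at vhost level.

Added example, not mod_gnutls or Apache code. Based on the observation in the
post that the vhost-level directive alone was not enforced and that repeating
it inside a <Location /> block made rejection of untrusted client certs work.
"""
import re

OPEN_RE = re.compile(r"^\s*<(\w+)(?:\s+([^>]*))?>\s*$")      # <Section args>
CLOSE_RE = re.compile(r"^\s*</(\w+)>\s*$")                   # </Section>
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.*?)\s*$")          # Directive value
# Sections in which the post's workaround places the directive.
SCOPE_SECTIONS = {"Location", "LocationMatch", "Directory",
                  "DirectoryMatch", "Files", "FilesMatch"}


def parse_vhosts(config_text):
    """Return one dict per <VirtualHost>: its argument, the vhost-level
    GnuTLSClientVerify mode (or None) and the modes set in scoped sections."""
    vhosts = []
    stack = []            # names of currently open sections
    current = None        # vhost dict we are inside, if any
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        m = OPEN_RE.match(line)
        if m:
            name, arg = m.group(1), (m.group(2) or "").strip()
            stack.append(name)
            if name == "VirtualHost":
                current = {"vhost": arg, "top_level": None, "scoped": []}
                vhosts.append(current)
            continue
        m = CLOSE_RE.match(line)
        if m:
            if stack and stack[-1] == m.group(1):
                stack.pop()
            if m.group(1) == "VirtualHost":
                current = None
            continue
        m = DIRECTIVE_RE.match(line)
        if m and current is not None and m.group(1).lower() == "gnutlsclientverify":
            mode = m.group(2).lower()
            if any(s in SCOPE_SECTIONS for s in stack):
                current["scoped"].append(mode)
            else:
                current["top_level"] = mode
    return vhosts


def lint(config_text):
    """Return the vhost arguments whose 'require' is not restated in a scoped section."""
    return [v["vhost"] for v in parse_vhosts(config_text)
            if v["top_level"] == "require" and "require" not in v["scoped"]]


# Constructed sample: the post's first configuration (vhost-level only).
BAD_CONFIG = """
<VirtualHost *:443>
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/apache2/ssl/webserver.cert
    GnuTLSKeyFile /etc/apache2/ssl/webserver.key
    GnuTLSExportCertificates on
    GnuTLSClientVerify require
    GnuTLSClientCAFile /etc/apache2/ssl/trusted.cas.asc
</VirtualHost>
"""

# Constructed sample: the post's fixed configuration with the <Location /> block.
GOOD_CONFIG = BAD_CONFIG.replace(
    "</VirtualHost>",
    "    <Location />\n        GnuTLSClientVerify require\n    </Location>\n</VirtualHost>")

if __name__ == "__main__":
    for label, cfg in (("before", BAD_CONFIG), ("after", GOOD_CONFIG)):
        flagged = lint(cfg)
        print(f"{label}: {'FLAGGED ' + ', '.join(flagged) if flagged else 'ok'}")
```

The lint is only a configuration check; the test a practitioner should actually run is the one the post describes: present a client certificate that is not signed by any CA in GnuTLSClientCAFile (for example with curl's --cert and --key options) and confirm that the request is refused, not just that a trusted certificate is accepted.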
This wrong behaviour of mod_gnutls/Apache is dangerous, because most people never test with a wrong certificate and so they feel secure.