Custom Query (16 matches)


Results (4 - 6 of 16)

Ticket Resolution Summary Owner Reporter
#5 fixed Client-side certificates not recognized Daniel Kahn Gillmor Daniel Kahn Gillmor

imported from mantis, at 2011-10-02 macrotex wrote:

I have this configuration in Apache:

  GnuTLSEnable On
  GnuTLSCertificateFile /etc/ssl/certs/mdm-dev1-gnutls.pem
  GnuTLSKeyFile /etc/ssl/private/myserver-dev1.key
  # Client certs CA chain
  GnuTLSClientCAFile /etc/ssl/certs/ca-chain.pem
  GnuTLSExportCertificates On
  GnuTLSClientVerify ignore

  <LocationMatch /device.*/checkin>
     GnuTLSClientVerify require
  </LocationMatch>

I have a client going to this URL and submitting a client certificate (I know it does as I have tested this with mod_ssl and the client certificate gets passed). However, with mod_gnutls no certificate seems to get passed. In particular, the SSL_CLIENT_S_DN environment variable is empty.

#29 fixed Disabling SSL3 and TLS1.0 doesn't work Daniel Kahn Gillmor Frederic Massot

I tried disabling SSL3 and TLS1.0 without success.

I put the same line "GnuTLSPriorities NORMAL:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.2:+VERS-TLS1.1:!MD5" in:

  • all virtual hosts that use HTTPS,
  • the configuration of GNUTLS (/etc/apache2/mods-available/gnutls.conf),
  • the default-tls file (/etc/apache2/sites-available/default-tls) which I do not use and that is not activated,
  • the apache2.conf file.

I restarted Apache. The result is always the same: SSL3 and TLS 1.0 are still active.

There is a Debian bug report:


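The report above turns on what a GnuTLS priority string actually leaves enabled, and on confirming that the running server honours it. The following is an added example, not code from mod_gnutls or from the ticket: it models the left-to-right semantics of a priority string (an initial keyword such as NORMAL or NONE, then "+" to add and "-" or "!" to remove a keyword) for the VERS-* protocol keywords only, and ignores cipher and MAC keywords such as "!MD5". The set that NORMAL expands to is a constructed assumption for the versions discussed in the ticket, not a fact about any particular GnuTLS release; wildcard keywords such as VERS-TLS-ALL are rejected rather than guessed at.

```python
"""Evaluate which protocol versions a GnuTLS priority string leaves enabled.

Added example for the ticket above, not part of mod_gnutls or GnuTLS.
Only VERS-* protocol keywords are interpreted; everything else (ciphers,
MACs, compression, "!MD5", ...) is accepted and skipped.
"""
import re

# Constructed baseline (assumption): what NORMAL is taken to enable for the
# protocols discussed in the ticket. Real GnuTLS releases differ, which is
# why the outcome must still be verified against the running server.
NORMAL_VERSIONS = frozenset({"SSL3.0", "TLS1.0", "TLS1.1", "TLS1.2"})

_VERS_RE = re.compile(r"VERS-(SSL3\.0|TLS1\.[0-2])$")


def _version_set(keyword):
    """Return the protocol versions an explicit VERS-* keyword names.

    Returns None for keywords that are not protocol keywords at all, and
    raises for protocol wildcards (VERS-TLS-ALL, VERS-ALL, ...) whose
    expansion depends on the GnuTLS release and is not modelled here.
    """
    m = _VERS_RE.match(keyword)
    if m:
        return {m.group(1)}
    if keyword.startswith("VERS-"):
        raise ValueError(f"protocol wildcard not modelled: {keyword!r}")
    return None


def enabled_versions(priority):
    """Return the set of protocol versions enabled by `priority`.

    Tokens are applied in order: "NORMAL:!VERS-TLS1.0:+VERS-TLS1.0" ends
    with TLS1.0 enabled again, because the later "+" re-adds it.
    """
    tokens = [t.strip() for t in priority.split(":") if t.strip()]
    if not tokens:
        raise ValueError("empty priority string")
    initial, modifiers = tokens[0], tokens[1:]
    if initial == "NORMAL":
        enabled = set(NORMAL_VERSIONS)
    elif initial == "NONE":
        enabled = set()
    else:
        raise ValueError(f"unsupported initial keyword: {initial!r}")

    for token in modifiers:
        op, keyword = token[0], token[1:]
        if op not in "+-!":
            raise ValueError(f"modifier needs a +, - or ! prefix: {token!r}")
        versions = _version_set(keyword)
        if versions is None:
            continue  # cipher/MAC/etc. keyword, irrelevant to this check
        if op == "+":
            enabled |= versions
        else:  # "-" and "!" both remove the keyword
            enabled -= versions
    return enabled


def rejects_legacy(priority, legacy=("SSL3.0", "TLS1.0")):
    """True when none of the legacy protocols survive the priority string."""
    return not (enabled_versions(priority) & set(legacy))


if __name__ == "__main__":
    ticket = "NORMAL:!VERS-SSL3.0:!VERS-TLS1.0:+VERS-TLS1.2:+VERS-TLS1.1:!MD5"
    print(sorted(enabled_versions(ticket)), rejects_legacy(ticket))
    # Ordering matters: a later "+" undoes an earlier removal.
    print(sorted(enabled_versions("NORMAL:!VERS-TLS1.0:+VERS-TLS1.0")))
```

Whatever the string evaluates to on paper, the check that matters is the one the reporter did, on the wire: attempt a handshake with only the version you expect to be refused, for example `gnutls-cli --priority 'NONE:+VERS-TLS1.0:+AES-128-CBC:+SHA1:+RSA:+COMP-NULL' -p 443 host`, and treat a successful handshake as proof that the directive is not in effect for that virtual host.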
#23 fixed enable pkcs11 for server secret key material Daniel Kahn Gillmor Daniel Kahn Gillmor

Nikos writes on-list with a good suggestion:

I was thinking of ways in which a memory leak in mod_gnutls could have been prevented from revealing secrets such as the server's private key, and I think that this could be "easily" doable if mod_gnutls supported pkcs11 keys (from a quick glimpse I think it doesn't yet). If it supported them, then one could use a software security module such as lsm-pkcs11 and separate the private key operations from the server process. I put "easily" in quotes because unfortunately lsm-pkcs11 seems to be a dead project, and more modern modules like softhsm don't use any isolation between the key operations and the calling process.

Nevertheless, I think it would be a good feature to have.

I also think this would be a useful feature.
