
I have installed Apache on Ubuntu, installed GNUTLS module and everything worked fine:

root@ilnwad15:~# apache2 -v
Server version: Apache/2.2.22 (Ubuntu)
Server built:   Jul 12 2013 13:37:15

Now I want that on port 1443, if the CA of the client certificate is not the CA on my server, the request will be blocked.

That's how I configured it in /etc/apache2/apache2.conf:

Listen *:443
Listen *:1443
<VirtualHost *:443>
    GnuTLSEnable on
    GnuTLSKeyFile  /etc/apache2/certs/ilnwad15.tlv.sap.corp.key
    GnuTLSCertificateFile  /etc/apache2/certs/ilnwad15.tlv.sap.corp.crt
    DocumentRoot /disk2/var/www/html
    GnuTLSPriorities EXPORT
    ServerName      ilnwad15
</VirtualHost>

<VirtualHost *:1443>
    GnuTLSEnable on
    GnuTLSKeyFile /etc/apache2/certs/ilnwad15.tlv.sap.corp.key
    GnuTLSCertificateFile /etc/apache2/certs/ilnwad15.tlv.sap.corp.crt
    GnuTLSPriorities EXPORT
    GnuTLSClientCAFile /etc/apache2/certs/ca.pem
    GnuTLSClientVerify require
    DocumentRoot /disk2/var/www/html
    ServerName ilnwad15
</VirtualHost>

What happens now is that when I send a request with no certificate, I get an internal error:

[root@ilnwadv56 ~]# wget --save-headers --no-check-certificate HTTPs://ilnwad15.tlv.sap.corp:1443
--2013-12-18 17:23:01--  https://ilnwad15.tlv.sap.corp:1443/
Resolving ilnwadv62... 172.16.162.21
Connecting to ilnwadv62|172.16.162.21|:18080... connected.
WARNING: cannot verify ilnwad15.tlv.sap.corp's certificate, issued by `/C=IL/L=Raanana/O=SAP/OU=AccAD/CN=Dummy device':
Unable to locally verify the issuer's authority.
WARNING: certificate common name `dummy.service.com' doesn't match requested host name `ilnwad15.tlv.sap.corp'.
Proxy request sent, awaiting response... 500 Server Error
2013-12-18 17:23:01 ERROR 500: Server Error.

However, when the request has a certificate whose CA doesn't match the server CA, I get 200 OK from Internet Explorer and no 403 Forbidden. When doing so from wget I get "Proxy tunneling failed: Service Unavailable" followed by "Unable to establish SSL connection":

[root@ilnwadv56 ~]# wget --save-headers --no-check-certificate --certificate=/sapmnt/accad/other/client.crt --private-key=/sapmnt/accad/other/client.key HTTPs://ilnwad15.tlv.sap.corp:443
--2013-12-18 17:46:17--  https://ilnwad15.tlv.sap.corp/
Resolving ilnwadv62... 172.16.162.21
Connecting to ilnwadv62|172.16.162.21|:18080... connected.
Proxy tunneling failed: Service UnavailableUnable to establish SSL connection.

Does anyone have an idea where my mistake is? Thanks in advance.

boaz_shuster
  • Pretty well-written and sane question, +1 from me. However, could you improve it just that last little bit by including an example of getting a 200 OK when using an obviously unsigned certificate, as you say you do in your last substantive para? – MadHatter Dec 18 '13 at 15:30
  • Hi @MadHatter, I have edited the message. Please, let me know if I am missing any detail. I am more than happy to give further explanations. :D – boaz_shuster Dec 18 '13 at 16:00
  • Thanks for the edit. Everything in your question refers to the service on port 1443, **except** that last `wget` edit, which uses straight 443. I'm beginning to think there's some confusion in your question. Could you overhaul it into a format where you tell us what you're trying to achieve, what you do, and what you expect to see, then **show** us what you actually do, and point out how it's different? – MadHatter Dec 18 '13 at 16:01

1 Answer


OK, first of all, thanks to everyone who has tried to help (especially @MadHatter). The problem was that I was using a proxy, so I had to unset https_proxy and the problem got resolved.

Right now it works correctly. When sending a dummy certificate (by not giving any certificate through wget):

wget --save-headers --no-check-certificate HTTPS://ilnwad15.tlv.sap.corp:1443
--2013-12-22 10:37:02--  https://ilnwad15.tlv.sap.corp:1443/
Resolving ilnwad15.tlv.sap.corp... 172.16.60.21
Connecting to ilnwad15.tlv.sap.corp|172.16.60.21|:1443... connected.
OpenSSL: error:1409442F:SSL routines:SSL3_READ_BYTES:tlsv1 alert insufficient security
Unable to establish SSL connection.

When giving a correct certificate:

wget --save-headers --certificate=/sapmnt/accad/other/ilnwad15.tlv.sap.corp.crt --private-key=/sapmnt/accad/other/ilnwad15.tlv.sap.corp.key --no-check-certificate HTTPS://ilnwad15.tlv.sap.corp:1443
--2013-12-22 10:33:59--  https://ilnwad15.tlv.sap.corp:1443/
Resolving ilnwad15.tlv.sap.corp... 172.16.60.21
Connecting to ilnwad15.tlv.sap.corp|172.16.60.21|:1443... connected.
WARNING: cannot verify ilnwad15.tlv.sap.corp's certificate, issued by /C=IL/ST=Central District/L=Raanana/O=SAP AG/OU=AccAD/CN=AccAD CA/emailAddress=test@test.test:
Unable to locally verify the issuer's authority.
HTTP request sent, awaiting response... 200 OK
Length: 4598 (4.5K) [text/html]
Saving to: `index.html'

100%[======================================>] 4,598       --.-K/s   in 0s      

2013-12-22 10:33:59 (38.5 MB/s) - `index.html' saved [4598/4598]

Thanks! :D

boaz_shuster
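The answer's root cause (an https_proxy variable turning the wget run into a CONNECT through a proxy, so the 500 and the "Proxy tunneling failed" came from the proxy and not from the mod_gnutls vhost) is easy to hit again. The script below is an added example, not code from the question or answer: it lists the proxy variables that would hijack the test, classifies wget's output into the three outcomes seen on this page (proxy in the way, handshake rejected, request accepted), and optionally repeats the three requests from the question with the proxy variables unset. The hostname, port and certificate paths are the question's own; the sample outputs are constructed from the wget runs quoted above.

```shell
#!/bin/sh
# Added example (not from the original question or answer). Pre-flight checks
# for testing GnuTLSClientVerify on port 1443 as described on the page.

# Print each proxy variable that would redirect wget/curl through a proxy.
# Returns 0 if at least one is set, 1 if none is set.
proxy_vars_set() {
    found=1
    for v in http_proxy https_proxy HTTP_PROXY HTTPS_PROXY; do
        eval val=\"\${$v:-}\"
        if [ -n "$val" ]; then
            printf '%s=%s\n' "$v" "$val"
            found=0
        fi
    done
    return $found
}

# Classify captured wget output into one of:
#   via-proxy  the reply came from a proxy (CONNECT tunnel), not from Apache
#   rejected   the TLS handshake failed (what GnuTLSClientVerify require does
#              when the client certificate is missing or not signed by ca.pem)
#   accepted   HTTP 200 after a completed handshake
#   http:NNN   any other HTTP status, e.g. http:403
classify_wget_output() {
    case $1 in
        *"Proxy tunneling failed"*|*"Proxy request sent"*) echo via-proxy ;;
        *"Unable to establish SSL connection"*) echo rejected ;;
        *"awaiting response... 200"*) echo accepted ;;
        *) status=$(printf '%s\n' "$1" \
               | sed -n 's/.*awaiting response\.\.\. \([0-9][0-9][0-9]\).*/\1/p' \
               | tail -n 1)
           echo "http:${status:-unknown}" ;;
    esac
}

# Run one request with every proxy variable unset and classify the result.
# $1 = URL, $2 = client certificate (optional), $3 = matching private key.
classify_request() {
    url=$1; cert=${2:-}; key=${3:-}
    set -- --no-check-certificate --timeout=10 --tries=1 -O /dev/null
    if [ -n "$cert" ]; then
        set -- "$@" --certificate="$cert" --private-key="$key"
    fi
    out=$(unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY
          wget "$@" "$url" 2>&1) || true
    classify_wget_output "$out"
}

# Constructed samples, abridged from the wget outputs quoted on the page.
SAMPLE_VIA_PROXY='Connecting to ilnwadv62|172.16.162.21|:18080... connected.
Proxy request sent, awaiting response... 500 Server Error
2013-12-18 17:23:01 ERROR 500: Server Error.'
SAMPLE_REJECTED='Connecting to ilnwad15.tlv.sap.corp|172.16.60.21|:1443... connected.
OpenSSL: error:1409442F:SSL routines:SSL3_READ_BYTES:tlsv1 alert insufficient security
Unable to establish SSL connection.'
SAMPLE_ACCEPTED='Connecting to ilnwad15.tlv.sap.corp|172.16.60.21|:1443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4598 (4.5K) [text/html]'

# Live check against the server from the question: "sh check_1443.sh run"
if [ "${1:-}" = run ]; then
    url=https://ilnwad15.tlv.sap.corp:1443/
    if proxy_vars_set; then
        echo "note: the variables above are unset for the requests below"
    fi
    echo "no client certificate:      $(classify_request "$url")"   # expect rejected
    echo "certificate from other CA:  $(classify_request "$url" \
        /sapmnt/accad/other/client.crt \
        /sapmnt/accad/other/client.key)"                             # expect rejected
    echo "certificate issued by CA:   $(classify_request "$url" \
        /sapmnt/accad/other/ilnwad15.tlv.sap.corp.crt \
        /sapmnt/accad/other/ilnwad15.tlv.sap.corp.key)"              # expect accepted
fi
```

Running it with no argument only defines the functions and samples; `run` performs the three live requests. A "via-proxy" classification means the result says nothing about the vhost's client-certificate policy, which is exactly the trap the question fell into.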