From: Kamenik, A. <ale...@kr...> - 2012-03-05 15:05:44
I'm trying to set up client certificate auth on a server for a sub directory. The root dir is currently also htpasswd and/or IP protected during development.

    <Directory "/srv/www/vhosts/rootdir">
        Options SymLinksifOwnerMatch
        AllowOverride AuthConfig
        AuthUserFile /srv/www/vhosts/demo.passwd
        AuthType Basic
        AuthName "demo"
        Require valid-user
        Order allow,deny
        Allow from 192.168
        Satisfy any
    </Directory>

    <Directory "/srv/www/vhosts/rootdir/subdir">
        GnuTLSClientVerify request
    </Directory>

First, GnuTLSClientVerify does not work. I'm not asked to choose a certificate with any browser and SSL_CLIENT_VERIFY always reports NONE. It works when I put it in the Virtual Host context, but not in the directory context.

Second, when I change "request" to "require" I'm presented with the user+passwd dialog, as if I'm not connecting from the allowed IP range anymore. After entering correct credentials I still get NONE. I tried removing all the auths from the rootdir; client auth in subdir still didn't work.

Third, Firefox says "SSL peer was unable to negotiate an acceptable set of security parameters. (Error code: ssl_error_handshake_failure_alert)" on the first request to host/subdir. Refreshing, however, fixes the issue (I see my empty index.php). Ctrl+Shift+R, however, produces the error again. Other browsers don't have this issue. Tested with Firefox on Linux and Windows.

What am I missing?

Regards,

Aleksander Kamenik
System Administrator
Krediidiinfo AS
an Experian Company
Phone: +372 665 9649
Email: ale...@kr...