Comments on: SSL-enabled Name-based Apache Virtual Hosts with mod_gnutls

By: George

George — Sat, 15 Sep 2007 02:35:45 +0000

Unfortunately I would need a Gentoo ebuild of OpenSSL working with Apache 2.0 for things to work well. Dont think these ebuilds exist yet.

By: George Notaras

George Notaras — Tue, 11 Sep 2007 03:02:36 +0000

In this comment, Vasili Sviridov points to a website that uses a snapshot version of OpenSSL 0.9.9. Perhaps you could try to contact them too and ask for some info about how well that snapshot version works.

By: George

George — Sun, 09 Sep 2007 02:18:17 +0000

Tried commenting out the GnuTLSClientCAFile directive and still no dice. Wonder if there is any way to make this work without having to wait for mod_ssl 0.9.9 to be released supporting SNI?

Tried contacting the author of mod_gnutls and have not received any response.

By: George Notaras

George Notaras — Fri, 07 Sep 2007 15:06:36 +0000

Indeed. I checked the list of the root certificates in FF2 and the startcom certificate is there. From the mod_gnutls documentation:

GnuTLSClientCAFile Takes an absolute or relative path to a PEM Encoded Certificate to use as a Certificate Authority with Client Certificate Authentication.

This means that the certificate that has been specified by the GnuTLSClientCAFile directive is only used for client autrhentication via a certificate and actually not when the client enters the secure mode in the browser. Perhaps you should try commenting out this directive and see if it works.

By: George

George — Fri, 07 Sep 2007 14:19:13 +0000

It would appear according to this article that Firefox does include the Root Startcom Cert: http://www.startcom.org/?app=14&rel=22 .

By: George Notaras

George Notaras — Fri, 07 Sep 2007 04:13:32 +0000

@ Jeremy: Thanks for those links about the SNI browser support.

@George: It would work without any popups only if the root startcom certificate had been added to the list of trusted certificate authorities in the browser. I seriously doubt that firefox includes this root certificate by default. The user has to trust it first. IIRC, the same happens with certificates from cacert.org.

By: George

George — Thu, 06 Sep 2007 18:20:49 +0000

Has onyone tried using mod_gnutls in conjunction with startcom (free as in beer) certificates? I have set the GnuTLSClientCAFile directive and am still receiving an invalid certificate error in Firefox 2.0. This _should_ work without any popups whatsoever. Has anyone had any experience with this?

By: Jeremy

Jeremy — Sun, 02 Sep 2007 03:32:05 +0000

Unfortunately SNI support in browsers is limited to these:

Firefox 2, IE 7 on Vista, Opera 7.6+ and other modern browsers.

(http://weblogs.mozillazine.org/gerv/archives/2007/08/virtual_hosting_ssl_and_sni.html)

IE 6, lynx, safari and the like are not supported.

(http://wiki.cacert.org/wiki/VhostTaskForce#head-7236c4e2c9932ef42056b3ff6d367053081887de)

By: George Notaras

George Notaras — Fri, 24 Aug 2007 16:15:49 +0000

I write this for other readers who run into issues: mod_gnutls requires the httpd and gnutls development libraries in order to compile.

By: Tony Boylan

Tony Boylan — Fri, 24 Aug 2007 08:19:55 +0000

Sorry. RTFM. To Answer my own question. http://www.gnutls.org/download.html