# mod_gnutls accepts same client-cert for ALL vhosts - WHY??

## DawgG

I run an Apache webserver with some vhosts and they all have their own self-signed SSL certificate in a configuration enabled by mod_gnutls. That works well.

As a security measure I require the users' browsers to show a client SSL cert before they can connect. This is done with the directive

```
GnuTLSClientVerify require
```

in the vhost definition and in the `<Directory>` directive inside the vhost definition (this does not have a filename as an argument - but could it take one?)

I create the client cert like this:

```
openssl pkcs12 -export -in vhost-1-cert.crt -inkey vhost-1-key.pem -out vhost-1-client.p12
```

Then I import it AND my CA certificate (as root CA) in a client browser, and this browser can connect to https://vhost-1 (without the cert, no connection).

When I do the same thing for vhost-2 (same openssl command as above but with the vhost-2 cert and key files), the browser can also connect to vhost-1 and see all the stuff, and vice versa.

My temporary workaround is to use Apache basic auth over SSL, which is still considered quite secure, but I want to know why my intended config does not work the way it is described and is supposed to.

What is going on? Am I missing something? Is the client cert created the wrong way?

(I have to use mod_gnutls since this is a hosted server and Apache cannot be upgraded to an SNI-capable version there. And, aside from this issue, I am very satisfied with it.)
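A check worth running, added here as an example and not part of the original post: mod_gnutls validates a presented client certificate against the CA file named by GnuTLSClientCAFile, while `GnuTLSClientVerify require` only makes a valid certificate mandatory. The post describes one CA imported as root CA, with the client certs built from each vhost's own server cert and key, so if both vhosts trust that same CA file, any certificate it issued satisfies both. The script below (it assumes openssl is on the PATH; the working directory, all file names and the user names alice/bob are constructed for the demo) gives each vhost its own private CA, issues one client certificate under each, and runs `openssl verify`, the same chain check the server performs, to show that alice's certificate is accepted only by vhost-1's CA and bob's only by vhost-2's.

```shell
#!/bin/sh
# Added example, not from the original post: one private CA per vhost so that a
# client certificate issued for vhost-1 does not validate under vhost-2's CA.
# Assumes openssl is installed; every path and name below is constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

# make_ca VHOST: create a self-signed CA (key + cert) that belongs to one vhost.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$1 client CA" \
    -keyout "$WORK/$1-ca-key.pem" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# issue_client VHOST USER: generate a key and CSR for USER and sign it with VHOST's CA.
issue_client() {
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=$2" \
    -keyout "$WORK/$2-key.pem" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$2.csr" \
    -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca-key.pem" -CAcreateserial \
    -out "$WORK/$2-cert.pem" 2>/dev/null
}

# accepts_client VHOST USER: exit 0 only if USER's cert chains to VHOST's CA.
# This is the check GnuTLSClientVerify performs against GnuTLSClientCAFile.
accepts_client() {
  openssl verify -CAfile "$WORK/$1-ca.pem" "$WORK/$2-cert.pem" >/dev/null 2>&1
}

make_ca vhost-1
make_ca vhost-2
issue_client vhost-1 alice   # alice is meant to reach vhost-1 only
issue_client vhost-2 bob     # bob is meant to reach vhost-2 only

# Cross-check every user against every CA; a single shared CA would accept all four.
for ca in vhost-1 vhost-2; do
  for user in alice bob; do
    if accepts_client "$ca" "$user"; then r=accepted; else r=rejected; fi
    echo "$ca CA: $user $r"
  done
done

# In each vhost, point mod_gnutls at that vhost's own CA (constructed paths):
#   GnuTLSClientCAFile /etc/apache2/ssl/vhost-1-ca.pem
#   GnuTLSClientVerify require
```

The browser bundle for each user is then produced from that user's own cert and key with the same `openssl pkcs12 -export` command as in the post, rather than from the vhost's server cert, and each vhost's GnuTLSClientCAFile names only its own CA file; the browser still needs the corresponding CA imported only if it should trust the server side, which is a separate concern from client verification.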
