[Bug 1095052] Re: Client certificate authentication fails
James Dingwall
james-launchpad at dingwall.me.uk
Mon Apr 22 10:50:36 UTC 2013
Hi,
We are currently facing an issue in Precise using certificate
authenticated apt repositories. It seems that this problem with the
gnutls library is the root cause of the issue that we are seeing.
Although upgrading to a different Ubuntu release would be a solution for
us it is significantly less preferable than having it solved through a
package update in Precise. Has there been any further progress in
rebasing the patch on top of the security update?
Thanks,
James
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1095052
Title:
Client certificate authentication fails
Status in “gnutls26” package in Ubuntu:
Fix Released
Status in “gnutls26” source package in Precise:
In Progress
Status in “gnutls26” source package in Quantal:
Fix Released
Bug description:
[Impact]:
Applications that are linked to gnutls26 and use client certificate
authentication do not work. I personally know of apt-transport-https,
gnutls-cli and subversion (#1020591), but any application linked to
this library will possibly have the same issue.
Apt repositories that use client certificate authentication do not
work; you get the error:
"GnuTLS error: GnuTLS internal error."
This issue was reported upstream and fixed in a version newer than the
one shipped in precise.
https://gitorious.org/gnutls/gnutls/commit/555766063e08fc675b88e06560f79456c4ba4f24
I have cherry-picked that fix into the Precise version.
[Test case]:
Create a CA and certificates for use:
openssl genrsa -aes256 -seed -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -aes256 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt
Set up a web server (Nginx or Apache) for SSL client certificate
authentication:
# Nginx
server {
    listen 443;
    root /var/www;
    index index.html index.htm;
    ssl on;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_client on;
    location / {
        try_files $uri $uri/ =404;
    }
}
# Apache
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/certs/server.key
    SSLCACertificateFile /etc/ssl/certs/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 10
</VirtualHost>
</IfModule>
Test Case 1
===========
Then test using gnutls-cli linked to the gnutls26 package:
gnutls-cli --x509cafile ca.crt --x509keyfile client.key --x509certfile client.crt server_ip_address -V
Processed 1 CA certificate(s).
Processed 1 CRL(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'ubuntu.home.topdog-software.com'...
Connecting to '192.168.1.12:443'...
- Server's trusted authorities:
[0]: C=ZA,ST=Gauteng,L=Johannesburg,O=XXXX,OU=CA,CN=XXXX,EMAIL=info@XXXX
*** Fatal error: GnuTLS internal error.
*** Handshake has failed
GnuTLS error: GnuTLS internal error.
Test Case 2
===========
Test apt-transport-https
/etc/apt/apt.conf.d/00httpstest
Acquire::https::testserver_address::CaInfo "/etc/apt/certs/ca.crt";
Acquire::https::testserver_address::SslCert "/etc/apt/certs/client.crt";
Acquire::https::testserver_address::SslKey "/etc/apt/certs/client.key";
Debug::Acquire::https "true";
/etc/apt/sources.list.d/test.list
deb https://testserver_address precise/
Then run apt-get update
gnutls_handshake() failed: GnuTLS internal error.
[Regression Potential]
The patch does not cause any regressions that I can see.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1095052/+subscriptions
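The following is an added example, not part of the bug report, of gnutls26 or of the Ubuntu packaging. It repeats the [Test case] above in miniature so that a server's client-certificate setup can be checked independently of the GnuTLS client: a throwaway CA signs a server and a client certificate with the openssl CLI (the same genrsa/req/x509 steps, but with unencrypted keys so nothing prompts), a TLS server that requires a client certificate (the equivalent of "ssl_verify_client on" / "SSLVerifyClient require") is started on 127.0.0.1, and a client connects once with and once without its certificate. If this OpenSSL-backed check succeeds against the real server but gnutls-cli or apt-transport-https still fails with "GnuTLS internal error", the library is the suspect rather than the server configuration. It assumes Python 3.7+ and an openssl binary (1.1.1 or later) on PATH; all names, subjects and file paths are constructed for the example.

```python
"""Mutual-TLS smoke test (added example, not code from the bug report).

Builds a throwaway CA, server and client certificate with the openssl CLI,
starts a TLS server that *requires* a client certificate on 127.0.0.1, and
connects to it with and without the client certificate. Assumes an
`openssl` binary (1.1.1+) on PATH; keys are generated without a passphrase.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def _openssl(args, cwd):
    """Run one openssl command inside cwd, failing loudly on error."""
    subprocess.run(["openssl", *args], cwd=cwd, check=True, capture_output=True)


def make_pki(workdir):
    """Create ca.crt plus server/client key pairs signed by that CA.

    The CA is self-signed via `x509 -req -signkey` with an explicit
    basicConstraints/keyUsage ext file, so OpenSSL accepts it as an issuer
    even when no openssl.cnf supplies a v3_ca section. The server cert gets
    a subjectAltName for localhost so the client can verify the hostname.
    """
    with open(os.path.join(workdir, "ca.ext"), "w") as f:
        f.write("basicConstraints=critical,CA:TRUE\n"
                "keyUsage=critical,keyCertSign,cRLSign\n")
    with open(os.path.join(workdir, "server.ext"), "w") as f:
        f.write("subjectAltName=DNS:localhost,IP:127.0.0.1\n")
    _openssl(["req", "-new", "-newkey", "rsa:2048", "-nodes",
              "-subj", "/CN=Example Test CA",
              "-keyout", "ca.key", "-out", "ca.csr"], workdir)
    _openssl(["x509", "-req", "-days", "3650", "-in", "ca.csr",
              "-signkey", "ca.key", "-extfile", "ca.ext", "-out", "ca.crt"], workdir)
    for name, cn, serial in (("server", "localhost", "01"),
                             ("client", "test-client", "02")):
        _openssl(["req", "-new", "-newkey", "rsa:2048", "-nodes",
                  "-subj", f"/CN={cn}",
                  "-keyout", f"{name}.key", "-out", f"{name}.csr"], workdir)
        sign = ["x509", "-req", "-days", "365", "-in", f"{name}.csr",
                "-CA", "ca.crt", "-CAkey", "ca.key", "-set_serial", serial,
                "-out", f"{name}.crt"]
        if name == "server":
            sign += ["-extfile", "server.ext"]
        _openssl(sign, workdir)
    return {n: os.path.join(workdir, n) for n in
            ("ca.crt", "server.crt", "server.key", "client.crt", "client.key")}


def _serve(pki, listener, count, log):
    """Accept `count` connections; require a client cert and record its CN."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(pki["server.crt"], pki["server.key"])
    ctx.load_verify_locations(cafile=pki["ca.crt"])   # like ssl_client_certificate / SSLCACertificateFile
    ctx.verify_mode = ssl.CERT_REQUIRED                # like ssl_verify_client on / SSLVerifyClient require
    for _ in range(count):
        conn, _addr = listener.accept()
        conn.settimeout(10)
        try:
            with ctx.wrap_socket(conn, server_side=True) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                tls.sendall(b"hello " + subject["commonName"].encode())
                log.append(("accepted", subject["commonName"]))
        except OSError as exc:                          # ssl.SSLError is an OSError
            log.append(("rejected", str(exc)))


def connect(pki, port, with_client_cert):
    """Client side: verify the server against ca.crt and optionally present
    client.crt. Returns the server's greeting, or None when the handshake
    or the first read fails (with TLS 1.3 a missing client certificate is
    only reported to the client on that first read)."""
    ctx = ssl.create_default_context(cafile=pki["ca.crt"])
    if with_client_cert:
        ctx.load_cert_chain(pki["client.crt"], pki["client.key"])
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                return tls.recv(1024).decode() or None
    except OSError:
        return None


def run_demo():
    """Run both scenarios; returns the greetings and the server's verdicts."""
    with tempfile.TemporaryDirectory() as workdir:
        pki = make_pki(workdir)
        listener = socket.socket()
        listener.settimeout(10)
        listener.bind(("127.0.0.1", 0))                 # ephemeral port
        listener.listen(2)
        port = listener.getsockname()[1]
        log = []
        server = threading.Thread(target=_serve, args=(pki, listener, 2, log), daemon=True)
        server.start()
        result = {"with_cert": connect(pki, port, True),
                  "without_cert": connect(pki, port, False)}
        server.join(30)
        listener.close()
        result["server_log"] = log
        return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point the client half at a real server (replace 127.0.0.1 and the port, and load the server's CA instead of the throwaway one) to check an Nginx or Apache deployment; a greeting from the with-certificate connection and None from the other shows the server is enforcing client authentication as configured.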