[Bug 1095052] [NEW] Client certificate authentication fails
Andrew Colin Kissa
1095052 at bugs.launchpad.net
Tue Jan 1 14:29:45 UTC 2013
Public bug reported:
[Impact]:
Applications that are linked to gnutls26 and use client certificate
authentication do not work. I personally know of apt-transport-https,
gnutls-cli and subversion (#1020591), but any application linked to this
library will possibly have the same issue.
Apt repositories that use client certificate authentication do not work;
you get the error "GnuTLS error: GnuTLS internal error."
This issue was reported upstream and fixed in a version newer than the
one shipped in precise:
https://gitorious.org/gnutls/gnutls/commit/555766063e08fc675b88e06560f79456c4ba4f24
I have backported that fix to the precise version.
[Test case]:
Create a CA and certificates for use:
openssl genrsa -aes256 -seed -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -aes256 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt
Set up a web server (Nginx or Apache) for SSL client certificate
authentication:
#Nginx
server {
    listen 443;
    root /var/www;
    index index.html index.htm;
    ssl on;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_client on;
    location / {
        try_files $uri $uri/ =404;
    }
}
#apache
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/certs/server.key
    SSLCACertificateFile /etc/ssl/certs/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 10
</VirtualHost>
</IfModule>
Test Case 1
===========
Then test using gnutls-cli linked to the gnutls26 package:
gnutls-cli --x509cafile ca.crt --x509keyfile client.key --x509certfile client.crt server_ip_address -V
Processed 1 CA certificate(s).
Processed 1 CRL(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'ubuntu.home.topdog-software.com'...
Connecting to '192.168.1.12:443'...
- Server's trusted authorities:
[0]: C=ZA,ST=Gauteng,L=Johannesburg,O=XXXX,OU=CA,CN=XXXX,EMAIL=info@XXXX
*** Fatal error: GnuTLS internal error.
*** Handshake has failed
GnuTLS error: GnuTLS internal error.
Test Case 2
===========
Test apt-transport-https.
Contents of /etc/apt/apt.conf.d/00httpstest:
Acquire::https::testserver_address::CaInfo "/etc/apt/certs/ca.crt";
Acquire::https::testserver_address::SslCert "/etc/apt/certs/client.crt";
Acquire::https::testserver_address::SslKey "/etc/apt/certs/client.key";
Debug::Acquire::https "true";
Contents of /etc/apt/sources.list.d/test.list:
deb https://testserver_address precise/
Then run apt-get update; it fails with:
gnutls_handshake() failed: GnuTLS internal error.
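As an added check that is not part of the bug report: the script below rebuilds the report's CA/client/server chain with openssl (non-interactively, with unencrypted keys and a subjectAltName of localhost on the server certificate, which the report's commands do not set) and runs one loopback handshake against an in-process server that requires a client certificate, the same policy as ssl_verify_client on / SSLVerifyClient require. Python's ssl module is OpenSSL-backed, so a pass shows the certificates and server policy are sound and isolates the failure to the GnuTLS-linked client; the second run shows what a rejected client looks like from the server side. All file names and subjects are constructed for this example.

```python
import socket, ssl, subprocess, tempfile, threading
from pathlib import Path

def sh(*args): subprocess.run(args, check=True, capture_output=True)

def gen_certs(d: Path) -> None:
    # Same chain as the report (CA, client serial 01, server serial 02), made
    # non-interactive: fixed subjects, unencrypted keys, SAN for "localhost".
    sh("openssl", "genrsa", "-out", d / "ca.key", "2048")
    sh("openssl", "req", "-new", "-x509", "-days", "3650", "-key", d / "ca.key",
       "-out", d / "ca.crt", "-subj", "/CN=Test CA")
    (d / "san.cnf").write_text("subjectAltName=DNS:localhost\n")
    for name, serial, cn in (("client", "01", "test-client"), ("server", "02", "localhost")):
        sh("openssl", "genrsa", "-out", d / f"{name}.key", "2048")
        sh("openssl", "req", "-new", "-key", d / f"{name}.key", "-out", d / f"{name}.csr", "-subj", f"/CN={cn}")
        ext = ("-extfile", d / "san.cnf") if name == "server" else ()
        sh("openssl", "x509", "-req", "-days", "365", "-in", d / f"{name}.csr", "-CA", d / "ca.crt",
           "-CAkey", d / "ca.key", "-set_serial", serial, "-out", d / f"{name}.crt", *ext)

def mtls_handshake(d: Path, send_client_cert: bool = True):
    """One loopback handshake; returns (accepted_by_server, client_cn_or_error)."""
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(d / "server.crt", d / "server.key")
    srv.load_verify_locations(d / "ca.crt")
    srv.verify_mode = ssl.CERT_REQUIRED           # = ssl_verify_client on / SSLVerifyClient require
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server chain and hostname by default
    cli.load_verify_locations(d / "ca.crt")
    if send_client_cert: cli.load_cert_chain(d / "client.crt", d / "client.key")
    lsock = socket.create_server(("127.0.0.1", 0)); lsock.settimeout(5)
    outcome = {}
    def serve():  # the server enforces the client-cert policy, so its verdict is authoritative
        try:
            conn, _ = lsock.accept(); conn.settimeout(5)
            with srv.wrap_socket(conn, server_side=True) as tls:
                outcome["cn"] = dict(rdn[0] for rdn in tls.getpeercert()["subject"])["commonName"]
        except OSError as e:
            outcome["err"] = str(e)
    t = threading.Thread(target=serve); t.start()
    try:
        with socket.create_connection(lsock.getsockname(), timeout=5) as raw:
            cli.wrap_socket(raw, server_hostname="localhost").close()
    except OSError: pass  # under TLS 1.2 the client sees the server's alert too; outcome holds the reason
    t.join(); lsock.close()
    return "cn" in outcome, outcome.get("cn", outcome.get("err", ""))

def run_demo():
    # Scratch directory; returns (with-cert accepted, without-cert accepted, client CN seen by server)
    d = Path(tempfile.mkdtemp())
    gen_certs(d)
    ok, cn = mtls_handshake(d)
    return ok, mtls_handshake(d, send_client_cert=False)[0], cn
```

Running `run_demo()` returns `(True, False, 'test-client')`; a GnuTLS-linked client tested against the same files and server policy should behave the same way once the backported fix is in place.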
[Regression Potential]
The patch does not cause any regressions that I can see.
** Affects: gnutls26 (Ubuntu)
Importance: Undecided
Status: New
** Tags: gnutls25 lts precise ubuntu-sru
** Patch added: "Upstream fix backported to the precise version"
https://bugs.launchpad.net/bugs/1095052/+attachment/3471958/+files/gnutls26_2.12.14-5ubuntu3.2.debdiff
https://bugs.launchpad.net/bugs/1095052