[Bug 1095052] Re: Client certificate authentication fails
Andrew Colin Kissa
1095052 at bugs.launchpad.net
Mon Jan 7 16:48:23 UTC 2013
** Description changed:
[Impact]:
Applications that are linked to gnutls26 and use client certificate
authentication do not work, i personally know of apt-transport-https,
gnutls-cli and subversion (#1020591) But any application linked to this
library will possible have the same issue
Apt repositories that use client certificate authentication do not work
you get the error.
+ "GnuTLS error: GnuTLS internal error."
+
This issue was reported upstream and fixed in a version newer than the
one shipped in precise.
https://gitorious.org/gnutls/gnutls/commit/555766063e08fc675b88e06560f79456c4ba4f24
- I have back ported that fix to the precise version
-
- "GnuTLS error: GnuTLS internal error."
+ I have cherry picked that fix into to the precise version
[Test case]:
Create a CA and certificates for use:
-
openssl genrsa -aes256 -seed -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -aes256 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt
Set up a web server Nginx or Apache for SSL client certificate
authentication
#Nginx
server {
- listen 443;
- root /var/www;
- index index.html index.htm;
- ssl on;
- ssl_certificate /etc/ssl/certs/server.crt;
- ssl_certificate_key /etc/ssl/certs/server.key;
+ listen 443;
+ root /var/www;
+ index index.html index.htm;
+ ssl on;
+ ssl_certificate /etc/ssl/certs/server.crt;
+ ssl_certificate_key /etc/ssl/certs/server.key;
- ssl_session_timeout 5m;
+ ssl_session_timeout 5m;
- ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
- ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
- ssl_prefer_server_ciphers on;
- ssl_client_certificate /etc/ssl/certs/ca.crt;
- ssl_verify_client on;
- location / {
- try_files $uri $uri/ =404;
- }
+ ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
+ ssl_prefer_server_ciphers on;
+ ssl_client_certificate /etc/ssl/certs/ca.crt;
+ ssl_verify_client on;
+ location / {
+ try_files $uri $uri/ =404;
+ }
}
#apache
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
- ServerAdmin webmaster at localhost
- DocumentRoot /var/www
- <Directory />
- Options FollowSymLinks
- AllowOverride None
- </Directory>
- <Directory /var/www>
- Options Indexes FollowSymLinks MultiViews
- AllowOverride None
- Order allow,deny
- allow from all
- </Directory>
- ErrorLog ${APACHE_LOG_DIR}/error.log
- LogLevel warn
- CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
- SSLEngine on
- SSLCertificateFile /etc/ssl/certs/server.crt
- SSLCertificateKeyFile /etc/ssl/certs/server.key
- SSLCACertificateFile /etc/ssl/certs/ca.crt
- SSLVerifyClient require
- SSLVerifyDepth 10
+ ServerAdmin webmaster at localhost
+ DocumentRoot /var/www
+ <Directory />
+ Options FollowSymLinks
+ AllowOverride None
+ </Directory>
+ <Directory /var/www>
+ Options Indexes FollowSymLinks MultiViews
+ AllowOverride None
+ Order allow,deny
+ allow from all
+ </Directory>
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ LogLevel warn
+ CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/server.crt
+ SSLCertificateKeyFile /etc/ssl/certs/server.key
+ SSLCACertificateFile /etc/ssl/certs/ca.crt
+ SSLVerifyClient require
+ SSLVerifyDepth 10
</VirtualHost>
</IfModule>
Test Case1
=========
Then test using gnutls-cli linked to the gnutls26 package
gnutls-cli --x509cafile ca.crt --x509keyfile client.key --x509certfile
client.crt server_ip_addresss -V
Processed 1 CA certificate(s).
Processed 1 CRL(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'ubuntu.home.topdog-software.com'...
Connecting to '192.168.1.12:443'...
- Server's trusted authorities:
- [0]: C=ZA,ST=Gauteng,L=Johannesburg,O=XXXX,OU=CA,CN=XXXX,EMAIL=info at XXXX
+ [0]: C=ZA,ST=Gauteng,L=Johannesburg,O=XXXX,OU=CA,CN=XXXX,EMAIL=info at XXXX
*** Fatal error: GnuTLS internal error.
*** Handshake has failed
GnuTLS error: GnuTLS internal error.
Test Case2
=========
Test apt-transport-https
/etc/apt/apt.conf.d/00httpstest
Acquire::https::testserver_address::CaInfo "/etc/apt/certs/ca.crt";
Acquire::https::testserver_address::SslCert "/etc/apt/certs/client.crt";
Acquire::https::testserver_address::SslKey "/etc/apt/certs/client.key";
Debug::Acquire::https "true";
/etc/apt/sources.list.d/test.list
deb https://testserver_address precise/
Then run apt-get update
gnutls_handshake() failed: GnuTLS internal error.
[Regression Potential]
The patch does not cause any regressions that i can see.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gnutls26 in Ubuntu.
https://bugs.launchpad.net/bugs/1095052
Title:
Client certificate authentication fails
Status in “gnutls26” package in Ubuntu:
New
Bug description:
[Impact]:
Applications that are linked to gnutls26 and use client certificate
authentication do not work. I personally know of apt-transport-https,
gnutls-cli and subversion (#1020591), but any application linked to
this library will possibly have the same issue.
Apt repositories that use client certificate authentication do not
work; you get the error:
"GnuTLS error: GnuTLS internal error."
This issue was reported upstream and fixed in a version newer than the
one shipped in precise.
https://gitorious.org/gnutls/gnutls/commit/555766063e08fc675b88e06560f79456c4ba4f24
I have cherry-picked that fix into the precise version.
[Test case]:
Create a CA and certificates for use:
openssl genrsa -aes256 -seed -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -aes256 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt
Set up a web server (Nginx or Apache) for SSL client certificate
authentication:
#Nginx
server {
    listen 443;
    root /var/www;
    index index.html index.htm;
    ssl on;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/certs/server.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_client on;
    location / {
        try_files $uri $uri/ =404;
    }
}
#apache
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/certs/server.key
    SSLCACertificateFile /etc/ssl/certs/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 10
</VirtualHost>
</IfModule>
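As an added example (not part of the bug report, nor code from the gnutls or Ubuntu projects), the POSIX shell script below reproduces the certificate-generation steps above non-interactively and then checks with openssl verify what the server's ssl_verify_client on / SSLVerifyClient require settings enforce: the server and client certificates issued by ca.crt verify against it, while a client certificate issued by a second, unrelated CA is rejected. Assumptions that differ from the report's commands: -nodes instead of -aes256 passphrases, 2048-bit keys instead of 4096, fixed -subj values, a temporary working directory, and openssl on PATH. It exercises only the OpenSSL side of the test case; the handshake failure in the report is triggered by the GnuTLS client, which this script does not run.

```shell
#!/bin/sh
# Added example: build the CA / server / client PKI from the test case
# non-interactively and verify the trust relationships that the web server's
# client-certificate check relies on. Assumes `openssl` is on PATH.
set -eu

# Create a self-signed CA ($1 = file prefix, $2 = subject) inside $3.
# -nodes and rsa:2048 are assumptions for unattended, fast generation.
make_ca() {
    name=$1; subj=$2; dir=$3
    openssl req -new -x509 -days 3650 -newkey rsa:2048 -nodes -subj "$subj" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
}

# Issue an end-entity certificate signed by CA $1 for subject $2,
# written as $3.key/.csr/.crt with serial $4, inside $5.
# Mirrors the report's genrsa / req -new / x509 -req -CA sequence.
issue_cert() {
    ca=$1; subj=$2; name=$3; serial=$4; dir=$5
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$name.key" -subj "$subj" \
        -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/$ca.crt" -CAkey "$dir/$ca.key" -set_serial "$serial" \
        -out "$dir/$name.crt" 2>/dev/null
}

# Returns 0 when both the positive and the negative verification hold:
#   - server.crt and client.crt chain to ca.crt (what the server trusts);
#   - a client certificate from an unrelated "rogue" CA does not, which is
#     exactly the case ssl_verify_client on / SSLVerifyClient require
#     must refuse at the handshake.
run_client_cert_pki_check() {
    workdir=$(mktemp -d)

    make_ca ca "/O=Example Test PKI/CN=Test CA" "$workdir"
    make_ca rogue "/O=Unrelated PKI/CN=Rogue CA" "$workdir"
    issue_cert ca "/CN=server.example.test" server 02 "$workdir"
    issue_cert ca "/CN=client.example.test" client 01 "$workdir"
    issue_cert rogue "/CN=client.example.test" rogue-client 03 "$workdir"

    # Positive checks: both certificates must verify against the test CA.
    openssl verify -CAfile "$workdir/ca.crt" "$workdir/server.crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$workdir/ca.crt" "$workdir/client.crt" >/dev/null 2>&1 || return 1

    # Negative check: a certificate from another CA must NOT verify, even
    # though its subject name is identical to the legitimate client's.
    if openssl verify -CAfile "$workdir/ca.crt" "$workdir/rogue-client.crt" >/dev/null 2>&1; then
        rm -rf "$workdir"
        return 1
    fi

    rm -rf "$workdir"
    return 0
}

# Stand-alone usage: prints a confirmation when all checks pass.
run_client_cert_pki_check && echo "client-certificate PKI checks passed"
```

Because the rogue client certificate carries the same CN as the genuine one, the script also illustrates why the server must validate the issuer chain rather than the subject name alone. Separately, the ssl_protocols / ssl_ciphers lines in the Nginx fragment above enable SSLv3 and EXP/LOW/RC4 cipher suites, which is acceptable for a throwaway reproduction but should be restricted to current TLS versions and cipher suites on any real server.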
Test Case 1
=========
Then test using gnutls-cli linked to the gnutls26 package:
gnutls-cli --x509cafile ca.crt --x509keyfile client.key --x509certfile client.crt server_ip_address -V
Processed 1 CA certificate(s).
Processed 1 CRL(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'ubuntu.home.topdog-software.com'...
Connecting to '192.168.1.12:443'...
- Server's trusted authorities:
[0]: C=ZA,ST=Gauteng,L=Johannesburg,O=XXXX,OU=CA,CN=XXXX,EMAIL=info at XXXX
*** Fatal error: GnuTLS internal error.
*** Handshake has failed
GnuTLS error: GnuTLS internal error.
Test Case 2
=========
Test apt-transport-https:
/etc/apt/apt.conf.d/00httpstest
Acquire::https::testserver_address::CaInfo "/etc/apt/certs/ca.crt";
Acquire::https::testserver_address::SslCert "/etc/apt/certs/client.crt";
Acquire::https::testserver_address::SslKey "/etc/apt/certs/client.key";
Debug::Acquire::https "true";
/etc/apt/sources.list.d/test.list
deb https://testserver_address precise/
Then run apt-get update:
gnutls_handshake() failed: GnuTLS internal error.
[Regression Potential]
The patch does not cause any regressions that I can see.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1095052/+subscriptions