[Bug 1095052] [NEW] Client certificate authentication fails

Launchpad Bug Tracker 1095052 at bugs.launchpad.net
Mon Jan 7 17:09:06 UTC 2013


You have been subscribed to a public bug by Brian Murray (brian-murray):

[Impact]:

Applications that are linked to gnutls26 and use client certificate
authentication do not work; I personally know of apt-transport-https,
gnutls-cli and subversion (#1020591), but any application linked to this
library will possibly have the same issue.

Apt repositories that use client certificate authentication do not work;
you get the error:

"GnuTLS error: GnuTLS internal error."

This issue was reported upstream and fixed in a version newer than the
one shipped in precise:
https://gitorious.org/gnutls/gnutls/commit/555766063e08fc675b88e06560f79456c4ba4f24
I have cherry-picked that fix into the precise version.

[Test case]:

Create a CA and certificates for use (the CA signs both the client and the server certificate):

openssl genrsa -aes256 -seed -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -aes256 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt

Set up a web server (Nginx or Apache) for SSL client certificate
authentication:

#Nginx
server {
        listen 443;
        root /var/www;
        index index.html index.htm;
        ssl on;
        ssl_certificate /etc/ssl/certs/server.crt;
        ssl_certificate_key /etc/ssl/certs/server.key;

        ssl_session_timeout 5m;

        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
        ssl_prefer_server_ciphers on;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client on;
        location / {
                try_files $uri $uri/ =404;
        }
}

#apache
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
 ServerAdmin webmaster@localhost
 DocumentRoot /var/www
 <Directory />
  Options FollowSymLinks
  AllowOverride None
 </Directory>
 <Directory /var/www>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
 </Directory>
 ErrorLog ${APACHE_LOG_DIR}/error.log
 LogLevel warn
 CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
 SSLEngine on
 SSLCertificateFile    /etc/ssl/certs/server.crt
 SSLCertificateKeyFile /etc/ssl/certs/server.key
 SSLCACertificateFile /etc/ssl/certs/ca.crt
 SSLVerifyClient require
 SSLVerifyDepth  10
</VirtualHost>
</IfModule>

Test Case 1
=========

Then test using gnutls-cli linked to the gnutls26 package:

gnutls-cli --x509cafile ca.crt --x509keyfile client.key --x509certfile client.crt server_ip_address -V

Processed 1 CA certificate(s).
Processed 1 CRL(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'ubuntu.home.topdog-software.com'...
Connecting to '192.168.1.12:443'...
- Server's trusted authorities:
   [0]: C=ZA,ST=Gauteng,L=Johannesburg,O=XXXX,OU=CA,CN=XXXX,EMAIL=info@XXXX
*** Fatal error: GnuTLS internal error.
*** Handshake has failed
GnuTLS error: GnuTLS internal error.

Test Case 2
=========

Test apt-transport-https. Put the client certificate configuration in

/etc/apt/apt.conf.d/00httpstest

Acquire::https::testserver_address::CaInfo  "/etc/apt/certs/ca.crt";
Acquire::https::testserver_address::SslCert "/etc/apt/certs/client.crt";
Acquire::https::testserver_address::SslKey  "/etc/apt/certs/client.key";
Debug::Acquire::https "true";

and add the repository in /etc/apt/sources.list.d/test.list:

deb https://testserver_address precise/

Then run apt-get update; it fails with:

gnutls_handshake() failed: GnuTLS internal error.

[Regression Potential]

The patch does not cause any regressions that I can see.

** Affects: gnutls26 (Ubuntu)
     Importance: Medium
         Status: Fix Released

** Affects: gnutls26 (Ubuntu Precise)
     Importance: Medium
         Status: Triaged

** Affects: gnutls26 (Ubuntu Quantal)
     Importance: Medium
         Status: Triaged


** Tags: gnutls25 lts precise ubuntu-sru
-- 
Client certificate authentication fails
https://bugs.launchpad.net/bugs/1095052