[Bug 1095052] Re: Client certificate authentication fails

Timo Aaltonen tjaalton at ubuntu.com
Wed Jan 16 15:04:28 UTC 2013


Thanks for the backports! I've uploaded a new version to precise &
quantal, but they need to get past the SRU check first.

** Changed in: gnutls26 (Ubuntu Precise)
       Status: Triaged => In Progress

** Changed in: gnutls26 (Ubuntu Precise)
     Assignee: (unassigned) => Timo Aaltonen (tjaalton)

** Changed in: gnutls26 (Ubuntu Quantal)
       Status: Triaged => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1095052

Title:
  Client certificate authentication fails

Status in “gnutls26” package in Ubuntu:
  Fix Released
Status in “gnutls26” source package in Precise:
  In Progress
Status in “gnutls26” source package in Quantal:
  In Progress

Bug description:
  [Impact]:

  Applications that are linked to gnutls26 and use client certificate
  authentication do not work. I personally know of apt-transport-https,
  gnutls-cli and subversion (#1020591), but any application linked to
  this library will possibly have the same issue.

  Apt repositories that use client certificate authentication do not
  work; you get the error:

  "GnuTLS error: GnuTLS internal error."

  This issue was reported upstream and fixed in a version newer than the
  one shipped in precise:
  https://gitorious.org/gnutls/gnutls/commit/555766063e08fc675b88e06560f79456c4ba4f24
  I have cherry-picked that fix into the precise version.

  [Test case]:

  Create a CA and certificates for use:

  openssl genrsa -aes256 -seed -out ca.key 4096
  openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
  openssl genrsa -aes256 -out client.key 4096
  openssl req -new -key client.key -out client.csr
  openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
  openssl genrsa -aes256 -out server.key 4096
  openssl req -new -key server.key -out server.csr
  openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt

  Set up a web server (Nginx or Apache) for SSL client certificate
  authentication:

  #Nginx
  server {
          listen 443;
          root /var/www;
          index index.html index.htm;
          ssl on;
          ssl_certificate /etc/ssl/certs/server.crt;
          ssl_certificate_key /etc/ssl/certs/server.key;

          ssl_session_timeout 5m;

          ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
          ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
          ssl_prefer_server_ciphers on;
          ssl_client_certificate /etc/ssl/certs/ca.crt;
          ssl_verify_client on;
          location / {
                  try_files $uri $uri/ =404;
          }
  }

  #apache
  <IfModule mod_ssl.c>
  <VirtualHost _default_:443>
   ServerAdmin webmaster@localhost
   DocumentRoot /var/www
   <Directory />
    Options FollowSymLinks
    AllowOverride None
   </Directory>
   <Directory /var/www>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
   </Directory>
   ErrorLog ${APACHE_LOG_DIR}/error.log
   LogLevel warn
   CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
   SSLEngine on
   SSLCertificateFile    /etc/ssl/certs/server.crt
   SSLCertificateKeyFile /etc/ssl/certs/server.key
   SSLCACertificateFile /etc/ssl/certs/ca.crt
   SSLVerifyClient require
   SSLVerifyDepth  10
  </VirtualHost>
  </IfModule>

  Test Case 1
  ===========

  Then test using gnutls-cli linked to the gnutls26 package:

  gnutls-cli --x509cafile ca.crt --x509keyfile client.key --x509certfile client.crt server_ip_address -V

  Processed 1 CA certificate(s).
  Processed 1 CRL(s).
  Processed 1 client certificates...
  Processed 1 client X.509 certificates...
  Resolving 'ubuntu.home.topdog-software.com'...
  Connecting to '192.168.1.12:443'...
  - Server's trusted authorities:
     [0]: C=ZA,ST=Gauteng,L=Johannesburg,O=XXXX,OU=CA,CN=XXXX,EMAIL=info at XXXX
  *** Fatal error: GnuTLS internal error.
  *** Handshake has failed
  GnuTLS error: GnuTLS internal error.

  Test Case 2
  ===========

  Test apt-transport-https:

  /etc/apt/apt.conf.d/00httpstest

  Acquire::https::testserver_address::CaInfo  "/etc/apt/certs/ca.crt";
  Acquire::https::testserver_address::SslCert "/etc/apt/certs/client.crt";
  Acquire::https::testserver_address::SslKey  "/etc/apt/certs/client.key";
  Debug::Acquire::https "true";

  /etc/apt/sources.list.d/test.list

  deb https://testserver_address precise/

  Then run apt-get update:

  gnutls_handshake() failed: GnuTLS internal error.

  [Regression Potential]:

  The patch does not cause any regressions that I can see.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1095052/+subscriptions
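The test case in the report needs a configured Nginx or Apache. What follows is an added example, not code from the bug report or from GnuTLS, that reproduces Test Case 1 end to end with nothing but openssl and gnutls-cli: it issues a throwaway CA plus a client and a server certificate, runs `openssl s_server` so that it demands a client certificate, connects with gnutls-cli the way the report does, and reduces the output to a one-word verdict so the check can be scripted before and after the SRU lands. It assumes openssl and gnutls-cli are on PATH; the port 4433, the host localhost and the temporary directory are illustrative. It keys on gnutls-cli's "Handshake was completed" line for success and on the report's "GnuTLS internal error" line for this bug.

```shell
#!/bin/sh
# Added example, not code from the bug report or from GnuTLS: reproduce
# Test Case 1 without a web server. Assumes openssl and gnutls-cli on PATH;
# the port, host and directory are illustrative.
set -u

# Reduce gnutls-cli's combined stdout/stderr to a one-word verdict. Order
# matters: the buggy run prints both "Handshake has failed" and "GnuTLS
# internal error", and the latter is what identifies this bug.
classify_handshake() {
    case "$1" in
        *"GnuTLS internal error"*)   echo bug-reproduced ;;
        *"Handshake was completed"*) echo ok ;;
        *"Handshake has failed"*)    echo other-failure ;;
        *)                           echo unknown ;;
    esac
}

# issue_cert <dir> <name> <subject>: key + CSR for <name>, signed by
# <dir>/ca.* with the extensions listed in <dir>/<name>.ext.
issue_cert() {
    dir="$1"; name="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# make_test_pki <dir>: CA, client and server certificates. Keys are left
# unencrypted (-nodes) so nothing prompts; the server gets a SAN for
# localhost because newer gnutls-cli aborts on a name mismatch by default.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost\n' > "$dir/server.ext"
    issue_cert "$dir" client "/CN=test client"
    issue_cert "$dir" server "/CN=localhost"
}

# run_check <dir> [port]: serve with openssl s_server (-Verify makes it
# demand a client certificate), connect as Test Case 1 does, classify.
run_check() {
    dir="$1"; port="${2:-4433}"
    openssl s_server -accept "$port" -www -cert "$dir/server.crt" \
        -key "$dir/server.key" -CAfile "$dir/ca.crt" -Verify 1 >/dev/null 2>&1 &
    srv=$!
    sleep 1
    out=$(printf 'GET / HTTP/1.0\r\n\r\n' | gnutls-cli --x509cafile "$dir/ca.crt" \
        --x509keyfile "$dir/client.key" --x509certfile "$dir/client.crt" \
        -p "$port" localhost 2>&1) || true
    kill "$srv" 2>/dev/null || true
    classify_handshake "$out"
}

# Only drive the real tools when asked for explicitly: sh repro.sh run
if [ "${1:-}" = run ]; then
    tmp=$(mktemp -d)
    make_test_pki "$tmp"
    verdict=$(run_check "$tmp")
    echo "gnutls-cli client-certificate handshake: $verdict"
    rm -rf "$tmp"
    [ "$verdict" = ok ]
fi
```

Run it as `sh repro.sh run`. The Test Case 1 transcript in the report classifies as bug-reproduced; a gnutls26 with the cherry-picked fix should give ok, and anything else that aborts the handshake (a wrong CA, a rejected certificate) shows up as other-failure rather than being mistaken for this bug. Unlike the report's openssl commands, the keys carry no passphrase and the certificates carry an extendedKeyUsage, so the script runs unattended.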
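The Nginx block in the test case is enough to reproduce the bug, but it should not be copied onto a real repository host: ssl_protocols admits SSLv3, the cipher string admits RC4, LOW and export suites, and the private key sits in /etc/ssl/certs, a world-readable directory. Below is an added variant that is not from the bug report, keeping the same client-certificate verification and the same paths as assumptions. TLSv1 and the AES-CBC suites are deliberately kept: gnutls26 is GnuTLS 2.12, which predates the ECDHE and AES-GCM support added in GnuTLS 3.0, so a list restricted to those would lock out exactly the clients this bug is about.

```nginx
server {
    listen 443 ssl;                 # replaces "ssl on;", which is deprecated
    root /var/www;
    index index.html index.htm;

    ssl_certificate     /etc/ssl/certs/server.crt;
    # Keep the key out of /etc/ssl/certs, which is world-readable.
    ssl_certificate_key /etc/ssl/private/server.key;

    ssl_session_timeout 5m;

    # No SSLv3; TLSv1 stays so GnuTLS 2.12 clients can still connect.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # HIGH only: no anonymous DH, no RC4, MD5 or 3DES, no export or LOW suites.
    ssl_ciphers HIGH:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXPORT:!LOW;
    ssl_prefer_server_ciphers on;

    # Client certificate verification as in the test case, with the chain
    # depth pinned to the single-level CA created in the test case.
    ssl_client_certificate /etc/ssl/certs/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After editing, `nginx -t` checks the syntax, and the gnutls-cli command from Test Case 1 against this server is the quickest way to confirm that the reduced cipher list still leaves a suite that the gnutls26 client can negotiate.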
