Client certificate authentication fails
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
gnutls26 (Ubuntu) | Fix Released | Medium | Unassigned |
Precise | Fix Released | Medium | Timo Aaltonen |
Quantal | Fix Released | Medium | Unassigned |
Bug Description
[Impact]:
Applications that are linked to gnutls26 and use client certificate authentication do not work; I personally know of apt-transport-
Apt repositories that use client certificate authentication do not work; you get the error:
"GnuTLS error: GnuTLS internal error."
This issue was reported upstream and fixed in a version newer than the one shipped in precise. https:/
[Test case]:
Create a CA and certificates for use:
openssl genrsa -aes256 -seed -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -aes256 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt
Set up a web server (Nginx or Apache) for SSL client certificate authentication:
#Nginx
server {
    listen 443;
    root /var/www;
    index index.html index.htm;
    ssl on;
    # client certificate authentication; paths are placeholders, point them at the files generated above
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_client on;
    ssl_ciphers ALL:!ADH:
    location / {
    }
}
#apache
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /var/www>
            Options Indexes FollowSymLinks MultiViews
            AllowOverride None
            Order allow,deny
            allow from all
        </Directory>
        ErrorLog ${APACHE_
        LogLevel warn
        CustomLog ${APACHE_
        SSLEngine on
        SSLCertificateFile /etc/ssl/
        SSLCertificate
        SSLCACertifica
        SSLVerifyClient require
        SSLVerifyDepth 10
    </VirtualHost>
</IfModule>
Test Case 1
===========
Then test using gnutls-cli linked to the gnutls26 package:
gnutls-cli --x509cafile ca.crt --x509keyfile client.key --x509certfile client.crt server_ip_address -V
Processed 1 CA certificate(s).
Processed 1 CRL(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'ubuntu.
Connecting to '192.168.
- Server's trusted authorities:
[0]: C=ZA,ST=
*** Fatal error: GnuTLS internal error.
*** Handshake has failed
GnuTLS error: GnuTLS internal error.
Test Case 2
===========
Test apt-transport-https:
/etc/apt/
Acquire:
Acquire:
Acquire:
Debug::
/etc/apt/
deb https:/
Then run apt-get update:
gnutls_handshake() failed: GnuTLS internal error.
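An unattended shell version of the test case above (CA, client and server certificates, chain check, and the gnutls-cli client test), added here and not part of the bug report. It assumes openssl and gnutls-cli are on PATH, uses 2048-bit unencrypted keys and fixed subjects (constructed values) so nothing prompts, and takes the server host as an argument.

```shell
#!/bin/sh
# Unattended reproduction of the bug report's test case. Added example, not
# from the report: keys are 2048-bit and unencrypted and subjects are fixed
# (constructed) so the commands run without prompting.
set -eu

# Create ca.{key,crt}, client.{key,csr,crt} and server.{key,csr,crt} in DIR.
# Body runs in a subshell so the caller's working directory is unchanged.
make_test_pki() (
    dir="$1"
    mkdir -p "$dir" && cd "$dir"
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
        -subj "/C=XX/O=Test CA/CN=test-ca" 2>/dev/null
    for name in client server; do
        openssl genrsa -out "$name.key" 2048 2>/dev/null
        openssl req -new -key "$name.key" -out "$name.csr" \
            -subj "/C=XX/O=Test/CN=$name" 2>/dev/null
    done
    # Same distinct serials as the report: 01 for the client, 02 for the server.
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
        -set_serial 01 -out client.crt 2>/dev/null
    openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
        -set_serial 02 -out server.crt 2>/dev/null
)

# Returns 0 only when both leaf certificates verify against ca.crt; counts the
# ": OK" lines rather than relying on the exit status alone.
verify_test_pki() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" "$1/server.crt" \
        | grep -c ': OK$' | grep -qx 2
}

# The report's client check against HOST (assumed; gnutls-cli defaults to
# port 443). Exit status is gnutls-cli's: non-zero when the handshake fails,
# which on the broken gnutls26 build shows "GnuTLS internal error".
run_gnutls_client() {
    gnutls-cli --x509cafile "$1/ca.crt" --x509keyfile "$1/client.key" \
        --x509certfile "$1/client.crt" -V "$2" </dev/null
}
```

Usage: `make_test_pki ./pki && verify_test_pki ./pki && run_gnutls_client ./pki 192.0.2.10` (host is a placeholder).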
[Regression Potential]
The patch does not cause any regressions that I can see.
description: updated
tags: added: verification-done-precise; removed: verification-needed
This also needs fixing in Quantal.