Your message dated Fri, 02 Jan 2015 12:40:16 +0000
with message-id <[email protected]>
and subject line Bug#767610: Removed package(s) from unstable
has caused the Debian Bug report #560690,
regarding gnutls26: Handle client certificate files with included ca
certificates more gracefully
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
560690: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560690
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gnutls26
Severity: wishlist
Hi!
It has caused me much confusion that gnutls does not handle client
certificates well if they contain CA certificates together with the
client cert and key (at least that seems to be the case if the CA
certificates are listed *before* the client cert).
(You can see much of the resulting confusion as well as the discovery
of the real cause in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530510 )
In particular,
,----
gnutls-cli --print-cert --verbose -p 4711 --x509certfile \
/home/user/secret/organisation-user.pem -p 443 \
intern.organisation.org \
--x509keyfile /home/user/secret/organisation-user.pem
`----
fails with a key usage violation error if organisation-user.pem
contains the CA certificates before the client cert.
Unfortunately, some CAs generate client certs like this (i.e. first the
key, then the certs in order of the chain, i.e. first the root-CA and
client-CA certs, then the client cert), and Firefox and OpenSSL export
them in the same order. Also, OpenSSL handles that case gracefully.
The pkcs12 manpage (from openssl) even states:
,----[ manual page pkcs12(1) ]
If none of the -clcerts, -cacerts or -nocerts options are
present then all certificates will be output in the order
they appear in the input PKCS#12 files. There is no
guarantee that the first certificate present is the one
corresponding to the private key. Certain software which
requires a private key and certificate and assumes the first
certificate in the file is the one corresponding to the
private key: this may not always be the case. Using the
-clcerts option will solve this problem by only outputting
the certificate corresponding to the private key. If the CA
certificates are required then they can be output to a
separate file using the -nokeys -cacerts options to just
output CA certificates.
`----
This was quite helpful once I discovered why it didn't work.
Unfortunately I could not find any reference to this behaviour in the
gnutls documentation. Also the error message "key usage violation
error" doesn't help a lot.
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530510 documents that we
looked at the key usage bits in the client and server certs first,
which were all correct.)
In order of preference, I'd like one or all of the following resolutions:
- If the certificate doesn't fit the key, try another one in the same
file.
- "key usage violation error" could output some information about
which certificate it actually tried to use. (Which would give a
hint that it tried to use a CA cert.)
- Document in a prominent place that gnutls does not support
client certificate files with CA certificates in them. (Sorry if I
simply overlooked it.)
Should 530510 be closed or merged with this wishlist bug?
Kind regards
Friedel
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.30-2-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) (ignored: LC_ALL
set to de_DE.utf8)
Shell: /bin/sh linked to /bin/bash
--- End Message ---
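The submitter's first preferred resolution (pick the certificate that actually fits the key instead of blindly taking the first one in the file) can be done outside the library as a pre-processing step. The script below is an added example for this page; it is not part of the bug report, of GnuTLS or of the OpenSSL man page quoted above. It assumes only the `openssl` command-line tool. It splits a PEM bundle into its key and certificate blocks (dropping any `Bag Attributes` lines that `openssl pkcs12` emits), compares the SubjectPublicKeyInfo of each certificate against the private key's, and writes a new bundle with the key first, the matching (client) certificate second and the CA certificates afterwards. If nothing matches it names every certificate it tried, which is the diagnostic the submitter's second wish asks for. The throwaway CA and client certificate it builds for its self-test are constructed test data, not anything from the report.

```shell
#!/bin/sh
# Added example (not from the bug report or GnuTLS): reorder a PEM bundle so that the
# certificate whose public key matches the private key comes first, for loaders that
# assume "first certificate == the one belonging to the key". Requires the openssl CLI.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo derived from a private key file.
key_spki_sha256() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 over the DER SubjectPublicKeyInfo of the first certificate in a file.
cert_spki_sha256() {
    openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Subject of the first certificate in FILE, i.e. what a "first cert wins" loader would use.
first_cert_subject() {
    openssl x509 -in "$1" -noout -subject
}

# reorder_bundle SRC DST
# SRC holds one private key and any number of certificates in any order (extra lines such
# as pkcs12 "Bag Attributes" are discarded). DST gets: key, matching cert, remaining certs
# in their original order. Returns 1 and lists the candidates if no certificate fits the key.
reorder_bundle() {
    src=$1; dst=$2
    tmp=$(mktemp -d)
    # Split PEM blocks into one file each: key.pem, cert001.pem, cert002.pem, ...
    awk -v d="$tmp" '
        /-----BEGIN .*PRIVATE KEY-----/ { f = d "/key.pem" }
        /-----BEGIN CERTIFICATE-----/   { n++; f = sprintf("%s/cert%03d.pem", d, n) }
        f != "" { print > f }
        /-----END / { f = "" }
    ' "$src"
    if [ ! -f "$tmp/key.pem" ] || [ ! -f "$tmp/cert001.pem" ]; then
        echo "reorder_bundle: $src needs one private key and at least one certificate" >&2
        rm -rf "$tmp"; return 1
    fi
    want=$(key_spki_sha256 "$tmp/key.pem")
    match=""
    for c in "$tmp"/cert*.pem; do
        if [ "$(cert_spki_sha256 "$c")" = "$want" ]; then match=$c; break; fi
    done
    if [ -z "$match" ]; then
        echo "reorder_bundle: no certificate in $src matches the private key; tried:" >&2
        for c in "$tmp"/cert*.pem; do openssl x509 -in "$c" -noout -subject >&2; done
        rm -rf "$tmp"; return 1
    fi
    { cat "$tmp/key.pem" "$match"
      for c in "$tmp"/cert*.pem; do [ "$c" = "$match" ] || cat "$c"; done
    } > "$dst"
    rm -rf "$tmp"
}

# Constructed test data: a throwaway CA and a client cert it signs, bundled in the order the
# submitter describes (key, CA cert, then client cert) behind a pkcs12-style attribute line.
make_test_bundle() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Test-CA \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Client" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -set_serial 2 -days 1 -out "$d/client.pem" 2>/dev/null
    { echo "Bag Attributes"; echo "    friendlyName: constructed test bundle"
      cat "$d/client.key" "$d/ca.pem" "$d/client.pem"; } > "$d/bundle.pem"
}

# Usage: sh reorder_pem.sh IN.pem OUT.pem    (no arguments: self-test on a constructed bundle)
if [ $# -eq 2 ]; then
    reorder_bundle "$1" "$2"
elif [ $# -eq 0 ]; then
    work=$(mktemp -d)
    make_test_bundle "$work"
    echo "before: $(first_cert_subject "$work/bundle.pem")"
    reorder_bundle "$work/bundle.pem" "$work/fixed.pem"
    echo "after:  $(first_cert_subject "$work/fixed.pem")"
    rm -rf "$work"
fi
```

Feed the rewritten file to both `--x509certfile` and `--x509keyfile`; the key and the matching certificate are now the first blocks a sequential PEM reader sees, and the CA certificates that follow are harmless to a loader that only takes the first one. The match is on the public key, not on subject names or file position, so it also copes with bundles where the CA chain is interleaved with the client certificate.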
--- Begin Message ---
Version: 2.12.23-17+rm
Dear submitter,
as the package gnutls26 has just been removed from the Debian archive
unstable we hereby close the associated bug reports. We are sorry
that we couldn't deal with your issue properly.
For details on the removal, please see https://bugs.debian.org/767610
The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.
This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
[email protected].
Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---