Bug#511573: [Modules] mod_gnutls: Failed to load Client CA File ... The given memory buffer is too short to hold parameters.

2009-01-24 Thread Nikos Mavrogiannopoulos
Jack Bates wrote:
 Sander Marechal reports that he cannot use the CA certificates
 distributed in the Debian ca-certificates package with mod_gnutls:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511573
 
 I confirmed that this behaviour is the same in mod_gnutls trunk revision
 403:

Hello,
 I believe the attached patch fixes the issue. It will be included in
the next release.

regards,
Nikos
Index: include/mod_gnutls.h.in
===
--- include/mod_gnutls.h.in	(revision 402)
+++ include/mod_gnutls.h.in	(working copy)
@@ -79,10 +79,6 @@
 } mgs_dirconf_rec;
 
 
-/* The maximum number of client CA certificates allowed.
- */
-#define MAX_CA_CRTS 128
-
 /* The maximum number of certificates to send in a chain
  */
 #define MAX_CHAIN_SIZE 8
@@ -111,7 +107,7 @@
 const char* cache_config;
 const char* srp_tpasswd_file;
 const char* srp_tpasswd_conf_file;
-gnutls_x509_crt_t ca_list[MAX_CA_CRTS];
+gnutls_x509_crt_t *ca_list;
 gnutls_openpgp_keyring_t pgp_list;
 unsigned int ca_list_size;
 int client_verify_mode;
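Review bot: `gnutls_x509_crt_t *ca_list;` now points at an array obtained with malloc in mgs_set_client_ca_file (see the gnutls_config.c hunk below), but nothing beside the field records that, and neither the array nor the certificates it holds are released when the config record goes away, which happens on every graceful restart. Either document the ownership next to the field and register an apr pool cleanup that frees it, or allocate the array from the config pool so it lives and dies with the record.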
Index: src/gnutls_config.c
===
--- src/gnutls_config.c	(revision 402)
+++ src/gnutls_config.c	(working copy)
@@ -398,6 +398,7 @@
 return NULL;
 }
 
+#define INIT_CA_SIZE 128
 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy,
    const char *arg)
 {
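Review bot: `#define INIT_CA_SIZE 128` sits at file scope directly above the function with no comment; since it replaces the MAX_CA_CRTS that the header hunk removes, a one-line comment saying it is only the initial allocation, grown when gnutls_x509_crt_list_import returns GNUTLS_E_SHORT_MEMORY_BUFFER, would stop a reader from taking it for the new hard limit.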
@@ -419,16 +420,37 @@
 			Client CA File '%s', file);
 }
 
-sc-ca_list_size = MAX_CA_CRTS;
+sc-ca_list_size = INIT_CA_SIZE;
+sc-ca_list = malloc(sc-ca_list_size * sizeof(*sc-ca_list));
+if (sc-ca_list == NULL) {
+		return apr_psprintf(parms-pool, mod_gnutls: Memory allocation error);
+}
+
 rv = gnutls_x509_crt_list_import(sc-ca_list, sc-ca_list_size,
- data, GNUTLS_X509_FMT_PEM,
- GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
-if (rv  0) {
-	return apr_psprintf(parms-pool, GnuTLS: Failed to load 
+ data, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
+if (rv  0  rv != GNUTLS_E_SHORT_MEMORY_BUFFER) {
+			return apr_psprintf(parms-pool, GnuTLS: Failed to load 
 			Client CA File '%s': (%d) %s, file, rv,
 			gnutls_strerror(rv));
 }
+
+if (INIT_CA_SIZE  sc-ca_list_size) {
+		sc-ca_list = realloc(sc-ca_list, sc-ca_list_size*sizeof(*sc-ca_list));
+		if (sc-ca_list == NULL) {
+return apr_psprintf(parms-pool, mod_gnutls: Memory allocation error);
+		}
 
+		/* re-read */
+		rv = gnutls_x509_crt_list_import(sc-ca_list, sc-ca_list_size,
+ data, GNUTLS_X509_FMT_PEM, 0);
+
+		if (rv  0) {
+	return apr_psprintf(parms-pool, GnuTLS: Failed to load 
+	Client CA File '%s': (%d) %s, file, rv,
+	gnutls_strerror(rv));
+		}
+}
+
 apr_pool_destroy(spool);
 return NULL;
 }
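Review bot: `sc->ca_list = realloc(sc->ca_list, ...)` overwrites the only pointer to the 128-entry array when realloc returns NULL, so the `Memory allocation error` return right after it leaks the original buffer; assign to a temporary and free the old pointer on failure, e.g.
    gnutls_x509_crt_t *tmp = realloc(sc->ca_list, sc->ca_list_size * sizeof(*sc->ca_list));
    if (tmp == NULL) { free(sc->ca_list); sc->ca_list = NULL; return apr_psprintf(...); }
    sc->ca_list = tmp;
The new early returns also skip `apr_pool_destroy(spool)`, as the pre-existing error return already did, but now additionally leave `sc->ca_list` allocated. Allocating the array with apr_palloc(parms->pool, ...) instead of malloc/realloc (a second apr_palloc of the larger size in place of the realloc) would remove both leaks and the failure branch entirely. The `/* re-read */` comment should also state that the branch relies on gnutls_x509_crt_list_import having overwritten sc->ca_list_size with the number of certificates in the file when it returned GNUTLS_E_SHORT_MEMORY_BUFFER, because `if (INIT_CA_SIZE < sc->ca_list_size)` and the size passed to the second call are only correct under that in/out contract. (The comparison operators in `if (rv  0  rv != ...)` and `if (INIT_CA_SIZE  sc-ca_list_size)` and the `->` arrows have been stripped by the archive rendering; read them as `rv < 0 &&`, `INIT_CA_SIZE <` and `sc->`.)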
Index: NEWS
===
--- NEWS	(revision 402)
+++ NEWS	(working copy)
@@ -1,5 +1,10 @@
-** Verison 0.5.4 (2009-01-04)
+** Version 0.5.5 (unreleased)
 
+- Removed limits on CA certificate loading. Reported by
+  Sander Marechal and Jack Bates.
+
+** Version 0.5.4 (2009-01-04)
+
 - mod_gnutls.h: modified definition to extern to avoid compilation
   errors in darwin.
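Review bot: the NEWS entry should cite Debian bug #511573 (the report Jack Bates linked) and the error text users saw, `The given memory buffer is too short to hold parameters`, so that someone hitting it can find the fix; and `Removed limits` reads as if the list were now unbounded, while the code still sizes it to the number of certificates in the file, so `Client CA file is no longer limited to 128 certificates` is the more exact wording.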
 


Bug#511573: [Modules] mod_gnutls: Failed to load Client CA File ... The given memory buffer is too short to hold parameters.

2009-01-14 Thread Sander Marechal
Hi,

I'm the submitter of the bug at Debian.

Nikos Mavrogiannopoulos wrote:
 Thanks for the report. I'll try to fix it as soon. However note that if
 you want to set all the list of ca-certificates.crt as the trusted list
 then probably you are doing something wrong.

In my case I am building a website where people authenticate using a
client certificate. I extract the e-mail address from the client
certificate DN and match that against the database of known users. If
it's an unknown user then they can create an account.

I don't want to babysit SSL certificates and sign them all myself. As
long as someone presents me with a certificate signed by someone I trust
(that would be all the CA's in ca-certificates) I want them to be able
to access the website. This is not some small, closed intranet or
something, but a website that anyone should be able to access.

The only way I see to reduce the list of CA's that I need to load is to
figure out which of them don't give out client certificates. There's got
to be quite a few in that list that only give out server certificates.

-- 
Sander Marechal



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
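The lookup step described in the message above (take the e-mail address out of the client certificate's subject and match it against the user database), as an added example that is not code from mod_gnutls, from the Debian package or from anyone in this thread. It assumes the web server hands the application the client's subject as an RFC 4514 string in SSL_CLIENT_S_DN and the chain-verification result in SSL_CLIENT_VERIFY (both variable names are assumptions about the server setup); the sample DNs and request environments are constructed. The parser decodes RFC 4514 escapes, so an escaped comma or a hex-escaped "@" inside a value cannot be misread, and the extraction refuses to pick one address when the subject carries two.

```python
"""Pull the e-mail address out of a verified client certificate's subject DN.

Added example, not code from mod_gnutls or the Debian package.  Assumes the
server exposes the subject as an RFC 4514 string in SSL_CLIENT_S_DN and the
verification result in SSL_CLIENT_VERIFY (both names are assumptions).
"""
import string
from typing import Dict, List, Optional, Tuple

# Attribute types under which certificates carry an e-mail address
# (short names plus the PKCS#9 emailAddress OID), compared case-insensitively.
EMAIL_TYPES = {"emailaddress", "e", "email", "1.2.840.113549.1.9.1"}
# Characters RFC 4514 allows after a backslash as a single-character escape.
_SPECIALS = set(',=+<>#;"\\ ')

# Constructed sample DNs, not taken from real certificates.
SAMPLE_DN = r"CN=Alice\, Example,emailAddress=Alice@Example.ORG,O=Example Ltd,C=NL"
SAMPLE_DN_HEX = r"CN=Bob,E=bob\40example.org,O=Other"   # "\40" is a hex escape for "@"


def parse_rfc4514(dn: str) -> List[List[Tuple[str, str]]]:
    """Split an RFC 4514 string into RDNs, each a list of (type, value) pairs.

    Backslash escapes are decoded (both "\\," and the two-hex-digit form), so
    an escaped comma inside a value is not taken for an RDN separator; "+"
    inside an RDN yields a multi-valued RDN.  "#hex" BER values are returned
    as their literal text.
    """
    if not dn.strip():
        return []
    rdns: List[List[Tuple[str, str]]] = [[]]
    attr_type: List[str] = []
    value = bytearray()      # bytes: hex escapes may spell out UTF-8 sequences
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if not in_value:
            if c == "=":
                in_value = True
            elif c in ",+":
                raise ValueError("RDN component without '=' in DN")
            else:
                attr_type.append(c)
            i += 1
            continue
        if c == "\\":
            if i + 1 >= n:
                raise ValueError("dangling backslash in DN")
            nxt = dn[i + 1]
            if nxt in _SPECIALS:
                value += nxt.encode("utf-8")
                i += 2
            else:
                pair = dn[i + 1:i + 3]
                if len(pair) != 2 or not all(ch in string.hexdigits for ch in pair):
                    raise ValueError("bad hex escape in DN")
                value.append(int(pair, 16))
                i += 3
            continue
        if c in ",+":
            rdns[-1].append(("".join(attr_type).strip(), value.decode("utf-8")))
            attr_type, value, in_value = [], bytearray(), False
            if c == ",":
                rdns.append([])
            i += 1
            continue
        value += c.encode("utf-8")
        i += 1
    if not in_value:
        raise ValueError("DN ends inside an attribute type")
    rdns[-1].append(("".join(attr_type).strip(), value.decode("utf-8")))
    return rdns


def normalize_email(addr: str) -> Optional[str]:
    """Canonical form for database matching: domain lower-cased, local part kept.
    Returns None for anything that is not a single user@domain token."""
    addr = addr.strip()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain or any(ch.isspace() for ch in addr):
        return None
    return local + "@" + domain.lower()


def extract_email(dn: str) -> Optional[str]:
    """The one e-mail address the subject asserts, or None when the DN has no
    e-mail attribute or carries two different ones (an ambiguous identity must
    not silently map to one account)."""
    found = set()
    for rdn in parse_rfc4514(dn):
        for attr_type, val in rdn:
            if attr_type.lower() in EMAIL_TYPES:
                addr = normalize_email(val)
                if addr is not None:
                    found.add(addr)
    return found.pop() if len(found) == 1 else None


def client_identity(env: Dict[str, str]) -> Optional[str]:
    """Identity to look up (or create an account for), or None.
    The DN only means something when the server reports that the certificate
    chained to a CA in GnuTLSClientCAFile; otherwise it is text the client chose."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    try:
        return extract_email(env.get("SSL_CLIENT_S_DN", ""))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed request environments, not captured from a running server.
    for env in (
        {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": SAMPLE_DN},
        {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN": SAMPLE_DN_HEX},
        {"SSL_CLIENT_VERIFY": "NONE", "SSL_CLIENT_S_DN": SAMPLE_DN},
    ):
        print(env["SSL_CLIENT_VERIFY"], "->", client_identity(env))
```

The address recovered this way is whatever the issuing CA put into the certificate, so the check only says that some CA in GnuTLSClientCAFile vouched for it; with the whole ca-certificates bundle as the trusted list, every public CA becomes a party that can assert any address to this site, which is the concern raised earlier in the thread about using that bundle for client authentication.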



Bug#511573: [Modules] mod_gnutls: Failed to load Client CA File ... The given memory buffer is too short to hold parameters.

2009-01-14 Thread Simon Josefsson
Sander Marechal s.marec...@jejik.com writes:

 Hi,

 I'm the submitter of the bug at Debian.

 Nikos Mavrogiannopoulos wrote:
 Thanks for the report. I'll try to fix it as soon. However note that if
 you want to set all the list of ca-certificates.crt as the trusted list
 then probably you are doing something wrong.

 In my case I am building a website where people authenticate using a
 client certificate. I extract the e-mail address from the client
 certificate DN and match that against the database of known users. If
 it's an unknown user then they can create an account.

 I don't want to babysit SSL certificates and sign them all myself. As
 long as someone presents me with a certificate signed by someone I trust
 (that would be all the CA's in ca-certificates) I want them to be able
 to access the website. This is not some small, closed intranet or
 something, but a website that anyone should be able to access.

 The only way I see to reduce the list of CA's that I need to load is to
 figure out which of them don't give out client certificates. There's got
 to be quite a few in that list that only give out server certificates.

You can increase MAX_CA_CRTS in includes/mod_gnutls.h.in manually, it is
currently hard-coded to 128.  Of course, the proper fix will be to make
the allocation dynamic.

/Simon






Bug#511573: [Modules] mod_gnutls: Failed to load Client CA File ... The given memory buffer is too short to hold parameters.

2009-01-13 Thread Nikos Mavrogiannopoulos
Jack Bates wrote:
 Sander Marechal reports that he cannot use the CA certificates
 distributed in the Debian ca-certificates package with mod_gnutls:
 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511573
 
 I confirmed that this behaviour is the same in mod_gnutls trunk revision
 403:

Thanks for the report. I'll try to fix it as soon. However note that if
you want to set all the list of ca-certificates.crt as the trusted list
then probably you are doing something wrong. mod_gnutls uses this list
to authenticate clients that should have access to this website, thus a
list of 1-2 ca certificates should be the typical use.

regards,
Nikos


