Re: [Modules] mod_gnutls: Failed to load Client CA File ... The given memory buffer is too short to hold parameters.
Jack Bates wrote: > Sander Marechal reports that he cannot use the CA certificates > distributed in the Debian ca-certificates package with mod_gnutls: > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511573 > > I confirmed that this behaviour is the same in mod_gnutls trunk revision > 403: Hello, I believe the attached patch fixes the issue. It will be included in the next release. regards, Nikos Index: include/mod_gnutls.h.in === --- include/mod_gnutls.h.in (revision 402) +++ include/mod_gnutls.h.in (working copy) @@ -79,10 +79,6 @@ } mgs_dirconf_rec; -/* The maximum number of client CA certificates allowed. - */ -#define MAX_CA_CRTS 128 - /* The maximum number of certificates to send in a chain */ #define MAX_CHAIN_SIZE 8 @@ -111,7 +107,7 @@ const char* cache_config; const char* srp_tpasswd_file; const char* srp_tpasswd_conf_file; -gnutls_x509_crt_t ca_list[MAX_CA_CRTS]; +gnutls_x509_crt_t *ca_list; gnutls_openpgp_keyring_t pgp_list; unsigned int ca_list_size; int client_verify_mode; Index: src/gnutls_config.c === --- src/gnutls_config.c (revision 402) +++ src/gnutls_config.c (working copy) @@ -398,6 +398,7 @@ return NULL; } +#define INIT_CA_SIZE 128 const char *mgs_set_client_ca_file(cmd_parms * parms, void *dummy, const char *arg) { 
@@ -419,16 +420,37 @@ "Client CA File '%s'", file); } -sc->ca_list_size = MAX_CA_CRTS; +sc->ca_list_size = INIT_CA_SIZE; +sc->ca_list = malloc(sc->ca_list_size * sizeof(*sc->ca_list)); +if (sc->ca_list == NULL) { + return apr_psprintf(parms->pool, "mod_gnutls: Memory allocation error"); +} + rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size, - &data, GNUTLS_X509_FMT_PEM, - GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); -if (rv < 0) { - return apr_psprintf(parms->pool, "GnuTLS: Failed to load " + &data, GNUTLS_X509_FMT_PEM, GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED); +if (rv < 0 && rv != GNUTLS_E_SHORT_MEMORY_BUFFER) { + return apr_psprintf(parms->pool, "GnuTLS: Failed to load " "Client CA File '%s': (%d) %s", file, rv, gnutls_strerror(rv)); } + +if (INIT_CA_SIZE < sc->ca_list_size) { + sc->ca_list = realloc(sc->ca_list, sc->ca_list_size*sizeof(*sc->ca_list)); + if (sc->ca_list == NULL) { +return apr_psprintf(parms->pool, "mod_gnutls: Memory allocation error"); + } + /* re-read */ + rv = gnutls_x509_crt_list_import(sc->ca_list, &sc->ca_list_size, + &data, GNUTLS_X509_FMT_PEM, 0); + + if (rv < 0) { + return apr_psprintf(parms->pool, "GnuTLS: Failed to load " + "Client CA File '%s': (%d) %s", file, rv, + gnutls_strerror(rv)); + } +} + apr_pool_destroy(spool); return NULL; } Index: NEWS === --- NEWS (revision 402) +++ NEWS (working copy) @@ -1,5 +1,10 @@ -** Verison 0.5.4 (2009-01-04) +** Version 0.5.5 (unreleased) +- Removed limits on CA certificate loading. Reported by + Sander Marechal and Jack Bates. + +** Version 0.5.4 (2009-01-04) + - mod_gnutls.h: modified definition to extern to avoid compilation errors in darwin. ___ Modules mailing list Modules@lists.outoforder.cc http://lists.outoforder.cc/mailman/listinfo/modules
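Review bot: the `#define INIT_CA_SIZE 128` added in the `@@ -398,6 +398,7 @@` hunk of gnutls_config.c sits between two function bodies; keep it with the file's other constants (or next to the `MAX_CHAIN_SIZE` define that stays in mod_gnutls.h.in) and give it a one-line comment saying it is only the initial guess that the import may grow, so a reader does not mistake it for the old hard limit that the header hunk removes.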
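Review bot: in the `@@ -419,16 +420,37 @@` hunk, `sc->ca_list = realloc(sc->ca_list, sc->ca_list_size*sizeof(*sc->ca_list));` overwrites the only pointer to the 128-entry buffer, so when realloc returns NULL the original block leaks before the "Memory allocation error" string is returned; assign to a temporary and free `sc->ca_list` when the temporary is NULL. The same buffer leaks on the earlier error return (`if (rv < 0 && rv != GNUTLS_E_SHORT_MEMORY_BUFFER)`) and whenever this directive is evaluated again for the same `sc`, since nothing in the patch frees a previous `ca_list`; free it on those paths, or allocate from a pool such as the `parms->pool` already in use here. Two smaller points: the retry condition `if (INIT_CA_SIZE < sc->ca_list_size)` would read more directly as `rv == GNUTLS_E_SHORT_MEMORY_BUFFER`, which is what it stands in for, and the `return apr_psprintf(...)` inside the realloc failure branch is indented at column 0 unlike the surrounding block.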
Re: [Modules] mod_gnutls: Failed to load Client CA File ... The given memory buffer is too short to hold parameters.
Sander Marechal writes:
> Hi,
>
> I'm the submitter of the bug at Debian.
>
> Nikos Mavrogiannopoulos wrote:
>> Thanks for the report. I'll try to fix it as soon. However note that if you want to set all the list of ca-certificates.crt as the trusted list then probably you are doing something wrong.
>
> In my case I am building a website where people authenticate using a client certificate. I extract the e-mail address from the client certificate DN and match that against the database of known users. If it's an unknown user then they can create an account.
>
> I don't want to babysit SSL certificates and sign them all myself. As long as someone presents me with a certificate signed by someone I trust (that would be all the CAs in ca-certificates) I want them to be able to access the website. This is not some small, closed intranet or something, but a website that anyone should be able to access.
>
> The only way I see to reduce the list of CAs that I need to load is to figure out which of them don't give out client certificates. There's got to be quite a few in that list that only give out server certificates.

You can increase MAX_CA_CRTS in includes/mod_gnutls.h.in manually; it is currently hard-coded to 128. Of course, the proper fix will be to make the allocation dynamic.

/Simon
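One way to size the CA array from the bundle itself rather than from a fixed 128, as an added example that is not mod_gnutls code and not from anyone in this thread: count the CERTIFICATE blocks in the PEM data before allocating `ca_list`. The sample bundle is constructed; the function name `count_pem_certs` is an assumption of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not mod_gnutls code: count the CERTIFICATE blocks in a PEM
 * bundle (e.g. Debian's ca-certificates.crt) so ca_list can be sized from the
 * file rather than the fixed MAX_CA_CRTS of 128.  Only balanced BEGIN/END
 * CERTIFICATE pairs count; other PEM objects and a BEGIN with no END are
 * skipped, as the importer would not turn them into trusted CAs either. */
static const char BEGIN_CRT[] = "-----BEGIN CERTIFICATE-----";
static const char END_CRT[]   = "-----END CERTIFICATE-----";

/* Number of complete CERTIFICATE blocks in buf[0..len).  buf need not be
 * NUL-terminated; LF and CRLF line endings are both accepted. */
size_t count_pem_certs(const char *buf, size_t len)
{
    const size_t blen = sizeof BEGIN_CRT - 1, elen = sizeof END_CRT - 1;
    size_t count = 0, i = 0;
    while (i + blen <= len) {
        if (memcmp(buf + i, BEGIN_CRT, blen) != 0) { i++; continue; }
        size_t j = i + blen, end = (size_t)-1;
        /* Find this block's END before any later BEGIN. */
        while (j + elen <= len) {
            if (memcmp(buf + j, END_CRT, elen) == 0) { end = j; break; }
            if (j + blen <= len && memcmp(buf + j, BEGIN_CRT, blen) == 0)
                break;      /* dangling BEGIN: rescan from it */
            j++;
        }
        if (end == (size_t)-1) { i = j; continue; }
        count++;
        i = end + elen;
    }
    return count;
}

/* Constructed sample bundle: two certificates, a private key that must not
 * count, and an unterminated block.  The base64 bodies are placeholders. */
static const char SAMPLE_BUNDLE[] =
    "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\r\nMIIC...\r\n-----END CERTIFICATE-----\r\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\nMIID...\n";

int main(void)
{
    size_t n = count_pem_certs(SAMPLE_BUNDLE, sizeof SAMPLE_BUNDLE - 1);
    printf("allocate ca_list for %zu certificates\n", n);   /* 2 */
    return 0;
}
```

The count is an upper bound on what gnutls_x509_crt_list_import() will fill in, which is exactly what an allocation needs; a block that fails to parse simply leaves a slot unused.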
Re: [Modules] mod_gnutls: Failed to load Client CA File ... The given memory buffer is too short to hold parameters.
Hi,

I'm the submitter of the bug at Debian.

Nikos Mavrogiannopoulos wrote:
> Thanks for the report. I'll try to fix it as soon. However note that if you want to set all the list of ca-certificates.crt as the trusted list then probably you are doing something wrong.

In my case I am building a website where people authenticate using a client certificate. I extract the e-mail address from the client certificate DN and match that against the database of known users. If it's an unknown user then they can create an account.

I don't want to babysit SSL certificates and sign them all myself. As long as someone presents me with a certificate signed by someone I trust (that would be all the CAs in ca-certificates) I want them to be able to access the website. This is not some small, closed intranet or something, but a website that anyone should be able to access.

The only way I see to reduce the list of CAs that I need to load is to figure out which of them don't give out client certificates. There's got to be quite a few in that list that only give out server certificates.

--
Sander Marechal
Re: [Modules] mod_gnutls: Failed to load Client CA File ... The given memory buffer is too short to hold parameters.
Jack Bates wrote:
> Sander Marechal reports that he cannot use the CA certificates distributed in the Debian ca-certificates package with mod_gnutls:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511573
>
> I confirmed that this behaviour is the same in mod_gnutls trunk revision 403:

Thanks for the report. I'll try to fix it as soon. However note that if you want to set all the list of ca-certificates.crt as the trusted list then probably you are doing something wrong. mod_gnutls uses this list to authenticate clients that should have access to this website, thus a list of 1-2 CA certificates should be the typical use.

regards,
Nikos