** Description changed:

[Impact]:
Applications that are linked to gnutls26 and use client certificate authentication do not work. I personally know of apt-transport-https, gnutls-cli and subversion (#1020591), but any application linked to this library will possibly have the same issue.
Apt repositories that use client certificate authentication do not work; you get the error
+ "GnuTLS error: GnuTLS internal error."
+
This issue was reported upstream and fixed in a version newer than the one shipped in precise.
https://gitorious.org/gnutls/gnutls/commit/555766063e08fc675b88e06560f79456c4ba4f24
- I have back ported that fix to the precise version
-
- "GnuTLS error: GnuTLS internal error."
+ I have cherry picked that fix into to the precise version

[Test case]:
Create a CA and certificates for use:
-
openssl genrsa -aes256 -seed -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -aes256 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt

Set up a web server (Nginx or Apache) for SSL client certificate authentication:

#Nginx
server {
-    listen 443;
-    root /var/www;
-    index index.html index.htm;
-    ssl on;
-    ssl_certificate /etc/ssl/certs/server.crt;
-    ssl_certificate_key /etc/ssl/certs/server.key;
+    listen 443;
+    root /var/www;
+    index index.html index.htm;
+    ssl on;
+    ssl_certificate /etc/ssl/certs/server.crt;
+    ssl_certificate_key /etc/ssl/certs/server.key;
-    ssl_session_timeout 5m;
+    ssl_session_timeout 5m;
-    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
-    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
-    ssl_prefer_server_ciphers on;
-    ssl_client_certificate /etc/ssl/certs/ca.crt;
-    ssl_verify_client on;
-
-    location / {
-        try_files $uri $uri/ =404;
-    }
+    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
+    ssl_prefer_server_ciphers on;
+    ssl_client_certificate /etc/ssl/certs/ca.crt;
+    ssl_verify_client on;
+    location / {
+        try_files $uri $uri/ =404;
+    }
}

#apache
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
-    ServerAdmin webmaster@localhost
-    DocumentRoot /var/www
-    <Directory />
-        Options FollowSymLinks
-        AllowOverride None
-    </Directory>
-    <Directory /var/www>
-        Options Indexes FollowSymLinks MultiViews
-        AllowOverride None
-        Order allow,deny
-        allow from all
-    </Directory>
-    ErrorLog ${APACHE_LOG_DIR}/error.log
-    LogLevel warn
-    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
-    SSLEngine on
-    SSLCertificateFile /etc/ssl/certs/server.crt
-    SSLCertificateKeyFile /etc/ssl/certs/server.key
-    SSLCACertificateFile /etc/ssl/certs/ca.crt
-    SSLVerifyClient require
-    SSLVerifyDepth 10
+    ServerAdmin webmaster@localhost
+    DocumentRoot /var/www
+    <Directory />
+        Options FollowSymLinks
+        AllowOverride None
+    </Directory>
+    <Directory /var/www>
+        Options Indexes FollowSymLinks MultiViews
+        AllowOverride None
+        Order allow,deny
+        allow from all
+    </Directory>
+    ErrorLog ${APACHE_LOG_DIR}/error.log
+    LogLevel warn
+    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
+    SSLEngine on
+    SSLCertificateFile /etc/ssl/certs/server.crt
+    SSLCertificateKeyFile /etc/ssl/certs/server.key
+    SSLCACertificateFile /etc/ssl/certs/ca.crt
+    SSLVerifyClient require
+    SSLVerifyDepth 10
</VirtualHost>
</IfModule>

Test Case1
=========
Then test using gnutls-cli linked to the gnutls26 package:

gnutls-cli --x509cafile ca.crt --x509keyfile client.key --x509certfile client.crt server_ip_address -V

Processed 1 CA certificate(s).
Processed 1 CRL(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'ubuntu.home.topdog-software.com'...
Connecting to '192.168.1.12:443'...
- Server's trusted authorities:
-   [0]: C=ZA,ST=Gauteng,L=Johannesburg,O=XXXX,OU=CA,CN=XXXX,EMAIL=info@XXXX
+   [0]: C=ZA,ST=Gauteng,L=Johannesburg,O=XXXX,OU=CA,CN=XXXX,EMAIL=info@XXXX
*** Fatal error: GnuTLS internal error.
*** Handshake has failed
GnuTLS error: GnuTLS internal error.

Test Case2
=========
Test apt-transport-https:

/etc/apt/apt.conf.d/00httpstest
Acquire::https::testserver_address::CaInfo "/etc/apt/certs/ca.crt";
Acquire::https::testserver_address::SslCert "/etc/apt/certs/client.crt";
Acquire::https::testserver_address::SslKey "/etc/apt/certs/client.key";
Debug::Acquire::https "true";

/etc/apt/sources.list.d/test.list
deb https://testserver_address precise/

Then run apt-get update:

gnutls_handshake() failed: GnuTLS internal error.

[Regression Potential]
The patch does not cause any regressions that I can see.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1095052

Title:
  Client certificate authentication fails

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gnutls26/+bug/1095052/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
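The test case above builds its CA, client and server certificates by hand with interactive openssl prompts and passphrase-protected keys. The script below is an added example (not part of the bug report, the gnutls26 package or the upstream fix) that produces the same layout non-interactively and then checks what the server's ssl_verify_client / SSLVerifyClient require step will check: that client.crt and server.crt chain to ca.crt, that each private key matches its certificate, and that a certificate from an unrelated issuer is rejected. It assumes openssl is on PATH; the subject names, the directory argument and the "rogue" issuer are made up for the example, and keys are left unencrypted (no -aes256) so the script runs without prompts.

```shell
#!/bin/sh
# Added example, not from the bug report or from gnutls26: build a throwaway
# CA plus client (serial 01) and server (serial 02) certificates, mirroring
# the reporter's openssl steps but non-interactively, then verify them.
# Assumes: openssl on PATH. Subject names and the "rogue" issuer are made up.

# Issue a CA-signed leaf certificate. $1 = dir, $2 = name, $3 = CN, $4 = serial
issue_leaf() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" \
        -subj "/C=ZA/O=Example/CN=$3" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -set_serial "$4" \
        -out "$1/$2.crt" 2>/dev/null
}

# Create ca.{key,crt}, client.{key,crt} and server.{key,crt} under $1
make_test_pki() {
    dir="${1:-./testpki}"
    mkdir -p "$dir"
    # self-signed CA, 10 years, like the reporter's ca.crt
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=ZA/ST=Gauteng/L=Johannesburg/O=Example/OU=CA/CN=Example Test CA" \
        2>/dev/null
    issue_leaf "$dir" client apt-client 01          # what gnutls-cli/apt present
    issue_leaf "$dir" server testserver_address 02  # what nginx/apache present
}

# A self-signed certificate from an unrelated issuer: the server must reject it
make_rogue_cert() {
    openssl req -new -x509 -days 1 -newkey rsa:2048 -nodes \
        -keyout "$1/rogue.key" -out "$1/rogue.crt" \
        -subj "/C=ZA/O=Somebody Else/CN=rogue-client" 2>/dev/null
}

# Verify $2.crt in $1 against ca.crt and confirm $2.key belongs to it.
# Prints "ok" and returns 0 when both hold, otherwise prints "fail", returns 1.
check_cert() {
    if ! openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1; then
        echo fail
        return 1
    fi
    # compare the SubjectPublicKeyInfo derived from the key with the one in the cert
    keypub=$(openssl pkey -in "$1/$2.key" -pubout 2>/dev/null | openssl dgst -sha256)
    certpub=$(openssl x509 -in "$1/$2.crt" -pubkey -noout 2>/dev/null | openssl dgst -sha256)
    if [ -n "$keypub" ] && [ "$keypub" = "$certpub" ]; then
        echo ok
        return 0
    fi
    echo fail
    return 1
}

# Serial number of a certificate as hex, without the "serial=" prefix
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}
```

Typical use is `make_test_pki ./testpki && check_cert ./testpki client`; the resulting files drop straight into the reporter's gnutls-cli invocation (`--x509cafile`, `--x509keyfile`, `--x509certfile`) and into the apt `CaInfo`/`SslCert`/`SslKey` options. The verify step is the cheap check to run before blaming the TLS library: if `openssl verify -CAfile ca.crt client.crt` already fails, the handshake error is a certificate problem, not the gnutls26 bug. Separately from the bug, the server configs in the test case enable SSLv3 and a cipher list including RC4, LOW and EXP suites; on any server kept beyond the test, restrict `ssl_protocols` / `SSLProtocol` to TLSv1.2 or newer and drop those suites, since they are not needed to reproduce the client-certificate failure.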
