Problems with specific certificate/key (Debian Bug #426013)
simon at josefsson.org
Fri Jan 4 12:27:50 CET 2008
Marc Haber <mh+gnutls-devel at zugschlus.de> writes:
> Simon Josefsson has suggested to me (a member of the maintainer team
> for Exim's packages for the Debian Operating System) that it might be
> a good idea to move a technical debate from our blogs
> to gnutls-devel as this list is a better medium for archived discussion.
> I'll send a dedicated mail for each of Debian's bug reports, so that
> the threads are not going to intermix.
> Debian Bug #426013, http://bugs.debian.org/426013
> Simon writes:
>> Appears to be an unreproducible problem with a specific
>> certificate/key which the user cannot reveal. Another certificate/key
>> from the same CA works fine. Theory: could it be CRLF problems? Other
>> non-ASCII characters in the file? Nothing indicates a real GnuTLS
>> problem here.
>> Conclusion: Likely not a GnuTLS problem.
> I think that this conclusion was built too fast, but we do not have
> sufficient information to know this.
> The original reporter has said in the mean time that there are no
> non-ascii chars in the file and that there are no CRLF issues here.
> Currently, it is suspected that GnuTLS has issues with the fact that
> the certificate is a wildcard certificate.
The error message 'base64 decoding' error suggests decoding fails early
-- before gnutls has a chance of knowing whether it is a wildcard
certificate or not. So I believe that conclusion is most likely wrong.
The code in question in exim4 is:
  if (cert_expanded != NULL)
    {
    DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
      cert_expanded, key_expanded);
    rc = gnutls_certificate_set_x509_key_file(x509_cred, CS cert_expanded,
      CS key_expanded, GNUTLS_X509_FMT_PEM);
    if (rc < 0)
      {
      uschar *msg = string_sprintf("cert/key setup: cert=%s key=%s",
        cert_expanded, key_expanded);
      return tls_error(msg, host, rc);
      }
    }
Note how the error message in the report subtly differs from what's in
the source code (s/setup/set up/), which seems strange but may be due to
I have asked the original submitter a few questions in the bug report.
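The point made above, that a 'base64 decoding' error happens before any certificate content (wildcard or not) is examined, can be checked directly on the reporter's file. The script below is an added example, not Exim or GnuTLS code: it walks a PEM file through the same stages a PEM loader does (armor markers, base64 alphabet and padding, then the outer DER SEQUENCE header) and reports the first stage that fails, alongside the CRLF and non-ASCII findings that were suspected in the bug report. The sample inputs are constructed, the DER check is only a header sanity check rather than X.509 parsing, and the reported line numbers are 1-based positions in the file.

```python
import base64
import binascii

# Characters a strict base64 decoder accepts.
B64_ALPHABET = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
)


def check_pem(data: bytes) -> dict:
    """Triage one PEM file and report the first stage at which loading would stop.

    stage is one of: "armor" (no BEGIN/END pair), "base64" (body rejected by a
    strict decoder), "der" (decoded bytes are not a plausible DER SEQUENCE),
    or "ok". crlf and non_ascii are reported separately so the reader can see
    whether they are the only anomaly in the file.
    """
    report = {
        "stage": "armor",
        "detail": None,
        "crlf": b"\r\n" in data,
        "non_ascii": [i for i, b in enumerate(data) if b > 0x7F],
    }
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    begin = next((i for i, l in enumerate(lines) if l.startswith(b"-----BEGIN ")), None)
    end = next((i for i, l in enumerate(lines) if l.startswith(b"-----END ")), None)
    if begin is None or end is None or end <= begin:
        report["detail"] = "no complete -----BEGIN/-----END armor found"
        return report

    report["stage"] = "base64"
    body_lines = lines[begin + 1:end]
    # Report the first byte outside the base64 alphabet, with its 1-based line.
    for lineno, line in enumerate(body_lines, start=begin + 2):
        bad = [b for b in line if b not in B64_ALPHABET]
        if bad:
            report["detail"] = "line %d: byte 0x%02x is not base64" % (lineno, bad[0])
            return report
    body = b"".join(body_lines)
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        report["detail"] = "base64 body of %d chars rejected: %s" % (len(body), exc)
        return report

    report["stage"] = "der"
    if len(der) < 2 or der[0] != 0x30:
        report["detail"] = "decoded data does not start with a DER SEQUENCE (0x30)"
        return report
    # Outer SEQUENCE length (short or long form) must account for every decoded byte.
    if der[1] < 0x80:
        hdr, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if hdr + length != len(der):
        report["detail"] = "outer SEQUENCE length %d does not match %d decoded bytes" % (
            length, len(der) - hdr)
        return report

    report["stage"] = "ok"
    report["detail"] = "%d DER bytes" % len(der)
    return report


# Constructed samples. "MAMCAQU=" is base64 of 30 03 02 01 05, a minimal DER
# SEQUENCE containing INTEGER 5; it is not a real certificate.
SAMPLE_GOOD = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_CRLF = b"-----BEGIN CERTIFICATE-----\r\nMAMCAQU=\r\n-----END CERTIFICATE-----\r\n"
SAMPLE_NON_ASCII = b"-----BEGIN CERTIFICATE-----\nMAMCAQU=\xc2\xa0\n-----END CERTIFICATE-----\n"
SAMPLE_TRUNCATED = b"-----BEGIN CERTIFICATE-----\nMAMCAQ\n-----END CERTIFICATE-----\n"
SAMPLE_NOT_DER = b"-----BEGIN CERTIFICATE-----\naGVsbG8=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(check_pem(fh.read()))
    else:
        for name, sample in [("good", SAMPLE_GOOD), ("crlf", SAMPLE_CRLF),
                             ("non-ascii", SAMPLE_NON_ASCII),
                             ("truncated", SAMPLE_TRUNCATED), ("not-der", SAMPLE_NOT_DER)]:
            print(name, check_pem(sample))
```

Run it with the path of the certificate or key file as its only argument; a file that stops at the "base64" stage fails before any X.509 field, including the subject name, could be read, which is the reasoning given above for doubting the wildcard theory.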