Problems with specific certificate/key (Debian Bug #426013)

Simon Josefsson simon at josefsson.org
Fri Jan 4 12:27:50 CET 2008


Marc Haber <mh+gnutls-devel at zugschlus.de> writes:

> Hi,
>
> Simon Josefsson has suggested to me (a member of the maintainer team
> for Exim's packages for the Debian Operating System) that it might be
> a good idea to move a technical debate from our blogs
> (http://blog.zugschlus.de/archives/585-exim4-vs.-OpenSSL-vs.-GnuTLS.html,
> http://blog.josefsson.org/2007/11/09/response-to-gnutls-in-exim-debate/)
> to gnutls-devel as this list is a better medium for archived discussion.
>
> I'll send a dedicated mail for each of Debian's bug reports, so that
> the threads are not going to intermix.
>
> Debian Bug #426013, http://bugs.debian.org/426013
> =================================================
> Simon writes:
>> Appears to be an unreproducible problem with a specific
>> certificate/key which the user cannot reveal. Another certificate/key
>> from the same CA works fine. Theory: could it be CRLF problems? Other
>> non-ASCII characters in the file? Nothing indicates a real GnuTLS
>> problem here.
>> Conclusion: Likely not a GnuTLS problem.
>
> I think that this conclusion was built too fast, but we do not have
> sufficient information to know this.
>
> The original reporter has said in the meantime that there are no
> non-ASCII chars in the file and that there are no CRLF issues here.
> Currently, it is suspected that GnuTLS has issues with the fact that
> the certificate is a wildcard certificate.

The error message 'base64 decoding error' suggests decoding fails early
-- before gnutls has a chance of knowing whether it is a wildcard
certificate or not.  So I believe that conclusion is most likely wrong.
The code in question in exim4 is:

if (cert_expanded != NULL)
  {
  DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
    cert_expanded, key_expanded);
  rc = gnutls_certificate_set_x509_key_file(x509_cred, CS cert_expanded,
    CS key_expanded, GNUTLS_X509_FMT_PEM);
  if (rc < 0)
    {
    uschar *msg = string_sprintf("cert/key setup: cert=%s key=%s",
      cert_expanded, key_expanded);
    return tls_error(msg, host, rc);
    }
  }

Note how the error message in the report subtly differs from what's in
the source code (s/setup/set up/), which seems strange but may be due to
cut'n'paste.

I have asked the original submitter a few questions in the bug report.

/Simon
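As an added example (not code from Simon's mail, from Exim, or from GnuTLS), a small Python checker that runs the file-level checks discussed above over a PEM blob before any library is blamed: non-ASCII bytes, CRLF line endings, mismatched BEGIN/END armor, stray characters in the body, and a base64 body that does not decode. The sample PEM it builds is constructed and is not a real certificate; an empty result means the base64 step, which runs before any wildcard or name check, has nothing to trip over.

```python
import base64
import binascii
import re

# PEM armor line: "-----BEGIN CERTIFICATE-----" / "-----END RSA PRIVATE KEY-----"
ARMOR = re.compile(rb"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
B64_LINE = re.compile(rb"[A-Za-z0-9+/=]+")


def check_pem(data: bytes) -> list:
    """Return a list of findings about the PEM armor and base64 body.

    An empty list means: only ASCII, LF line endings, every BEGIN has a
    matching END with the same label, and each body decodes as base64.
    Line numbers in findings are 1-based."""
    problems = []
    if any(b > 0x7F for b in data):
        problems.append("non-ASCII bytes present")
    if b"\r\n" in data:
        problems.append("CRLF line endings present")
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    label = None   # label of the block currently open, if any
    body = []      # base64 lines collected for that block
    blocks = 0
    for n, line in enumerate(lines, 1):
        m = ARMOR.match(line)
        if m and m.group(1) == b"BEGIN":
            if label is not None:
                problems.append(f"line {n}: BEGIN inside an open block")
            label, body = m.group(2), []
        elif m:  # an END line
            if label != m.group(2):
                problems.append(f"line {n}: END label does not match BEGIN")
            try:
                base64.b64decode(b"".join(body), validate=True)
            except binascii.Error as e:
                problems.append(f"block ending line {n}: base64 error: {e}")
            label, blocks = None, blocks + 1
        elif label is not None and line.strip():
            if not B64_LINE.fullmatch(line):
                problems.append(f"line {n}: non-base64 character in body")
            body.append(line)
    if label is not None:
        problems.append("missing END line")
    if blocks == 0:
        problems.append("no PEM block found")
    return problems


# Constructed sample: a valid armor around base64 of a placeholder string.
BODY = base64.b64encode(b"constructed payload, not a real certificate")
GOOD = b"-----BEGIN CERTIFICATE-----\n" + BODY + b"\n-----END CERTIFICATE-----\n"
```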
