[Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'

Simon Josefsson simon at josefsson.org
Fri May 11 17:08:30 CEST 2007


ludo at chbouib.org (Ludovic Courtès) writes:

> Hi,
>
> When X.509 authentication is used along with `GNUTLS_CERT_REQUIRE' on
> the server-side, the client apparently does not send its certificate as
> it should.  Enabling debugging shows the following:
>
>   [7999|3] HSK[80aaee0]: CERTIFICATE was send [678 bytes]
>   [8037|3] HSK[80aaee0]: CERTIFICATE was received [678 bytes]
>   [7999|3] HSK[80aaee0]: CERTIFICATE REQUEST was send [9 bytes]
>   [8037|3] HSK[80aaee0]: CERTIFICATE REQUEST was received [9 bytes]
>   [8037|2] ASSERT: auth_cert.c:207
>   [7999|3] HSK[80aaee0]: SERVER HELLO DONE was send [4 bytes]
>   [8037|3] HSK[80aaee0]: SERVER HELLO DONE was received [4 bytes]
>   [8037|3] HSK[80aaee0]: CERTIFICATE was send [7 bytes]
>   [8037|3] HSK[80aaee0]: CLIENT KEY EXCHANGE was send [134 bytes]
>   [8037|3] REC[80aaee0]: Sent ChangeCipherSpec
>   [8037|3] HSK[80aaee0]: Cipher Suite: RSA_NULL_MD5
>   [8037|3] HSK[80aaee0]: Initializing internal [write] cipher sessions
>   [8037|3] HSK[80aaee0]: FINISHED was send [16 bytes]
>   [7999|3] HSK[80aaee0]: CERTIFICATE was received [7 bytes]
>   [7999|2] ASSERT: auth_cert.c:874
>   [7999|2] ASSERT: gnutls_handshake.c:2475
>
> Here, 7999 is the server and 8037 is the client.
>
> Apparently, in `_gnutls_send_client_certificate ()', the client ends up
> calling `_gnutls_send_handshake ()' with DATA == NULL and DATA_SIZE == 0,
> hence the 7-byte "certificate" message.
>
> Any idea what's going wrong?

Is OpenPGP preferred over X.509?  If OpenPGP is preferred over X.509,
and that has been negotiated, then X.509 certificates will not be sent.
This is somewhat of a flaw in the TLS-OpenPGP draft IMHO; it should be
possible to support both X.509 and OpenPGP at the same time.

I know that the recent GnuTLS default is to prefer OpenPGP over X.509.
It is probably wrong, and I have reverted it in CVS HEAD.

There may be other causes too, but this one is what I've run into a few
times.  Does this help?

Btw, is the 7-byte message wrong?  Maybe it shouldn't be sent at all in
this situation.

/Simon
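As an added illustration (not GnuTLS code, and not from either poster), this is why the client's "certificate" in the trace is exactly 7 bytes: a 4-byte handshake header (type plus uint24 length) followed by a 3-byte certificate_list length of zero, which is how a TLS 1.0 client says it has no certificate (RFC 2246, 7.4.6). The parser below, with constructed sample messages, counts the entries in such a message and shows the server-side check a GNUTLS_CERT_REQUIRE policy implies: an empty list must be rejected rather than treated as an anonymous client.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HS_CERTIFICATE 11   /* HandshakeType certificate (RFC 2246, 7.4) */
/* 24-bit big-endian length, as used for TLS handshake framing. */
static uint32_t rd_u24(const uint8_t *p) {
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}
/* Count entries in a Certificate message's certificate_list.
 * Returns -1 when the framing is inconsistent, else the number of
 * certificates (0 means the client sent an empty list). */
int count_certificates(const uint8_t *msg, size_t len) {
    if (len < 7 || msg[0] != HS_CERTIFICATE) return -1;
    if (rd_u24(msg + 1) + 4 != len) return -1;   /* type(1) + length(3) + body */
    if (rd_u24(msg + 4) + 7 != len) return -1;   /* certificate_list<0..2^24-1> */
    const uint8_t *p = msg + 7, *end = msg + len;
    int count = 0;
    while (p < end) {                            /* each ASN.1Cert is uint24-prefixed */
        if (end - p < 3) return -1;
        uint32_t cert_len = rd_u24(p);
        p += 3;
        if (cert_len == 0 || (size_t)(end - p) < cert_len) return -1;
        p += cert_len;
        count++;
    }
    return count;
}

/* Server policy: under "require" semantics an empty list is a failure,
 * not an anonymous client.  Returns 1 to accept, 0 to reject. */
int accept_client_certificate(const uint8_t *msg, size_t len, int require) {
    int n = count_certificates(msg, len);
    if (n < 0) return 0;                 /* malformed: always reject */
    if (n == 0) return require ? 0 : 1;  /* empty list only acceptable if optional */
    return 1;
}
/* Constructed sample: the 7-byte message in the trace above, i.e. a
 * Certificate message whose certificate_list length is zero. */
const uint8_t empty_cert_msg[7] = { HS_CERTIFICATE, 0, 0, 3, 0, 0, 0 };
/* Constructed sample: one 4-byte placeholder entry (not real DER). */
const uint8_t one_cert_msg[14] = { HS_CERTIFICATE, 0, 0, 10, 0, 0, 7,
                                   0, 0, 4, 0xde, 0xad, 0xbe, 0xef };

int main(void) {
    printf("empty message: %d certs, accepted under REQUIRE: %d\n",
           count_certificates(empty_cert_msg, 7), accept_client_certificate(empty_cert_msg, 7, 1));
    return 0;
}
```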
