Client certificate authentication fails

Bug #1095052 reported by Andrew Colin Kissa
Affects            Status        Importance  Assigned to    Milestone
gnutls26 (Ubuntu)  Fix Released  Medium      Unassigned
Precise            Fix Released  Medium      Timo Aaltonen
Quantal            Fix Released  Medium      Unassigned

Bug Description

[Impact]:

Applications that are linked to gnutls26 and use client certificate authentication do not work. I personally know of apt-transport-https, gnutls-cli and subversion (#1020591), but any application linked to this library will possibly have the same issue.

Apt repositories that use client certificate authentication do not work; you get the error:

"GnuTLS error: GnuTLS internal error."

This issue was reported upstream and fixed in a version newer than the one shipped in precise: https://gitorious.org/gnutls/gnutls/commit/555766063e08fc675b88e06560f79456c4ba4f24 I have cherry-picked that fix into the precise version.

[Test case]:

Create a CA and certificates for use:

openssl genrsa -aes256 -seed -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -aes256 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out server.crt

Set up a web server (Nginx or Apache) for SSL client certificate authentication:

#Nginx
server {
        listen 443;
        root /var/www;
        index index.html index.htm;
        ssl on;
        ssl_certificate /etc/ssl/certs/server.crt;
        ssl_certificate_key /etc/ssl/certs/server.key;

        ssl_session_timeout 5m;

        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
        ssl_prefer_server_ciphers on;
        ssl_client_certificate /etc/ssl/certs/ca.crt;
        ssl_verify_client on;
        location / {
                try_files $uri $uri/ =404;
        }
}

#apache
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
 ServerAdmin webmaster@localhost
 DocumentRoot /var/www
 <Directory />
  Options FollowSymLinks
  AllowOverride None
 </Directory>
 <Directory /var/www>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
 </Directory>
 ErrorLog ${APACHE_LOG_DIR}/error.log
 LogLevel warn
 CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
 SSLEngine on
 SSLCertificateFile /etc/ssl/certs/server.crt
 SSLCertificateKeyFile /etc/ssl/certs/server.key
 SSLCACertificateFile /etc/ssl/certs/ca.crt
 SSLVerifyClient require
 SSLVerifyDepth 10
</VirtualHost>
</IfModule>

Test Case 1
===========

Then test using gnutls-cli linked to the gnutls26 package:

gnutls-cli --x509cafile ca.crt --x509keyfile client.key --x509certfile client.crt server_ip_address -V

Processed 1 CA certificate(s).
Processed 1 CRL(s).
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'ubuntu.home.topdog-software.com'...
Connecting to '192.168.1.12:443'...
- Server's trusted authorities:
   [0]: C=ZA,ST=Gauteng,L=Johannesburg,O=XXXX,OU=CA,CN=XXXX,EMAIL=info@XXXX
*** Fatal error: GnuTLS internal error.
*** Handshake has failed
GnuTLS error: GnuTLS internal error.

Test Case 2
===========

Test apt-transport-https:

/etc/apt/apt.conf.d/00httpstest

Acquire::https::testserver_address::CaInfo "/etc/apt/certs/ca.crt";
Acquire::https::testserver_address::SslCert "/etc/apt/certs/client.crt";
Acquire::https::testserver_address::SslKey "/etc/apt/certs/client.key";
Debug::Acquire::https "true";

/etc/apt/sources.list.d/test.list

deb https://testserver_address precise/

Then run apt-get update:

gnutls_handshake() failed: GnuTLS internal error.

[Regression Potential]

The patch does not cause any regressions that I can see.
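As an added check that is not part of the bug report: the script below exercises the same test case (a constructed CA, a client certificate and a server certificate, with the server requiring a client certificate as ssl_verify_client on / SSLVerifyClient require do) using Python's ssl module, so a practitioner can confirm that the PKI and server-side requirement work independently of the gnutls26-linked client. The openssl CLI is assumed to be on PATH; file names, CNs and serials are constructed for the example.

```python
import os, socket, ssl, subprocess, tempfile, threading

def make_certs(d):
    """Constructed test PKI (CA, client, server) mirroring the bug's openssl steps,
    but with unencrypted keys and -subj so it runs unattended."""
    def run(*args):
        subprocess.run(["openssl", *args], check=True, cwd=d, capture_output=True)
    run("req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
        "-subj", "/CN=Test CA", "-keyout", "ca.key", "-out", "ca.crt")
    for name, serial in (("client", "01"), ("server", "02")):
        run("req", "-newkey", "rsa:2048", "-nodes", "-subj", "/CN=" + name,
            "-keyout", name + ".key", "-out", name + ".csr")
        run("x509", "-req", "-days", "1", "-in", name + ".csr", "-CA", "ca.crt",
            "-CAkey", "ca.key", "-set_serial", serial, "-out", name + ".crt")

def handshake(d, present_client_cert=True):
    """One mutual-TLS handshake on loopback; the server demands a client cert.
    Returns {"cn": ...} if it verified one, else {"err": ...} with the error text."""
    p = lambda n: os.path.join(d, n)
    srv = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    srv.load_cert_chain(p("server.crt"), p("server.key"))
    srv.load_verify_locations(p("ca.crt"))
    srv.verify_mode = ssl.CERT_REQUIRED  # ssl_verify_client on / SSLVerifyClient require
    lsock = socket.create_server(("127.0.0.1", 0))
    lsock.settimeout(5)  # never hang if the client side fails to connect
    result = {}
    def serve():
        try:
            with srv.wrap_socket(lsock.accept()[0], server_side=True) as s:
                subject = dict(pair for rdn in s.getpeercert()["subject"] for pair in rdn)
                result["cn"] = subject["commonName"]
        except OSError as e:  # ssl.SSLError is an OSError subclass
            result["err"] = str(e)
    t = threading.Thread(target=serve)
    t.start()
    cli = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    cli.load_verify_locations(p("ca.crt"))  # server cert is still chain-validated
    cli.check_hostname = False  # server identity is not what this test exercises
    if present_client_cert:
        cli.load_cert_chain(p("client.crt"), p("client.key"))
    try:
        cli.wrap_socket(socket.create_connection(lsock.getsockname())).close()
    except OSError as e:
        result.setdefault("err", str(e))
    t.join()
    lsock.close()
    return result

def run_test_case():
    d = tempfile.mkdtemp()
    make_certs(d)
    return {"with_cert": handshake(d).get("cn"),
            "without_cert": "err" in handshake(d, present_client_cert=False)}
```

A working setup yields with_cert == "client" and without_cert == True; if the gnutls-cli run from Test Case 1 still fails against the same files, the fault is in the client library rather than the certificates or server configuration.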

Andrew Colin Kissa (topdog) wrote :
description: updated
Brian Murray (brian-murray) wrote :

This also needs fixing in Quantal.

Changed in gnutls26 (Ubuntu):
status: New → Fix Released
importance: Undecided → Medium
Changed in gnutls26 (Ubuntu Precise):
status: New → Triaged
Changed in gnutls26 (Ubuntu Quantal):
status: New → Triaged
Changed in gnutls26 (Ubuntu Precise):
importance: Undecided → Medium
Changed in gnutls26 (Ubuntu Quantal):
importance: Undecided → Medium
tags: added: quantal
Thomas Ward (teward) wrote :

The debdiff attached by the poster is not complete - it is missing DEP3 tags, and may be missing build tests.

I've discussed with them, and I'll work on both debdiffs, include DEP3, and then build-test prior to subscribing sponsors. Sponsors: you may want to unsubscribe yourself from this since there's an incomplete debdiff, and a missing quantal debdiff.

Changed in gnutls26 (Ubuntu Quantal):
assignee: nobody → Thomas Ward (teward)
Changed in gnutls26 (Ubuntu Precise):
assignee: nobody → Thomas Ward (teward)
Thomas Ward (teward) wrote :

Build tests with the patch (without DEP3 for expediency purposes) succeeded, and are in this PPA: https://launchpad.net/~teward/+archive/buildtests

I am currently preparing the debdiffs with DEP3, so that it is suitable for inclusion in Ubuntu as an SRU. Those will be uploaded shortly.

Changed in gnutls26 (Ubuntu Precise):
status: Triaged → In Progress
Changed in gnutls26 (Ubuntu Quantal):
status: Triaged → In Progress
Thomas Ward (teward) wrote :

Precise DebDiff

Thomas Ward (teward) wrote :

Quantal DebDiff

Changed in gnutls26 (Ubuntu Precise):
assignee: Thomas Ward (teward) → nobody
status: In Progress → Triaged
Changed in gnutls26 (Ubuntu Quantal):
assignee: Thomas Ward (teward) → nobody
status: In Progress → Triaged
Thomas Ward (teward) wrote :

Both DebDiffs have been uploaded. I've subscribed both ubuntu-sponsors, because I don't have upload rights, and ubuntu-sru to process the SRU.

Timo Aaltonen (tjaalton) wrote :

Thanks for the backports! I've uploaded a new version to precise & quantal, but they need to get past the SRU check first.

Changed in gnutls26 (Ubuntu Precise):
assignee: nobody → Timo Aaltonen (tjaalton)
status: Triaged → In Progress
Changed in gnutls26 (Ubuntu Quantal):
status: Triaged → In Progress
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Andrew, or anyone else affected,

Accepted gnutls26 into quantal-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu4.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnutls26 (Ubuntu Quantal):
status: In Progress → Fix Committed
tags: added: verification-needed
Andrew Colin Kissa (topdog) wrote :

Hi Brian,

I am running precise and no proposed package has been released for that, thus I am unable to test at the moment.

Peter McAlpine (peter-i) wrote :

I downloaded the quantal-proposed package from here:
https://launchpad.net/ubuntu/quantal/amd64/libgnutls26/2.12.14-5ubuntu4.1

I installed this on precise, ran through both of Andrew's test cases and can confirm the issue is fixed.

As Andrew points out in #10, there's no proposed package for precise so I have not changed the tag to verification-done.

Colin Watson (cjwatson) wrote :

I'd prefer the precise upload to wait until after 12.04.2 at this point, since we're frozen and this is on the images we're trying to finalise, but I have no problem with it going in straight after that.

tags: added: verification-done-quantal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu4.1

---------------
gnutls26 (2.12.14-5ubuntu4.1) quantal-proposed; urgency=low

  * debian/patches/lp1095052.patch:
    - Added new patch, derived from an upstream revision, which provides
      a fix for an issue where client certificate authentication will
      fail. (LP: #1095052)
 -- Thomas Ward <email address hidden> Mon, 07 Jan 2013 19:52:48 +0000

Changed in gnutls26 (Ubuntu Quantal):
status: Fix Committed → Fix Released
Dave Walker (davewalker) wrote :

Hello Andrew, or anyone else affected,

Accepted gnutls26 into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu3.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnutls26 (Ubuntu Precise):
status: In Progress → Fix Committed
Dave Walker (davewalker) wrote :

Please disregard the above comment, the update was in fact trumped by a security update. This update needs to be rebased against this update and uploaded back to the precise queue.

Thanks.

tags: removed: verification-needed
Changed in gnutls26 (Ubuntu Precise):
status: Fix Committed → In Progress
John Ryan (johnryannz) wrote :

Hi, has there been any progress resubmitting the Precise patch?

Cheers,
John

James Dingwall (a-james-launchpad) wrote :

Hi,

We are currently facing an issue in Precise using certificate authenticated apt repositories. It seems that this problem with the gnutls library is the root cause of the issue that we are seeing. Although upgrading to a different Ubuntu release would be a solution for us it is significantly less preferable than having it solved through a package update in Precise. Has there been any further progress in rebasing the patch on top of the security update?

Thanks,
James

Timo Aaltonen (tjaalton) wrote :

Sorry about the delay, a new version is now uploaded to precise-proposed.

Brian Murray (brian-murray) wrote :

Hello Andrew, or anyone else affected,

Accepted gnutls26 into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/gnutls26/2.12.14-5ubuntu3.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in gnutls26 (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
James Dingwall (a-james-launchpad) wrote :

I have tested this new version and it resolves the problem that we were experiencing with certificate authenticated apt repositories.

Thanks,
James

tags: added: verification-done-precise
removed: verification-needed
Simon Déziel (sdeziel) wrote :

I can confirm this issue is fixed in Precise using -proposed package. Thanks!

Scott Kitterman (kitterman) wrote : Update Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnutls26 - 2.12.14-5ubuntu3.3

---------------
gnutls26 (2.12.14-5ubuntu3.3) precise-proposed; urgency=low

  * debian/patches/lp1095052.patch:
    - Added new patch, derived from an upstream revision, which provides
      a fix for an issue where client certificate authentication will
      fail. (LP: #1095052)
 -- Timo Aaltonen <email address hidden> Mon, 22 Apr 2013 20:39:44 +0300

Changed in gnutls26 (Ubuntu Precise):
status: Fix Committed → Fix Released