Package: gnutls26
Severity: wishlist

Hi!
It has caused me much confusion that gnutls does not handle client certificates well if they contain CA certificates together with the client cert and key (at least that seems to be the case if the CA certificates are listed *before* the client cert). (You can see much of the resulting confusion as well as the discovery of the real cause in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530510 )

In particular,

,----
| gnutls-cli --print-cert --verbose -p 4711 --x509certfile \
|   /home/user/secret/organisation-user.pem -p 443 \
|   intern.organisation.org \
|   --x509keyfile /home/user/secret/organisation-user.pem
`----

fails with a key usage violation error if organisation-user.pem contains the CA certificates before the client cert.

Unfortunately, some CAs generate client certs like this (i.e. first the key, then the certs in order of the chain, i.e. first the root-ca and client-ca certs, then the client cert), and firefox and openssl export them in the same order. Also, openssl handles that case gracefully. The pkcs12 manpage (from openssl) even states:

,----[ manual page pkcs12(1) ]
| If none of the -clcerts, -cacerts or -nocerts options are present then
| all certificates will be output in the order they appear in the input
| PKCS#12 files. There is no guarantee that the first certificate present
| is the one corresponding to the private key. Certain software which
| requires a private key and certificate and assumes the first
| certificate in the file is the one corresponding to the private key:
| this may not always be the case. Using the -clcerts option will solve
| this problem by only outputting the certificate corresponding to the
| private key. If the CA certificates are required then they can be
| output to a separate file using the -nokeys -cacerts options to just
| output CA certificates.
`----

which was quite helpful once I discovered why it didn't work. Unfortunately, I could not find any reference to this behaviour in the gnutls documentation.
Also, the error message "key usage violation error" doesn't help a lot. (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=530510 documents that we looked at the key usage bits in the client and server certs first, which were all correct.)

In order of preference, I'd like one or all of the following resolutions:

- If the certificate doesn't fit the key, try another one in the same file.
- "key usage violation error" could output some information about which certificate it actually tried to use. (Which would give a hint that it tried to use a CA cert.)
- Document in a prominent place that gnutls does not support client certificate files with CA certificates in them. (Sorry if I simply overlooked it.)

Should 530510 be closed or merged with this wishlist bug?

Kind regards
Friedel

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-2-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.utf8, LC_CTYPE=de_DE.utf8 (charmap=UTF-8) (ignored: LC_ALL set to de_DE.utf8)
Shell: /bin/sh linked to /bin/bash
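The first resolution requested in the report (pick the certificate that actually fits the key instead of the first one in the file) can be done outside gnutls with openssl(1) alone. The script below is an added example, not part of the bug report and not gnutls or openssl code: it splits a PEM bundle into its key and certificate blocks, compares the SHA-256 of each certificate's DER-encoded public key with that of the private key, and rewrites the bundle as key, matching certificate, then the remaining (CA) certificates, which is the order software that assumes "first certificate belongs to the key" will accept. A bundle in which no certificate matches the key is reported on stderr rather than silently passed on, which is the information the "key usage violation" message hides. All function names and the temporary-file layout are my own; it assumes a single private key per bundle and the `openssl pkey` and `openssl x509` subcommands.

```shell
#!/bin/sh
# Added example (not from the bug report, gnutls or openssl): reorder a PEM
# bundle so the certificate matching the private key comes first.
# Assumes exactly one private key block in the bundle; function names are mine.

# Extract the (single) private key block from a PEM bundle.
pem_key() {
    awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$1"
}

# Number of certificate blocks in a PEM bundle (0 if none; never a failure).
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print the n-th certificate block (1-based) from a PEM bundle.
pem_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# SHA-256 over the DER-encoded SubjectPublicKeyInfo, so that the key and each
# certificate can be compared by the public key they carry.
pubkey_fingerprint_of_key() {
    pem_key "$1" | openssl pkey -pubout -outform DER \
        | openssl dgst -sha256 | sed 's/.*= //'
}
pubkey_fingerprint_of_cert() {
    pem_cert "$1" "$2" | openssl x509 -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | sed 's/.*= //'
}

# Print the 1-based index of the certificate whose public key matches the
# bundle's private key; print nothing and return 1 if none matches.
cert_index_for_key() {
    bundle=$1
    want=$(pubkey_fingerprint_of_key "$bundle")
    n=$(pem_cert_count "$bundle")
    i=1
    while [ "$i" -le "$n" ]; do
        if [ "$(pubkey_fingerprint_of_cert "$bundle" "$i")" = "$want" ]; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Write the bundle to stdout as: private key, its certificate, then the other
# certificates (the CA chain) in their original order.
reorder_bundle() {
    bundle=$1
    idx=$(cert_index_for_key "$bundle") || {
        echo "error: no certificate in $bundle matches its private key" >&2
        return 1
    }
    pem_key "$bundle"
    pem_cert "$bundle" "$idx"
    n=$(pem_cert_count "$bundle")
    i=1
    while [ "$i" -le "$n" ]; do
        if [ "$i" -ne "$idx" ]; then
            pem_cert "$bundle" "$i"
        fi
        i=$((i + 1))
    done
}

# Usage: sh fix-bundle.sh organisation-user.pem > organisation-user-fixed.pem
if [ $# -gt 0 ]; then
    reorder_bundle "$1"
fi
```

The comparison is done on the public key rather than on subject names, so it does not depend on how the exporting tool ordered or labelled the blocks; `openssl pkcs12 -clcerts` (quoted from the manpage above) achieves the same selection at export time, while this script fixes a bundle that has already been written in the problematic order.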