[Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'


From: Simon Josefsson
Subject: [Help-gnutls] Re: X.509 authentication and `GNUTLS_CERT_REQUIRE'
Date: Fri, 11 May 2007 17:08:30 +0200
User-agent: Gnus/5.110007 (No Gnus v0.7) Emacs/22.0.95 (gnu/linux)

address@hidden (Ludovic Courtès) writes:

> Hi,
>
> When X.509 authentication is used along with `GNUTLS_CERT_REQUIRE' on
> the server-side, the client apparently does not send its certificate as
> it should.  Enabling debugging shows the following:
>
>   [7999|3] HSK[80aaee0]: CERTIFICATE was send [678 bytes]
>   [8037|3] HSK[80aaee0]: CERTIFICATE was received [678 bytes]
>   [7999|3] HSK[80aaee0]: CERTIFICATE REQUEST was send [9 bytes]
>   [8037|3] HSK[80aaee0]: CERTIFICATE REQUEST was received [9 bytes]
>   [8037|2] ASSERT: auth_cert.c:207
>   [7999|3] HSK[80aaee0]: SERVER HELLO DONE was send [4 bytes]
>   [8037|3] HSK[80aaee0]: SERVER HELLO DONE was received [4 bytes]
>   [8037|3] HSK[80aaee0]: CERTIFICATE was send [7 bytes]
>   [8037|3] HSK[80aaee0]: CLIENT KEY EXCHANGE was send [134 bytes]
>   [8037|3] REC[80aaee0]: Sent ChangeCipherSpec
>   [8037|3] HSK[80aaee0]: Cipher Suite: RSA_NULL_MD5
>   [8037|3] HSK[80aaee0]: Initializing internal [write] cipher sessions
>   [8037|3] HSK[80aaee0]: FINISHED was send [16 bytes]
>   [7999|3] HSK[80aaee0]: CERTIFICATE was received [7 bytes]
>   [7999|2] ASSERT: auth_cert.c:874
>   [7999|2] ASSERT: gnutls_handshake.c:2475
>
> Here, 7999 is the server and 8037 is the client.
>
> Apparently, in `_gnutls_send_client_certificate ()', the client ends up
> calling `_gnutls_send_handshake ()' with DATA == NULL and DATA_SIZE == 0,
> hence the 7-byte "certificate" message.
>
> Any idea what's going wrong?

Is OpenPGP preferred over X.509?  If OpenPGP is preferred over X.509,
and that has been negotiated, then X.509 certificates will not be sent.
This is somewhat of a flaw in the TLS-OpenPGP draft IMHO, it should be
possible to support both X.509 and OpenPGP at the same time.

I know that the recent GnuTLS default is to prefer OpenPGP over X.509.
It is probably wrong, and I have reverted it in CVS HEAD.

There may be other causes too, but this one is what I've run into a few
times.  Does this help?

Btw, is the 7-byte message wrong?  Maybe it shouldn't be sent at all in
this situation.

/Simon
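The 7-byte "certificate" that Ludovic observed is exactly what an empty TLS Certificate handshake message looks like: a 4-byte handshake header (type 11 plus a 3-byte length) followed by a 3-byte certificate_list length of zero. The following is an added example, not code from the thread or from GnuTLS itself; it encodes and decodes Certificate messages in that wire format and runs a small checker over the debug trace quoted above (copied here as sample input) to flag a client that answered a CERTIFICATE REQUEST with an empty certificate list, which is what a server configured with `GNUTLS_CERT_REQUIRE` will reject. The function and variable names are my own.

```python
import re
import struct

# Sample input: the GnuTLS debug trace quoted in the thread, embedded here
# so the checker runs offline. 7999 is the server, 8037 the client.
TRACE = """
[7999|3] HSK[80aaee0]: CERTIFICATE was send [678 bytes]
[8037|3] HSK[80aaee0]: CERTIFICATE was received [678 bytes]
[7999|3] HSK[80aaee0]: CERTIFICATE REQUEST was send [9 bytes]
[8037|3] HSK[80aaee0]: CERTIFICATE REQUEST was received [9 bytes]
[8037|2] ASSERT: auth_cert.c:207
[7999|3] HSK[80aaee0]: SERVER HELLO DONE was send [4 bytes]
[8037|3] HSK[80aaee0]: SERVER HELLO DONE was received [4 bytes]
[8037|3] HSK[80aaee0]: CERTIFICATE was send [7 bytes]
[8037|3] HSK[80aaee0]: CLIENT KEY EXCHANGE was send [134 bytes]
[7999|3] HSK[80aaee0]: CERTIFICATE was received [7 bytes]
[7999|2] ASSERT: auth_cert.c:874
"""

HANDSHAKE_CERTIFICATE = 11  # HandshakeType certificate(11), RFC 4346 section 7.4

# Matches the "HSK[...]: <message> was send/received [<n> bytes]" trace lines.
LINE_RE = re.compile(
    r"\[(\d+)\|\d+\] HSK\[[0-9a-f]+\]: (.+?) was (send|received) \[(\d+) bytes\]"
)


def _uint24(n):
    """Encode n as a 3-byte big-endian length, as TLS does for vectors < 2^24."""
    return struct.pack(">I", n)[1:]


def build_certificate_message(der_certs):
    """Build a complete Certificate handshake message from a list of DER blobs.
    An empty list yields the 7-byte message seen in the trace."""
    entries = b"".join(_uint24(len(c)) + c for c in der_certs)
    cert_list = _uint24(len(entries)) + entries
    return bytes([HANDSHAKE_CERTIFICATE]) + _uint24(len(cert_list)) + cert_list


def parse_certificate_message(msg):
    """Decode a Certificate handshake message back into its list of DER blobs,
    validating both length prefixes. Raises ValueError on malformed input."""
    if len(msg) < 7 or msg[0] != HANDSHAKE_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    if body_len != len(msg) - 4:
        raise ValueError("handshake length does not match message size")
    list_len = int.from_bytes(msg[4:7], "big")
    if list_len != body_len - 3:
        raise ValueError("certificate_list length does not match body")
    certs, pos, end = [], 7, 7 + list_len
    while pos < end:
        if pos + 3 > end:
            raise ValueError("truncated certificate entry length")
        clen = int.from_bytes(msg[pos:pos + 3], "big")
        pos += 3
        if pos + clen > end:
            raise ValueError("certificate entry overruns certificate_list")
        certs.append(msg[pos:pos + clen])
        pos += clen
    return certs


def parse_trace(text):
    """Yield (pid, message, direction, size) for each handshake trace line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def client_certificate_size(text, client_pid):
    """Size of the CERTIFICATE message the client sent after it received a
    CERTIFICATE REQUEST, or None if it never sent one."""
    request_seen = False
    for pid, msg, direction, size in parse_trace(text):
        if pid != client_pid:
            continue
        if msg == "CERTIFICATE REQUEST" and direction == "received":
            request_seen = True
        elif request_seen and msg == "CERTIFICATE" and direction == "send":
            return size
    return None


def diagnose_client_auth(text, client_pid):
    """Classify the client's reply to the server's certificate request.
    'empty' is the case from the thread: a Certificate message carrying no
    certificates, which GNUTLS_CERT_REQUIRE on the server will reject."""
    size = client_certificate_size(text, client_pid)
    if size is None:
        return "missing"
    if size == len(build_certificate_message([])):
        return "empty"
    return "sent"


if __name__ == "__main__":
    print("client certificate:", diagnose_client_auth(TRACE, "8037"))  # empty
```

The `empty` result is the symptom; the fix on the GnuTLS side, as Simon describes, is making sure the negotiated certificate type is X.509 when that is the credential the client actually holds, rather than letting OpenPGP win the certificate-type priority.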



