
Bug#579631: gnutls-bin: gnutls fails to base64 decode cert if header has additional space at EOL


Philipp Kolmann

Apr 29, 2010, 6:50:01 AM
Package: gnutls-bin
Version: 2.8.6-1
Severity: normal
Tags: lenny sid

Hi,

I got a new cert for my servers and updated also the certs for exim for TLS.
With dovecot and Apache I never had any issues but exim failed to start tls:

2010-04-29 09:43:26 TLS error on connection from xxx.tuwien.ac.at (XXXX) [128.130.xx.xx] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Base64 decoding error.

In the end I found out that the header of the cert has an additional space
after the -----BEGIN CERTIFICATE----- and before the newline.

gnutls then fails to decode the cert. openssl has no issues with the additional
blank. Would it be possible to ignore this whitespace in gnutls as well?

thanks
Philipp Kolmann

-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-3-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages gnutls-bin depends on:
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
ii libgcrypt11 1.4.5-2 LGPL Crypto library - runtime libr
ii libgnutls26 2.8.6-1 the GNU TLS library - runtime libr
ii libreadline6 6.1-2 GNU readline and history libraries
ii libtasn1-3 2.5-1 Manage ASN.1 structures (runtime)
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime

gnutls-bin recommends no packages.

gnutls-bin suggests no packages.

-- no debconf information


Simon Josefsson

Apr 29, 2010, 7:10:02 AM
severity 579631 wishlist
thanks

Philipp Kolmann <phi...@kolmann.at> writes:

> Hi,
>
> I got a new cert for my servers and updated also the certs for exim for TLS.
> With dovecot and Apache I never had any issues but exim failed to start tls:
>
> 2010-04-29 09:43:26 TLS error on connection from xxx.tuwien.ac.at (XXXX) [128.130.xx.xx] (cert/key setup: cert=/etc/exim4/exim.crt key=/etc/exim4/exim.key): Base64 decoding error.
>
> In the end I found out that the header of the cert has an additional space
> after the -----BEGIN CERTIFICATE----- and before the newline.
>
> gnutls then fails to decode the cert. openssl has no issues with the additional
> blank. Would it be possible to ignore this whitespace in gnutls as well?

Hi! Thanks for identifying this, it could explain some similar reports
we've seen. However I cannot reproduce this outside of exim, can you?

I tried running 'certtool < foo' on a file 'foo' containing:

but it worked fine.

/Simon

Simon Josefsson

Apr 29, 2010, 8:50:02 AM
Philipp Kolmann <phi...@kolmann.at> writes:

> if you put the blank in the first line it still crashes.
>
> attached the cert file, which crashes here with me:
>
> pkolmann@wspk:~$ certtool -i < test.crt
> |<1>| Could not find '-----
> '
> certtool: import error: Base64 unexpected header error.

Thanks, I'm able to reproduce it now. That shouldn't be too difficult
to fix.
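
A pre-deployment check for the condition reported in this thread, as an added example that is not part of the original messages and is not GnuTLS, exim or certtool code: it flags spaces or tabs after a PEM BEGIN/END line, confirms the body still decodes as base64, and returns a copy with the boundary lines cleaned. The names `lint_pem` and `SAMPLE` are hypothetical, and the sample payload is constructed, not a real certificate.

```python
import base64
import re

# A PEM boundary line; trailing spaces/tabs are captured so they can be reported.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----([ \t]*)$")

def lint_pem(text):
    """Return (findings, normalized_text) for the contents of a PEM file.

    findings is a list of (line_number, message). normalized_text uses LF
    line endings and has whitespace stripped from boundary lines only.
    """
    findings, out, body, label, n = [], [], [], None, 0
    for n, line in enumerate(text.splitlines(), start=1):
        m = BOUNDARY.match(line)
        if not m:
            if label is not None:          # inside a BEGIN/END block
                body.append(line.strip())
            out.append(line)
            continue
        kind, name, trailing = m.groups()
        if trailing:
            findings.append((n, f"trailing whitespace after {kind} {name} line"))
        out.append(f"-----{kind} {name}-----")
        if kind == "BEGIN":
            label, body = name, []
            continue
        if name != label:
            findings.append((n, f"END {name} does not match BEGIN {label}"))
        else:
            try:
                base64.b64decode("".join(body), validate=True)
            except ValueError:             # binascii.Error is a ValueError
                findings.append((n, f"base64 body of {name} does not decode"))
        label = None
    if label is not None:
        findings.append((n, f"missing END line for {label}"))
    return findings, "\n".join(out) + "\n"

# Constructed sample: placeholder payload, one trailing space on the BEGIN line.
SAMPLE = ("-----BEGIN CERTIFICATE----- \n"
          + base64.b64encode(b"constructed DER placeholder").decode() + "\n"
          + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for lineno, msg in lint_pem(SAMPLE)[0]:
        print(f"line {lineno}: {msg}")
```
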
