Debian Bug report logs - #481132
libgnutls26: should use EDH only if server cert supports it


Package: libgnutls26; Maintainer for libgnutls26 is Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>; Source for libgnutls26 is src:gnutls26.

Reported by: "brian m. carlson" <sandals@crustytoothpaste.net>

Date: Tue, 13 May 2008 23:12:01 UTC

Severity: normal

Tags: upstream, wontfix

Found in version gnutls26/2.2.3-1





Report forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#481132; Package libgnutls26.

Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
New Bug report received and forwarded. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libgnutls26: flags key usage error where OpenSSL does not
Date: Tue, 13 May 2008 23:09:01 +0000
Package: libgnutls26
Version: 2.2.3-1
Severity: important

I regenerated my SSL certificates today (due to the security advisory)
and mutt now refuses to connect to my SMTP server with STARTTLS.  This
is obviously unsuitable.

Using cyrus-clients-2.3's smtptest (which uses OpenSSL) does not object
to the certificate.  You can find the old certificate, which worked
fine, at
http://crustytoothpaste.ath.cx/cgi-bin/pyca/view-cert.py/ServerCerts/server?18
.  I generated them exactly the same way, and they appear to have
exactly the same extensions.  The MTA is sendmail, which uses OpenSSL.

Feel free to test against my machine if you want.

Transcript of session:

lakeview ok % gnutls-cli -p 587 -s crustytoothpaste.ath.cx
Resolving 'crustytoothpaste.ath.cx'...
Connecting to '172.16.0.1:587'...

- Simple Client Mode:

220 crustytoothpaste.ath.cx ESMTP spoken here
EHLO lakeview.crustytoothpaste.ath.cx
250-crustytoothpaste.ath.cx Hello [172.16.3.249], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 15000000
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS
*** Starting TLS handshake
*** Fatal error: Key usage violation in certificate has been detected.
*** Handshake has failed


-- System Information:
Debian Release: lenny/sid
   APT prefers unstable
   APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnutls26 depends on:
ii  libc6                  2.7-11            GNU C Library: Shared libraries
ii  libgcrypt11            1.4.1-1           LGPL Crypto library - runtime libr
ii  libgpg-error0          1.4-2             library for common error values an
ii  libopencdk10           0.6.6-1           Open Crypto Development Kit (OpenC
ii  libtasn1-3             1.4-1             Manage ASN.1 structures (runtime)
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

libgnutls26 recommends no packages.

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#481132; Package libgnutls26.

Acknowledgement sent to Simon Josefsson <simon@josefsson.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>.

Message #10 received at 481132@bugs.debian.org:

From: Simon Josefsson <simon@josefsson.org>
To: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Cc: 481132@bugs.debian.org
Subject: Re: [Pkg-gnutls-maint] Bug#481132: libgnutls26: flags key usage error where OpenSSL does not
Date: Wed, 14 May 2008 17:42:45 +0200
"brian m. carlson" <sandals@crustytoothpaste.ath.cx> writes:

> Package: libgnutls26
> Version: 2.2.3-1
> Severity: important
>
> I regenerated my SSL certificates today (due to the security advisory)
> and mutt now refuses to connect to my SMTP server with STARTTLS.  This
> is obviously unsuitable.
>
> Using cyrus-clients-2.3's smtptest (which uses OpenSSL) does not object
> to the certificate.  You can find the old certificate, which worked
> fine, at
> http://crustytoothpaste.ath.cx/cgi-bin/pyca/view-cert.py/ServerCerts/server?18
> .  I generated them exactly the same way, and they appear to have
> exactly the same extensions.  The MTA is sendmail, which uses OpenSSL.
>
> Feel free to test against my machine if you want.
>
> Transcript of session:
>
> lakeview ok % gnutls-cli -p 587 -s crustytoothpaste.ath.cx

Hi!  Thanks for the report.  Unfortunately, I think your certificate is
incorrect, you'll need the digitalSignature Key Usage Bit as well.

RFC 2246 and 4346:

      DHE_RSA                 RSA public key that can be used for
                              signing.
...
   All certificate profiles and key and cryptographic formats are
   defined by the IETF PKIX working group [PKIX].  When a key usage
   extension is present, the digitalSignature bit MUST be set for the
   key to be eligible for signing, as described above, and the
   keyEncipherment bit MUST be present to allow encryption, as described
   above.  The keyAgreement bit must be set on Diffie-Hellman
   certificates.

See a similar recent report:

http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2788/focus=2789

/Simon




Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#481132; Package libgnutls26.

Acknowledgement sent to "brian m. carlson" <sandals@crustytoothpaste.ath.cx>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>.

Message #15 received at 481132@bugs.debian.org:

From: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
To: Simon Josefsson <simon@josefsson.org>
Cc: 481132@bugs.debian.org, control@bugs.debian.org
Subject: Re: [Pkg-gnutls-maint] Bug#481132: libgnutls26: flags key usage error where OpenSSL does not
Date: Wed, 14 May 2008 16:13:16 +0000
retitle 481132 libgnutls26: should use EDH only if server cert supports it
kthxbye

On Wed, May 14, 2008 at 05:42:45PM +0200, Simon Josefsson wrote:
>Hi!  Thanks for the report.  Unfortunately, I think your certificate is
>incorrect, you'll need the digitalSignature Key Usage Bit as well.
>
>RFC 2246 and 4346:
>
>      DHE_RSA                 RSA public key that can be used for
>                              signing.
>...
>   All certificate profiles and key and cryptographic formats are
>   defined by the IETF PKIX working group [PKIX].  When a key usage
>   extension is present, the digitalSignature bit MUST be set for the
>   key to be eligible for signing, as described above, and the
>   keyEncipherment bit MUST be present to allow encryption, as described
>   above.  The keyAgreement bit must be set on Diffie-Hellman
>   certificates.

I've figured out what the problem is.  If I don't disable kEDH in
sendmail's config, it fails, but if I do disable it, it works.
My IMAP server also has kEDH disabled, and so it also works.

Apparently OpenSSL doesn't try to use kEDH, and so it doesn't fail.
GnuTLS should implement the same behavior; if a certificate doesn't
support digitalSignature, then GnuTLS shouldn't try to use it in that
way.  RSA key exchange is fine for what I need.

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187

Changed Bug title to `libgnutls26: should use EDH only if server cert supports it' from `libgnutls26: flags key usage error where OpenSSL does not'. Request was from "brian m. carlson" <sandals@crustytoothpaste.ath.cx> to control@bugs.debian.org. (Wed, 14 May 2008 16:15:10 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#481132; Package libgnutls26.

Acknowledgement sent to Simon Josefsson <simon@josefsson.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>.

Message #22 received at 481132@bugs.debian.org:

From: Simon Josefsson <simon@josefsson.org>
To: "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Cc: 481132@bugs.debian.org, control@bugs.debian.org
Subject: Re: [Pkg-gnutls-maint] Bug#481132: libgnutls26: flags key usage error where OpenSSL does not
Date: Thu, 15 May 2008 10:48:59 +0200
forwarded 481132 http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/39
severity 481132 wishlist
thanks

"brian m. carlson" <sandals@crustytoothpaste.ath.cx> writes:

> retitle 481132 libgnutls26: should use EDH only if server cert supports it
> kthxbye
>
> On Wed, May 14, 2008 at 05:42:45PM +0200, Simon Josefsson wrote:
>>Hi!  Thanks for the report.  Unfortunately, I think your certificate is
>>incorrect, you'll need the digitalSignature Key Usage Bit as well.
>>
>>RFC 2246 and 4346:
>>
>>      DHE_RSA                 RSA public key that can be used for
>>                              signing.
>>...
>>   All certificate profiles and key and cryptographic formats are
>>   defined by the IETF PKIX working group [PKIX].  When a key usage
>>   extension is present, the digitalSignature bit MUST be set for the
>>   key to be eligible for signing, as described above, and the
>>   keyEncipherment bit MUST be present to allow encryption, as described
>>   above.  The keyAgreement bit must be set on Diffie-Hellman
>>   certificates.
>
> I've figured out what the problem is.  If I don't disable kEDH in
> sendmail's config, it fails, but if I do disable it, it works.
> My IMAP server also has kEDH disabled, and so it also works.
>
> Apparently OpenSSL doesn't try to use kEDH, and so it doesn't fail.
> GnuTLS should implement the same behavior; if a certificate doesn't
> support digitalSignature, then GnuTLS shouldn't try to use it in that
> way.  RSA key exchange is fine for what I need.

I've created a gnutls bug to track this, and changed the severity to
wishlist since this is now a feature request.

There are some subtle issues here.  Some users may prefer an error
message rather than silently downgrading the ciphersuite.  However, I
think that if the user said that both EDH and non-EDH ciphers are OK,
that GnuTLS should automatically remove all EDH ciphers if the provided
server certificate does not include the digitalSignature bit.

Another subtlety is that if
gnutls_certificate_server_set_retrieve_function is used, gnutls doesn't
know the server certificate until later in the handshake, and then it
may be too late to disable the EDH ciphers.  In this case, the handshake
will fail with the same error, I don't think we can do anything about
it.  It is up to the application callback to select a suitable server
certificate in this case.

There are many things which need to have a higher priority for me in
gnutls, so unfortunately I won't have time to create a patch for this.
Of course, if you or someone else creates patches I'll review them.

/Simon




Noted your statement that Bug has been forwarded to http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/39. Request was from Simon Josefsson <simon@josefsson.org> to control@bugs.debian.org. (Thu, 15 May 2008 08:51:07 GMT)

Severity set to `wishlist' from `important'. Request was from Simon Josefsson <simon@josefsson.org> to control@bugs.debian.org. (Thu, 15 May 2008 08:51:09 GMT)

Tags added: upstream. Request was from Simon Josefsson <simon@josefsson.org> to control@bugs.debian.org. (Thu, 15 May 2008 09:30:03 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#481132; Package libgnutls26.

Acknowledgement sent to Nikos Mavrogiannopoulos <nmav@gnutls.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>.

Message #33 received at 481132@bugs.debian.org:

From: Nikos Mavrogiannopoulos <nmav@gnutls.org>
To: 481132@bugs.debian.org
Cc: sandals@crustytoothpaste.ath.cx, simon@josefsson.org
Subject: Re: [Pkg-gnutls-maint] Bug#481132: libgnutls26: flags key usage error where OpenSSL does not
Date: Sun, 18 May 2008 12:55:47 +0300
> I've figured out what the problem is.  If I don't disable kEDH in
> sendmail's config, it fails, but if I do disable it, it works.
> My IMAP server also has kEDH disabled, and so it also works.
> 
> Apparently OpenSSL doesn't try to use kEDH, and so it doesn't fail.
> GnuTLS should implement the same behavior; if a certificate doesn't
> support digitalSignature, then GnuTLS shouldn't try to use it in that
> way.  RSA key exchange is fine for what I need.

This cannot be done due to how SSL/TLS is designed. The certificate is
provided after the ciphersuite is negotiated, thus the client cannot do
anything about this issue.  The server seems to be misconfigured to accept
the DHE* ciphersuites even if its certificate does not support it.

Gnutls servers shouldn't do this so if the server is based on gnutls
please report it as a bug.

regards,
Nikos





Information forwarded to debian-bugs-dist@lists.debian.org, Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>:
Bug#481132; Package libgnutls26. (Thu, 11 Jun 2009 09:09:05 GMT)

Acknowledgement sent to Simon Josefsson <simon@josefsson.org>:
Extra info received and forwarded to list. Copy sent to Debian GnuTLS Maintainers <pkg-gnutls-maint@lists.alioth.debian.org>. (Thu, 11 Jun 2009 09:09:06 GMT)

Message #38 received at 481132@bugs.debian.org:

From: Simon Josefsson <simon@josefsson.org>
To: 481132@bugs.debian.org, "brian m. carlson" <sandals@crustytoothpaste.ath.cx>
Subject: Re: [Pkg-gnutls-maint] Bug#481132: libgnutls26: flags key usage error where OpenSSL does not
Date: Thu, 11 Jun 2009 11:05:47 +0200
severity 481132 wontfix
notforwarded 481132
thanks

"brian m. carlson" <sandals@crustytoothpaste.ath.cx> writes:

> Apparently OpenSSL doesn't try to use kEDH, and so it doesn't fail.
> GnuTLS should implement the same behavior; if a certificate doesn't
> support digitalSignature, then GnuTLS shouldn't try to use it in that
> way.  RSA key exchange is fine for what I need.

I looked into this further, and we cannot implement this for the reason
Nikos explained -- in TLS, the server chooses the ciphersuite to use.  The
client cannot avoid advertising support for DHE ciphers based on the
server certificate, since it hasn't seen the server certificate when
sending the client hello.

We don't want to mimic OpenSSL's behaviour.  The reason OpenSSL works in
this situation is, if I understand correctly, because OpenSSL clients
list non-DHE ciphers as preferred over DHE ciphers.  So your server
would choose the non-DHE cipher by default, and things would work.  I
don't think that is a good idea from a security perspective.  GnuTLS
clients should advertise preference for DHE ciphers.  Finally, servers
shouldn't choose DHE ciphers if they cannot support them.

As far as I can tell you have these options:

1) Reconfigure the server to not (incorrectly) announce support for DHE
ciphers.

2) Regenerate certificates with the digitalSignature bit set.

3) Report a bug against the server to make it avoid choosing a DHE
ciphersuite when the certificate does not have the digitalSignature bit.

4) Configure the client to not prefer DHE ciphers over non-DHE ciphers.
This would mimic the OpenSSL behaviour, but does not enforce the
sub-optimal configuration on all GnuTLS users.  A GnuTLS priority string
"PERFORMANCE" is sufficient -- it prefers non-DHE ciphers over DHE
because non-DHE is faster.

I could be wrong somewhere, so please let me know if you see a way to
actually make things work better in your case without worsening security
for all users.

/Simon
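The check and the negotiation order discussed in this thread, as an added example that is not part of the bug log and not GnuTLS, OpenSSL or sendmail code. It decodes the DER value of a certificate's KeyUsage extension, derives which key exchanges the certificate may serve under the RFC 4346 rule Simon quotes (keyEncipherment for RSA key exchange, digitalSignature for DHE_RSA), and replays a simplified handshake in which the server picks the suite before the client ever sees the certificate, the ordering Nikos describes. The handshake simulation honours the client's preference order (an assumption made for illustration), the two KeyUsage byte strings are constructed sample values, and `SENDMAIL_KEDH_ON`/`SENDMAIL_KEDH_OFF` and the two client orders stand in for the configurations named in the thread, including the non-DHE-first order of the "PERFORMANCE" priority string.

```python
"""Model of the key-usage check behind the 'Key usage violation' error.

Added example, not GnuTLS, OpenSSL or sendmail code.  It decodes the DER
KeyUsage extension value of a server certificate, derives which TLS key
exchanges that certificate may serve (RFC 4346 section 7.4.2, as quoted
in the thread), and replays the handshake for the client preference
orders and server behaviours discussed in the bug log.  The 'handshake'
is a few-line simulation in which the server picks the suite before the
client sees the certificate, which is the ordering TLS imposes.
"""

# KeyUsage bit names in DER bit order (RFC 5280 section 4.2.1.3).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

# Key exchange -> key-usage bit the server certificate must carry.
KX_REQUIRED_BIT = {
    "RSA": "keyEncipherment",       # client encrypts the premaster secret to the RSA key
    "DHE_RSA": "digitalSignature",  # server signs its ephemeral DH parameters
}


def decode_key_usage(der):
    """Decode a DER KeyUsage value (a BIT STRING, tag 0x03) into a set of names.

    Short-form length only; a KeyUsage value is at most a few bytes long.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (unused and not body):
        raise ValueError("bad unused-bits count")
    nbits = len(body) * 8 - unused
    names = set()
    for i, name in enumerate(KEY_USAGE_BITS):
        if i >= nbits:
            break
        if body[i // 8] & (0x80 >> (i % 8)):   # bit 0 is the MSB of the first byte
            names.add(name)
    return frozenset(names)


def permitted_kx(usage):
    """Key exchanges the certificate is eligible for under RFC 4346 section 7.4.2."""
    return frozenset(kx for kx, bit in KX_REQUIRED_BIT.items() if bit in usage)


def client_accepts(kx, usage):
    """The client-side check: the negotiated kx must match the certificate's usage."""
    return kx in permitted_kx(usage)


def server_selects(client_offer, server_enabled, usage, filter_by_cert):
    """Pick the first suite in the client's order that the server enables.

    Honouring the client's order is an assumption for illustration.  With
    filter_by_cert=True the server also drops suites its certificate cannot
    serve, which is the behaviour the thread expects of a correct server.
    """
    for kx in client_offer:
        if kx in server_enabled and (not filter_by_cert or kx in permitted_kx(usage)):
            return kx
    return None


def handshake(client_offer, server_enabled, usage_der, filter_by_cert=False):
    """Return (chosen kx, client accepted?); (None, False) if nothing matches."""
    usage = decode_key_usage(usage_der)
    kx = server_selects(client_offer, server_enabled, usage, filter_by_cert)
    if kx is None:
        return None, False
    return kx, client_accepts(kx, usage)


# Constructed sample values; not the reporter's real certificate or configs.
GNUTLS_DEFAULT = ("DHE_RSA", "RSA")        # GnuTLS client: DHE preferred
PERFORMANCE = ("RSA", "DHE_RSA")           # OpenSSL-like order / GnuTLS "PERFORMANCE"
SENDMAIL_KEDH_ON = frozenset({"RSA", "DHE_RSA"})
SENDMAIL_KEDH_OFF = frozenset({"RSA"})
KU_ENC_ONLY = bytes.fromhex("03020520")    # keyEncipherment only (the failing cert)
KU_SIG_ENC = bytes.fromhex("030205a0")     # digitalSignature + keyEncipherment

if __name__ == "__main__":
    print("report as filed:    ", handshake(GNUTLS_DEFAULT, SENDMAIL_KEDH_ON, KU_ENC_ONLY))
    print("kEDH off (option 1):", handshake(GNUTLS_DEFAULT, SENDMAIL_KEDH_OFF, KU_ENC_ONLY))
    print("new cert (option 2):", handshake(GNUTLS_DEFAULT, SENDMAIL_KEDH_ON, KU_SIG_ENC))
    print("server filters (3): ", handshake(GNUTLS_DEFAULT, SENDMAIL_KEDH_ON, KU_ENC_ONLY, True))
    print("PERFORMANCE (4):    ", handshake(PERFORMANCE, SENDMAIL_KEDH_ON, KU_ENC_ONLY))
```

The first scenario reproduces the report: the server picks DHE_RSA from a DHE-first offer, and only then does the client learn the certificate lacks digitalSignature, so the client-side check fails after the suite is already fixed. Each of Simon's four options makes the same run succeed by changing a different input. On a real certificate the Key Usage line that feeds `decode_key_usage` can be read with `certtool -i` or `openssl x509 -text -noout`.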




Removed annotation that Bug had been forwarded to http://trac.gnutls.org/cgi-bin/trac.cgi/ticket/39. Request was from Simon Josefsson <simon@josefsson.org> to control@bugs.debian.org. (Thu, 11 Jun 2009 09:09:07 GMT)

Tags added: wontfix. Request was from Simon Josefsson <simon@josefsson.org> to control@bugs.debian.org. (Thu, 11 Jun 2009 09:18:07 GMT)

Severity set to `normal' from `wishlist'. Request was from Simon Josefsson <simon@josefsson.org> to control@bugs.debian.org. (Wed, 22 Jul 2009 22:06:05 GMT)

Changed Bug submitter to '"brian m. carlson" <sandals@crustytoothpaste.net>' from '"brian m. carlson" <sandals@crustytoothpaste.ath.cx>'. Request was from "brian m. carlson" <sandals@crustytoothpaste.net> to control@bugs.debian.org. (Thu, 03 Feb 2011 20:51:27 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 23 17:45:08 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.