Debian Bug report logs - #578663
libapache2-mod-gnutls: GnuTLSClientVerify require is ignored.

Display info messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Emmanuel Le Trong <emmanuel.le-trong@cnrs-orleans.fr>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libapache2-mod-gnutls: GnuTLSClientVerify require is ignored.

Date: Wed, 21 Apr 2010 18:05:58 +0200

Package: libapache2-mod-gnutls
Version: 0.5.6-1
Severity: normal


This is a known bug, a patch exists at the author's issue-tracking system: http://issues.outoforder.cc/view.php?id=93

Quoting from this source: "Despite having set "GnuTLSClientVerify require" in my Apache config, the server doesn't request client certificates from the browser, but lets it in without certificates."

AFAIK version 0.5.1 (lenny) is also affected. 




-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-3-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-gnutls depends on:
ii  libc6                         2.10.2-6   Embedded GNU C Library: Shared lib
ii  libgnutls26                   2.8.6-1    the GNU TLS library - runtime libr

libapache2-mod-gnutls recommends no packages.

libapache2-mod-gnutls suggests no packages.

-- no debconf information

Message #10 received at 578663@bugs.debian.org (full text, mbox, reply):

From: Thomas Klute <thomas2.klute@uni-dortmund.de>

To: 578663@bugs.debian.org

Subject: Re: libapache2-mod-gnutls: GnuTLSClientVerify require is ignored.

Date: Tue, 17 Feb 2015 15:53:17 +0100

[Message part 1 (text/plain, inline)]

Package: libapache2-mod-gnutls
Version: 0.5.10-1.1
Followup-For: Bug #578663

This bug still exists in current stable and unstable packages. I have
analyzed the problem and found that the authentication hook
(mgs_hook_authz) failed to consider the server's client verify mode,
even if the verify mode was unset in the directory configuration. As a
result, invalid certificates were ignored and clients could connect and
receive data as long as they presented any certificate whatsoever. The
logs show that the certificate was recognized as invalid, but the
request is still served.

[debug] gnutls_hooks.c(1181): [client 127.0.0.1] GnuTLS: A Chain of 1
certificate(s) was provided for validation
[debug] gnutls_hooks.c(1236): [client 127.0.0.1] GnuTLS: Verifying list
of  1 certificate(s)
[info] [client 127.0.0.1] GnuTLS: Could not find Signer for Peer Certificate
[info] [client 127.0.0.1] GnuTLS: Peer Certificate is invalid.

The attached patch applies to the version in stable, commit
5a8a32bbfb8a83fe6358c5c31c443325a7775fc2 in my git repository [1] should
work for the unstable version. Functionally, they are identical, but
apparently indentation changed between the two versions.

Since this bug makes required TLS client auth effectively worthless, I
consider it a security issue.

[1]
https://github.com/airtower-luna/mod_gnutls/commit/5a8a32bbfb8a83fe6358c5c31c443325a7775fc2

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libapache2-mod-gnutls depends on:
ii  libapr-memcache0  0.7.0-1
ii  libc6             2.13-38+deb7u7
ii  libgnutls26       2.12.20-8+deb7u2

libapache2-mod-gnutls recommends no packages.

libapache2-mod-gnutls suggests no packages.

-- Configuration Files:
/etc/apache2/sites-available/default-tls changed [not included]

-- no debconf information

[0001-TLS-Client-auth-Check-server-verify-mode-if-unset-fo.patch (text/x-patch, attachment)]

Message #17 received at 578663-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Klute <thomas2.klute@uni-dortmund.de>

To: 578663-close@bugs.debian.org

Subject: Bug#578663: fixed in mod-gnutls 0.6-1.3

Date: Sun, 22 Feb 2015 15:21:19 +0000

Source: mod-gnutls
Source-Version: 0.6-1.3

We believe that the bug you reported is fixed in the latest version of
mod-gnutls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 578663@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Klute <thomas2.klute@uni-dortmund.de> (supplier of updated mod-gnutls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 20 Feb 2015 19:01:54 +0100
Source: mod-gnutls
Binary: libapache2-mod-gnutls
Architecture: source amd64
Version: 0.6-1.3
Distribution: unstable
Urgency: medium
Maintainer: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Changed-By: Thomas Klute <thomas2.klute@uni-dortmund.de>
Description:
 libapache2-mod-gnutls - Apache module for SSL and TLS encryption with GnuTLS
Closes: 578663
Changes:
 mod-gnutls (0.6-1.3) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Fix "GnuTLSClientVerify require is ignored", check server wide
     GnuTLSClientVerify if not set for directory (Closes: #578663)
Checksums-Sha1:
 0a7e6702c608c035b4133da36be76fcf6268ae62 1639 mod-gnutls_0.6-1.3.dsc
 47f84be9d14ed8a43a3455b6f91c9732ba30b31f 19176 mod-gnutls_0.6-1.3.debian.tar.xz
 92912bc04cf0eebff1847dd5ed3ce80c1efd7ab5 46088 libapache2-mod-gnutls_0.6-1.3_amd64.deb
Checksums-Sha256:
 4e8b6c499007cd6ec77c8030361b780d2258865a669ffef51c9d1fc19b5c7b44 1639 mod-gnutls_0.6-1.3.dsc
 098c262972e49a8d35a21c804c86e5d7967a50d7731fd51ecb4f7ac84825beab 19176 mod-gnutls_0.6-1.3.debian.tar.xz
 77638cf280d3f859c6272425b875dec3489fbf10c641dd4a3a1b3194eb8849b9 46088 libapache2-mod-gnutls_0.6-1.3_amd64.deb
Files:
 9b3cebda86f1fc973d3472dfc8707ce6 1639 httpd extra mod-gnutls_0.6-1.3.dsc
 3a94bc456970c68638a92a3a46589929 19176 httpd extra mod-gnutls_0.6-1.3.debian.tar.xz
 85ae0677d587a55b650783eccbadd33f 46088 httpd extra libapache2-mod-gnutls_0.6-1.3_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJU6fG9AAoJEBC+iYPz1Z1k4XsH/0g1S0OJKAK9lrVKUWy5Ov75
bSKFFycWe/7vWTOT3/qFblKNariPLsa9y4DF2edhiTpCDU8OwqIGhD9Lhy41Ny5m
iX+4cLLqR/EjRUv7SfZ6+Kub8yQwTstXmjMmB51lNJsFTSE++C0ttwjZTTaL3YTB
VZpUzTj4e+TF6ZOwqPgpBjFwl57Om+LZ3BoXlBs/zQGZnYNDTFaHigZ6sU9XwYzn
Ief6jGBVE7rQmJS+qmZMrsBesl8EuqH0KM+l5yb/0Pi9m6h9JlqL2U9KA0yQ+1LA
r0/PZxBbS/8JNwASb1Z2L/Ek3QB7vHFbeqorasYikVsRlWiSyCFxoRIflZLNd7s=
=fcwH
-----END PGP SIGNATURE-----

Message #22 received at 578663@bugs.debian.org (full text, mbox, reply):

From: Raphael Hertzog <hertzog@debian.org>

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Thomas Klute <thomas2.klute@uni-dortmund.de>

Cc: debian-lts@lists.debian.org, 578663@bugs.debian.org

Subject: squeeze update of mod-gnutls?

Date: Tue, 24 Feb 2015 18:10:46 +0100

Hello dear maintainer(s),

the Debian LTS team would like to fix the security issues which are
currently open in the Squeeze version of mod-gnutls:
https://security-tracker.debian.org/tracker/source-package/mod-gnutls

Would you like to take care of this yourself? We are still understaffed so
any help is always highly appreciated.

If yes, please follow the workflow we have defined here:
http://wiki.debian.org/LTS/Development

If that workflow is a burden to you, feel free to just prepare an
updated source package and send it to debian-lts@lists.debian.org
(via a debdiff, or with an URL pointing to the the source package,
or even with a pointer to your packaging repository), and the members
of the LTS team will take care of the rest. Indicate clearly whether you
have tested the updated package or not.

If you don't want to take care of this update, it's not a problem, we
will do our best with your package. Just let us know whether you would
like to review and/or test the updated package before it gets released.

Thank you very much.

Raphaël Hertzog,
  on behalf of the Debian LTS team.

PS: A member of the LTS team might start working on this update at
any point in time. You can verify whether someone is registered
on this update in this file:
https://anonscm.debian.org/viewvc/secure-testing/data/dla-needed.txt?view=markup
-- 
Raphaël Hertzog ◈ Debian Developer

Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/

Message #27 received at 578663-close@bugs.debian.org (full text, mbox, reply):

From: Thomas Klute <thomas2.klute@uni-dortmund.de>

To: 578663-close@bugs.debian.org

Subject: Bug#578663: fixed in mod-gnutls 0.5.10-1.1+deb7u1

Date: Wed, 11 Mar 2015 22:47:10 +0000

Source: mod-gnutls
Source-Version: 0.5.10-1.1+deb7u1

We believe that the bug you reported is fixed in the latest version of
mod-gnutls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 578663@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Klute <thomas2.klute@uni-dortmund.de> (supplier of updated mod-gnutls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 21 Feb 2015 22:04:59 +0100
Source: mod-gnutls
Binary: libapache2-mod-gnutls
Architecture: source amd64
Version: 0.5.10-1.1+deb7u1
Distribution: wheezy-security
Urgency: high
Maintainer: Jack Bates <ms419@freezone.co.uk>
Changed-By: Thomas Klute <thomas2.klute@uni-dortmund.de>
Description: 
 libapache2-mod-gnutls - Apache module for SSL and TLS encryption with GnuTLS
Closes: 578663
Changes: 
 mod-gnutls (0.5.10-1.1+deb7u1) wheezy-security; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix "GnuTLSClientVerify require is ignored", check server wide
     GnuTLSClientVerify if not set for directory (Closes: #578663)
Checksums-Sha1: 
 2f6938e9d4bb7f99d125e860b92579dd80b12639 1658 mod-gnutls_0.5.10-1.1+deb7u1.dsc
 4c341668f727b939af5d382ccabc5b5568bcfcad 245958 mod-gnutls_0.5.10.orig.tar.bz2
 e28bd4e4ec749d475b6ce84107166bd7092368d8 4563 mod-gnutls_0.5.10-1.1+deb7u1.debian.tar.gz
 4e424da00ed04e2b3bb3992c4e66fe4fd6715b87 32088 libapache2-mod-gnutls_0.5.10-1.1+deb7u1_amd64.deb
Checksums-Sha256: 
 50e9db4066d16cc1a90549a43b69cc5b324cc42936c8c6fb9d06107d88dcbc69 1658 mod-gnutls_0.5.10-1.1+deb7u1.dsc
 469fea5f2f422c459b4153c1b959d5d62568d3ddf87f90ca6fe880c81b3b8374 245958 mod-gnutls_0.5.10.orig.tar.bz2
 6db746b8b8b7fb565e7c8bc96282a03794477956ebe1f7f3a02861c9830be0b9 4563 mod-gnutls_0.5.10-1.1+deb7u1.debian.tar.gz
 dcded73029a6c772bb6db873ce6c9bd8e837aa8c7a516315b8fde057575c1c5b 32088 libapache2-mod-gnutls_0.5.10-1.1+deb7u1_amd64.deb
Files: 
 fe2ce8ade2f3946b99af2a910a312030 1658 httpd extra mod-gnutls_0.5.10-1.1+deb7u1.dsc
 53fd571080b16333d3a4550b8477bf3c 245958 httpd extra mod-gnutls_0.5.10.orig.tar.bz2
 2d518125e8ca0582f71b42b68f125514 4563 httpd extra mod-gnutls_0.5.10-1.1+deb7u1.debian.tar.gz
 04bba164d78fdf8a66f5e072ce7bdf50 32088 httpd extra libapache2-mod-gnutls_0.5.10-1.1+deb7u1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJU6gTyAAoJEBC+iYPz1Z1kM7kH/1wWytg+9vZwxgV6Y3Z8uDsa
F1OJ5xzKBh5KIqR0zrfuaUqfBqvXzhj/LUmBlbiILPa0eJXX+runwkFYfVpQ6Rej
R3hpzzqnyEjMAw57xCEpsYsDrLdYWhQCry+JG7fTtaIW2Qz6XQTNHg/Gy+KrOknZ
Rig5nLVqvVITFR64ifXFRJ8kaqwpua8gCay4HFIHqe9u67Nq1uHe5DiujP8J04ju
zkHIeuShArwa8wHjKI7wsiFhVuMcrBKgFkubG1zVLKr+Q1ub9cGZ4zaTkAzR0gQ4
2+JmODk+k/Zgj85wwBvGpgJu9v2xkLaV5AwPhg7cRy+mAVZQ5oa8kbDvZb5BMPk=
=/scz
-----END PGP SIGNATURE-----

Message #32 received at 578663-close@bugs.debian.org (full text, mbox, reply):

From: Thorsten Alteholz <debian@alteholz.de>

To: 578663-close@bugs.debian.org

Subject: Bug#578663: fixed in mod-gnutls 0.5.6-1+squeeze2

Date: Sat, 14 Mar 2015 16:19:09 +0000

Source: mod-gnutls
Source-Version: 0.5.6-1+squeeze2

We believe that the bug you reported is fixed in the latest version of
mod-gnutls, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 578663@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated mod-gnutls package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 14 Mar 2015 15:04:59 +0100
Source: mod-gnutls
Binary: libapache2-mod-gnutls
Architecture: source i386
Version: 0.5.6-1+squeeze2
Distribution: squeeze-lts
Urgency: high
Maintainer: Jack Bates <ms419@freezone.co.uk>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Description: 
 libapache2-mod-gnutls - Apache module for SSL and TLS encryption with GnuTLS
Closes: 578663
Changes: 
 mod-gnutls (0.5.6-1+squeeze2) squeeze-lts; urgency=high
 .
   * Non-maintainer upload by the Squeeze LTS Team.
   * Fix "GnuTLSClientVerify require is ignored", check server wide
     GnuTLSClientVerify if not set for directory (Closes: #578663)
Checksums-Sha1: 
 64741b3a1589157eddc779475baad09890de90a0 1761 mod-gnutls_0.5.6-1+squeeze2.dsc
 5ebc8db4c3d5a45d3480d823e88b9365dfe7b169 328850 mod-gnutls_0.5.6-1+squeeze2.tar.gz
 db79fbffcbeff441ebe7ef2eb593d538fc07b0ca 28012 libapache2-mod-gnutls_0.5.6-1+squeeze2_i386.deb
Checksums-Sha256: 
 5ca917ee10bc4cb0249ab79cf86a9bb2960e3432fb94e01f92d8d4ad5238ad6c 1761 mod-gnutls_0.5.6-1+squeeze2.dsc
 6b176caae42a0454738cd0da3fb126d2dafd06ddba04ec66811e6a04a65b3b3d 328850 mod-gnutls_0.5.6-1+squeeze2.tar.gz
 4a26075fe1d006350c2c783e537c1a2811f3cc5e64b486f456f8699c5e8dec45 28012 libapache2-mod-gnutls_0.5.6-1+squeeze2_i386.deb
Files: 
 cfd70a2f86f10371451c18d7624b9023 1761 httpd extra mod-gnutls_0.5.6-1+squeeze2.dsc
 403e0d506682dc9e77af9bc76eb8d906 328850 httpd extra mod-gnutls_0.5.6-1+squeeze2.tar.gz
 603759e5db9d58d0d250daafd00b5e03 28012 httpd extra libapache2-mod-gnutls_0.5.6-1+squeeze2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQJ8BAEBCgBmBQJVBF47XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2MjAxRkJGRkRCQkRFMDc4MjJFQUJCOTY5
NkZDQUMwRDM4N0I1ODQ3AAoJEJb8rA04e1hHzegP/AiQAFWSKgESoEI0Uc+9SYI8
YEkM5LjYGkHJgWXVjTu/+ZIZnIlPui6VtTBtp0JsbDy18SKUNiPoHzXGNsK4UAU+
PzVsEm6IqiEPgAabiIXYvbyqhclbyG8Efd0XB1S3hYceG82ytc9zH63DWERJR1IO
WPp68GZyE6wO34r0CeLvTuahxjbeByvZA4POKwwALHpiqT2dghYruxOsA3HK0yG8
7R277bOem+brpmj8m7vp/AuE3X/AodsDm46zyrfel3VDUBJ5dg41YGugg4Rp6VSa
zY9tdyzI52IqFQGK2fn8UEj2Af5Wnvw52GtSlmq+ekLCv+J/YAURLyvrwlH4qz6P
XDpyzkKtGPxEE3z/UmLcu2vKR5V/2ucCPVrlcUt8F0R4nZSSxBu4Mp+/yc3wOzVA
D4/yogBWqSLVyw0DOKN2OEdP/7ARn2C5qcI/sEkBtLliMuX8WqJnanByK91M7/At
vIAXmqF+FtdV4ezFbV300C85zEExeEaa4kpx0rqMMCflhf0wec+RPFK8UJ3QoXNo
oEXKJ9mAFHDG65h6qksrYPX5fniZ/nR8UXcB9GPkGS1Vzmz0M6hA1EEf3vG0hyz5
EUs6E3GjrIr+T6w+bp4Ul1xIh6Q7pxXZ+oPEeD/cAKuZubJMS6v986v93G/5OPun
ZNm4sdd/j8HIFq5biCWw
=O20n
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.