Bug#525962: libgnutls26 makes apt-transport-https fail with ssl key/cert client authentication
Simon Josefsson
simon at josefsson.org
Thu Jun 11 13:44:47 UTC 2009

Marco Amadori <amadorim at vdavda.com> writes:

>> Apache with mod_ssl or mod_gnutls?
>
> I'm sorry, I meant apache2-mpm-worker 2.2.9-10lenny2:
>
> # ldd /usr/sbin/apache2 | grep ssl
> libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x00007f140f9ec000)
> # ldd /usr/sbin/apache2 | grep tls
> libgnutls.so.26 => /usr/lib/libgnutls.so.26 (0x00007fe71c421000)

But what is your configuration for that particular apache virtual host?
If you use mod_gnutls it looks like:

  GnuTLSEnable on

If you use mod_ssl it looks like:

  SSLEngine on

>> Could you also generate a similar log for gnutls 2.6.x that works?
>
> Done, attached.

Thanks.

It seems clear that the v2.4.x client fails because of this:

  |<2>| ASSERT: gnutls_cipher.c:514
  |<4>| REC[942b510]: Short record length 10 > 16 - 20 (under attack?)

However this code has not changed compared to 2.6.x or even 2.8.x, so I
am not sure what happens.

Can you reproduce the problem using
'gnutls-cli your.host -p 443 -d 4711' plus the various X.509 parameters
for the client key/cert? If so, please post that log, it may be easier
to parse, for both v2.4.x and v2.6.x.

/Simon