Problems with specific certificate/key (Debian Bug #426013)

Simon Josefsson simon at
Fri Jan 4 12:27:50 CET 2008

Marc Haber <mh+gnutls-devel at> writes:

> Hi,
> Simon Josefsson has suggested to me (a member of the maintainer team
> for Exim's packages for the Debian Operating System) that it might be
> a good idea to move a technical debate from our blogs
> (,
> to gnutls-devel as this list is a better medium for archived discussion.
> I'll send a dedicated mail for each of Debian's bug reports, so that
> the threads are not going to intermix.
> Debian Bug #426013,
> =================================================
> Simon writes:
>> Appears to be an unreproducible problem with a specific
>> certificate/key which the user cannot reveal. Another certificate/key
>> from the same CA works fine. Theory: could it be CRLF problems? Other
>> non-ASCII characters in the file? Nothing indicates a real GnuTLS
>> problem here.
>> Conclusion: Likely not a GnuTLS problem.
> I think that this conclusion was built too fast, but we do not have
> sufficient information to know this.
> The original reporter has said in the mean time that there are no
> non-ascii chars in the file and that there are no CRLF issues here.
> Currently, it is suspected that GnuTLS has issues with the fact that
> the certificate is a wildcard certificate.

The error message 'base64 decoding' error suggests decoding fails early
-- before gnutls has a chance of knowing whether it is a wildcard
certificate or not.  So I believe that conclusion is most likely wrong.
The code in question in exim4 is:

if (cert_expanded != NULL)
  {
  DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
    cert_expanded, key_expanded);
  rc = gnutls_certificate_set_x509_key_file(x509_cred, CS cert_expanded,
    CS key_expanded, GNUTLS_X509_FMT_PEM);
  if (rc < 0)
    {
    uschar *msg = string_sprintf("cert/key setup: cert=%s key=%s",
      cert_expanded, key_expanded);
    return tls_error(msg, host, rc);
    }
  }

Note how the error message in the report subtly differs from what's in
the source code (s/setup/set up/), which seems strange but may be due to
I have asked the original submitter a few questions in the bug report.
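As an added illustration of the ordering argument above (this is example code written for this page, not code from the bug report, from Exim or from GnuTLS), the following Python script walks a PEM file through the stages any loader has to pass before it can interpret certificate contents: byte encoding, armor lines, base64 body, and only then the DER structure. The sample files are constructed here; the certificate bodies are small arbitrary DER values, not real certificates, and the CRLF handling is reported as a warning only because this example makes no claim about how GnuTLS itself treats CRLF.

```python
import base64
import binascii
import re

# Matches one "-----BEGIN X-----" ... "-----END X-----" block with the same label X.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def check_pem(data: bytes) -> dict:
    """Return the first stage at which a PEM file fails to load, or 'ok'.

    Stages are checked in the order a loader must check them:
    'encoding' -> 'armor' -> 'base64' -> 'der'. Certificate *contents*
    (subject CN, SAN, wildcards) are never looked at before 'der' passes.
    """
    warnings = []

    # Stage 1: the file must be plain ASCII. Non-ASCII bytes usually come from
    # copy/paste through editors, mail clients or a non-breaking space.
    bad = [i for i, b in enumerate(data)
           if b > 0x7E or (b < 0x20 and b not in b"\r\n\t")]
    if bad:
        return {"stage": "encoding",
                "detail": f"non-ASCII/control byte at offset {bad[0]}",
                "warnings": warnings}
    if b"\r\n" in data:
        warnings.append("CRLF line endings")

    # Stage 2: BEGIN/END armor lines must pair up with matching labels.
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return {"stage": "armor", "detail": "no matching BEGIN/END pair",
                "warnings": warnings}

    labels = []
    for label, body in blocks:
        compact = re.sub(rb"\s+", b"", body)
        # Stage 3: strict base64. A stray character or a truncated body fails
        # here, before a single byte of the certificate has been interpreted.
        try:
            der = base64.b64decode(compact, validate=True)
        except binascii.Error as e:
            return {"stage": "base64", "detail": f"{label.decode()}: {e}",
                    "warnings": warnings}
        # Stage 4: the decoded bytes must at least start an ASN.1 SEQUENCE (0x30).
        if not der or der[0] != 0x30:
            first = f"0x{der[0]:02x}" if der else "nothing"
            return {"stage": "der",
                    "detail": f"{label.decode()}: first byte {first} is not SEQUENCE",
                    "warnings": warnings}
        labels.append(label.decode())

    return {"stage": "ok", "detail": f"{len(labels)} block(s) decoded",
            "warnings": warnings, "labels": labels}


def wrap(label: bytes, body: bytes) -> bytes:
    """Build a PEM block around an already base64-encoded body (constructed sample)."""
    return (b"-----BEGIN " + label + b"-----\n" + body + b"\n"
            + b"-----END " + label + b"-----\n")


# Constructed sample inputs. GOOD_DER is SEQUENCE { INTEGER 42 }, not a real cert.
GOOD_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x2A])
GOOD_BODY = base64.b64encode(GOOD_DER)                      # b"MAMCASo="
SAMPLE_OK = wrap(b"CERTIFICATE", GOOD_BODY) + wrap(b"RSA PRIVATE KEY", GOOD_BODY)
SAMPLE_STRAY = wrap(b"CERTIFICATE", b"MAMC*ASo=")           # stray non-base64 char
SAMPLE_TRUNC = wrap(b"CERTIFICATE", b"MAMCAS")              # body cut short
SAMPLE_NBSP = wrap(b"CERTIFICATE", GOOD_BODY + b"\xc2\xa0") # UTF-8 non-breaking space
SAMPLE_CRLF = SAMPLE_OK.replace(b"\n", b"\r\n")
SAMPLE_NOTDER = wrap(b"CERTIFICATE", base64.b64encode(b"\x04\x00"))  # OCTET STRING, not SEQUENCE

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("stray", SAMPLE_STRAY),
                         ("trunc", SAMPLE_TRUNC), ("nbsp", SAMPLE_NBSP),
                         ("crlf", SAMPLE_CRLF), ("notder", SAMPLE_NOTDER)]:
        print(name, check_pem(sample))
```

Running it on a real cert/key pair (read the files as bytes and call check_pem) tells you which stage a "base64 decoding error" corresponds to; a wildcard in the subject can only be seen after all four stages pass, which is why it cannot be the cause of a failure reported at the base64 stage.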

