iDevice GnuTLS issue with iOS 4.2 - libimobiledevice
Nikias Bassen
nikias at gmx.li
Fri Nov 26 21:39:29 CET 2010
Hi,
On Wed, 24 Nov 2010 12:17:49 +0100
Nikos Mavrogiannopoulos <nmav at gnutls.org> wrote:
> On Wed, Nov 24, 2010 at 11:05 AM, Nikias Bassen <nikias at gmx.li> wrote:
> >> > if (SSL_CTX_use_certificate_file(ssl_ctx,
> >> > "/path/to/certificate.pem",
> >> > SSL_FILETYPE_PEM) != 1) {
> >> > debug_info("WARNING: Could not load RootCertificate");
> >> > }
> >> > if (SSL_CTX_use_RSAPrivateKey_file(ssl_ctx,
> >> > "/path/to/privatekey.pem",
> >> > SSL_FILETYPE_PEM) != 1) {
> >> > debug_info("WARNING: Could not load RootPrivateKey");
> >> > }
> >> > What is the equivalent to this when using gnutls?
> >> Check gnutls_certificate_set_x509_key_file() and the examples in the
> >> gnutls manual.
> > These functions are intended for the server, right? Remember we are on the
> > client side. Does that make any difference?
>
> No. They are functions for the one that wants to use certificate (it can be
> either server or client). The only distinction between server and client in
> gnutls is being done in gnutls_init(). Most of the other functions are
> applicable to both unless they mention otherwise in the description.
I made dumps with OpenSSL (succeeding) and GnuTLS (failing) and found out that
the GnuTLS code fails because it can't find a certificate. It sends the
following packet to the device, instead of the certificate (like openssl does)
ssl_write(7) {
    15     -- Alert
    03 00  -- SSL3.0
    00 02  -- Length
    01     -- Warning
    29     -- No Certificate
}
And this is why it fails, since the device wants to verify the peer (this
is new in iOS 4.2).
However, I set the certificate (and private key) with
gnutls_certificate_set_x509_key_file() with GNUTLS_X509_FMT_PEM:
[...]
char *rootcert = g_build_path(G_DIR_SEPARATOR_S,
                              g_get_user_config_dir(),
                              "libimobiledevice", "RootCertificate.pem", NULL);
char *rootpkey = g_build_path(G_DIR_SEPARATOR_S,
                              g_get_user_config_dir(),
                              "libimobiledevice", "RootPrivateKey.pem", NULL);
// the paths are ok, double checked it. And OpenSSL is happy with them too.
[...]
gnutls_global_init();
gnutls_certificate_allocate_credentials(&ssl_data_loc->certificate);
int res = gnutls_certificate_set_x509_key_file(ssl_data_loc->certificate,
                                               rootcert, rootpkey,
                                               GNUTLS_X509_FMT_PEM);
printf("res=%d\n", res); // <-- returns 0
gnutls_init(&ssl_data_loc->session, GNUTLS_CLIENT);
{
    int protocol_priority[16] = { GNUTLS_SSL3, 0 };
    int kx_priority[16] = { GNUTLS_KX_ANON_DH, GNUTLS_KX_RSA, 0 };
    int cipher_priority[16] = { GNUTLS_CIPHER_AES_256_CBC, 0 };
    int mac_priority[16] = { GNUTLS_MAC_SHA1, GNUTLS_MAC_MD5, 0 };
    int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
    gnutls_cipher_set_priority(ssl_data_loc->session, cipher_priority);
    gnutls_compression_set_priority(ssl_data_loc->session, comp_priority);
    gnutls_kx_set_priority(ssl_data_loc->session, kx_priority);
    gnutls_protocol_set_priority(ssl_data_loc->session, protocol_priority);
    gnutls_mac_set_priority(ssl_data_loc->session, mac_priority);
}
gnutls_credentials_set(ssl_data_loc->session, GNUTLS_CRD_CERTIFICATE,
                       ssl_data_loc->certificate);
[...]
Both files are in .pem format. Is this correct, and if so, is there any way
to debug this issue?
Greetings
Nikias
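The record dump quoted in the mail (15 03 00 00 02 01 29) can be read off without a protocol analyzer with a small record parser. This is an added example, not code from the mail or from libimobiledevice; it generalizes to a stream of several records and flags the SSL 3.0 no_certificate warning, which is the symptom the mail describes. The byte strings are constructed from the dump.

```python
import struct

# Added example: parse TLS record framing and decode alert records.
CONTENT_TYPES = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of AlertDescription values. 41 (no_certificate) exists only in SSL 3.0;
# a TLS 1.0+ client answers a CertificateRequest it cannot satisfy with an
# empty Certificate message instead of this alert.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
                      40: "handshake_failure", 41: "no_certificate",
                      42: "bad_certificate", 48: "unknown_ca", 70: "protocol_version"}

def parse_alert(body: bytes) -> dict:
    """Decode a 2-byte alert body (level, description)."""
    if len(body) != 2:
        raise ValueError(f"alert body must be 2 bytes, got {len(body)}")
    level, desc = body
    return {"level": ALERT_LEVELS.get(level, f"unknown({level})"),
            "description": ALERT_DESCRIPTIONS.get(desc, f"unknown({desc})")}

def parse_records(data: bytes) -> list:
    """Split a byte stream into TLS records (5-byte header + body).
    A truncated record raises ValueError so a half-captured dump is
    reported instead of silently misread."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError(f"truncated record header at offset {off}")
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) != length:
            raise ValueError(f"record at offset {off} claims {length} bytes, got {len(body)}")
        rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
               "version": VERSIONS.get((major, minor), f"unknown({major}.{minor})"),
               "length": length, "body": body}
        if ctype == 21:
            rec["alert"] = parse_alert(body)
        records.append(rec)
        off += 5 + length
    return records

def client_declined_certificate(records: list) -> bool:
    """True when the stream carries the SSL 3.0 warning alert no_certificate,
    i.e. the client had no certificate to offer for the CertificateRequest."""
    return any(r.get("alert") == {"level": "warning", "description": "no_certificate"}
               for r in records)

# Constructed from the dump in the mail: 15 03 00 00 02 01 29
DUMP = bytes.fromhex("15030000020129")

if __name__ == "__main__":
    for r in parse_records(DUMP):
        print(r["type"], r["version"], r.get("alert"))
```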