[gnutls-devel] Regression in gnutls-3.2.2: server accepts clients without a certificate

Petr Pisar petr.pisar at atlas.cz
Wed Aug 28 22:18:29 CEST 2013 

Hello,

I've found a regression between 3.2.1 and 3.2.2. `gnutls-serv -r' used to
refuse TLS clients without a valid certificate, this is not true in GnuTLS
3.2.2 anymore.

I tried to find the faulty commit in git tree, but server compiled from the
git tag gnutls_3_2_1 behaves differently then the one from 3.2.1 tar ball.

I observe the regression with my application that uses GnuTLS library too.

petr at album:~/gnutls-3.2.1/src $ ./gnutls-serv --http --x509cafile ~/projekty/libisds/libisds-devel/server/tls/ca.cert --x509keyfile ~/projekty/libisds/libisds-devel/server/tls/server.key --x509certfile ~/projekty/libisds/libisds-devel/server/tls/server.cert -p 1443 -r
Set static Diffie-Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server listening on IPv4 0.0.0.0 port 1443...done
HTTP Server listening on IPv6 :: port 1443...done

* Accepted connection from IPv4 127.0.0.1 port 38986 on Wed Aug 28 22:10:50 2013
Error in handshake
Error: No certificate was found.


petr at album:~/gnutls-3.2.2/src $ ./gnutls-serv --http --x509cafile ~/projekty/libisds/libisds-devel/server/tls/ca.cert --x509keyfile ~/projekty/libisds/libisds-devel/server/tls/server.key --x509certfile ~/projekty/libisds/libisds-devel/server/tls/server.cert -p 1443 -r
Set static Diffie-Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server listening on IPv4 0.0.0.0 port 1443...done
HTTP Server listening on IPv6 :: port 1443...done

* Accepted connection from IPv4 127.0.0.1 port 38997 on Wed Aug 28 22:11:58 2013

* Successful handshake from IPv4 127.0.0.1 port 38997
- Description: (TLS1.2-PKIX)-(ECDHE-RSA-SECP521R1)-(AES-256-GCM)-(AEAD)
- Session ID: D6:31:F4:FF:98:48:81:E5:4D:E7:F3:5B:8C:84:59:90:A5:9A:0E:49:B7:F7:3B:C6:A8:EE:40:45:A9:56:E0:82
No certificates found!
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP521R1
 - Curve size: 528 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA512
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Channel binding 'tls-unique': 2cd27becdddd69e754b4686c
- Peer did not send any certificate.


And the connection remains established.

For information, the git tag gnutls_3_2_1 output is:

petr at album:~/gnutls/src $ git describe --long
gnutls_3_2_1-0-g34ce019
petr at album:~/gnutls/src $ ./gnutls-serv --http --x509cafile ~/projekty/libisds/libisds-devel/server/tls/ca.cert --x509keyfile ~/projekty/libisds/libisds-devel/server/tls/server.key --x509certfile ~/projekty/libisds/libisds-devel/server/tls/server.cert -p 1443 -r
Set static Diffie-Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server listening on IPv4 0.0.0.0 port 1443...done
HTTP Server listening on IPv6 :: port 1443...done

* Accepted connection from IPv4 127.0.0.1 port 38998 on Wed Aug 28 22:15:01 2013
Error in handshake
Error: Could not negotiate a supported cipher suite.


And the connection gets closed.

I used `openssl s_client -connect localhost:1443' as a TLS client.

-- Petr
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 230 bytes
Desc: not available
URL: </pipermail/attachments/20130828/3bf08a59/attachment.sig>

More information about the Gnutls-devel mailing list