The relevant usage information of the client cert is:

|       |       subjectPublicKeyInfo
|       |       |       algorithm (rsaEncryption)
|       |       |       |       Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
|       |       |       Padding: 0
|       |       |       subjectPublicKey: ...
|       |       extensions: 4 items
|       |       |       Extension (id-ce-cRLDistributionPoints)
|       |       |       |       Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
|       |       |       |       CRLDistPointsSyntax: 1 item
|       |       |       Extension (id-ce-basicConstraints)
|       |       |       |       Extension Id: 2.5.29.19 (id-ce-basicConstraints)
|       |       |       |       BasicConstraintsSyntax [0 length]
|       |       |       Extension (id-ce-keyUsage)
|       |       |       |       Extension Id: 2.5.29.15 (id-ce-keyUsage)
|       |       |       |       Padding: 5
|       |       |       |       KeyUsage: e0 (digitalSignature, contentCommitment, keyEncipherment)
|       |       |       |       |       1... .... = digitalSignature: True
|       |       |       |       |       .1.. .... = contentCommitment: True
|       |       |       |       |       ..1. .... = keyEncipherment: True
|       |       |       |       |       ...0 .... = dataEncipherment: False
|       |       |       |       |       .... 0... = keyAgreement: False
|       |       |       |       |       .... .0.. = keyCertSign: False
|       |       |       |       |       .... ..0. = cRLSign: False
|       |       |       |       |       .... ...0 = encipherOnly: False
|       |       |       |       |       0... .... = decipherOnly: False
|       |       |       Extension (id-ce-extKeyUsage)
|       |       |       |       Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
|       |       |       |       KeyPurposeIDs: 1 item
|       |       |       |       |       KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
|       algorithmIdentifier (shaWithRSAEncryption)

 

I've also tested a key from startssl. Here it seems to work to submit the key. The relevant parts are:

|       |       |       |       |       |       subjectPublicKeyInfo
|       |       |       |       |       |       |       algorithm (rsaEncryption)
|       |       |       |       |       |       |       |       Algorithm Id: 1.2.840.113549.1.1.1 (rsaEncryption)
|       |       |       |       |       |       |       Padding: 0
|       |       |       |       |       |       |       subjectPublicKey: ...
|       |       |       |       |       |       extensions: 10 items
|       |       |       |       |       |       |       Extension (id-ce-basicConstraints)
|       |       |       |       |       |       |       |       Extension Id: 2.5.29.19 (id-ce-basicConstraints)
|       |       |       |       |       |       |       |       BasicConstraintsSyntax [0 length]
|       |       |       |       |       |       |       Extension (id-ce-keyUsage)
|       |       |       |       |       |       |       |       Extension Id: 2.5.29.15 (id-ce-keyUsage)
|       |       |       |       |       |       |       |       Padding: 4
|       |       |       |       |       |       |       |       KeyUsage: b0 (digitalSignature, keyEncipherment, dataEncipherment)
|       |       |       |       |       |       |       |       |       1... .... = digitalSignature: True
|       |       |       |       |       |       |       |       |       .0.. .... = contentCommitment: False
|       |       |       |       |       |       |       |       |       ..1. .... = keyEncipherment: True
|       |       |       |       |       |       |       |       |       ...1 .... = dataEncipherment: True
|       |       |       |       |       |       |       |       |       .... 0... = keyAgreement: False
|       |       |       |       |       |       |       |       |       .... .0.. = keyCertSign: False
|       |       |       |       |       |       |       |       |       .... ..0. = cRLSign: False
|       |       |       |       |       |       |       |       |       .... ...0 = encipherOnly: False
|       |       |       |       |       |       |       |       |       0... .... = decipherOnly: False
|       |       |       |       |       |       |       Extension (id-ce-extKeyUsage)
|       |       |       |       |       |       |       |       Extension Id: 2.5.29.37 (id-ce-extKeyUsage)
|       |       |       |       |       |       |       |       KeyPurposeIDs: 2 items
|       |       |       |       |       |       |       |       |       KeyPurposeId: 1.3.6.1.5.5.7.3.2 (id-kp-clientAuth)
|       |       |       |       |       |       |       |       |       KeyPurposeId: 1.3.6.1.5.5.7.3.4 (id-kp-emailProtection)
|       |       |       |       |       |       |       Extension (id-ce-subjectKeyIdentifier)
|       |       |       |       |       |       |       |       Extension Id: 2.5.29.14 (id-ce-subjectKeyIdentifier)
|       |       |       |       |       |       |       |       SubjectKeyIdentifier: bb5a39bb699ba8db7a1732e4c31342d2eb43ec0b
|       |       |       |       |       |       |       Extension (id-ce-authorityKeyIdentifier)
|       |       |       |       |       |       |       |       Extension Id: 2.5.29.35 (id-ce-authorityKeyIdentifier)
|       |       |       |       |       |       |       |       AuthorityKeyIdentifier
|       |       |       |       |       |       |       Extension (id-ce-subjectAltName)
|       |       |       |       |       |       |       |       Extension Id: 2.5.29.17 (id-ce-subjectAltName)
|       |       |       |       |       |       |       |       GeneralNames: 1 item
|       |       |       |       |       |       |       Extension (id-ce-certificatePolicies)
|       |       |       |       |       |       |       |       Extension Id: 2.5.29.32 (id-ce-certificatePolicies)
|       |       |       |       |       |       |       |       CertificatePoliciesSyntax: 1 item
|       |       |       |       |       |       |       Extension (id-ce-cRLDistributionPoints)
|       |       |       |       |       |       |       |       Extension Id: 2.5.29.31 (id-ce-cRLDistributionPoints)
|       |       |       |       |       |       |       |       CRLDistPointsSyntax: 1 item
|       |       |       |       |       |       |       Extension (id-pe-authorityInfoAccessSyntax)
|       |       |       |       |       |       |       |       Extension Id: 1.3.6.1.5.5.7.1.1 (id-pe-authorityInfoAccessSyntax)
|       |       |       |       |       |       |       |       AuthorityInfoAccessSyntax: 2 items
|       |       |       |       |       |       |       Extension (id-ce-issuerAltName)
|       |       |       |       |       |       |       |       Extension Id: 2.5.29.18 (id-ce-issuerAltName)
|       |       |       |       |       |       |       |       GeneralNames: 1 item
|       |       |       |       |       algorithmIdentifier (sha256WithRSAEncryption)
|       |       |       |       |       |       Algorithm Id: 1.2.840.113549.1.1.11 (sha256WithRSAEncryption)
|       |       |       |       |       Padding: 0


What catches my eye is that startssl disables contentCommitment and enables dataEncipherment. They also have an extra purpose: id-kp-emailProtection.

But these should not be relevant for client certificates when using HTTPS.
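
Added example, not part of the original message: the comparison above done mechanically, by decoding the DER KeyUsage BIT STRING of each certificate and diffing the flags and KeyPurposeIds. The byte strings are constructed from the Padding and KeyUsage values shown in the two dissections; the function names are hypothetical.

```python
# Added example: decode the DER KeyUsage BIT STRING and diff two certificates.
# RFC 5280 bit order: bit 0 is the most significant bit of the first octet.
KEY_USAGE_BITS = (
    "digitalSignature", "contentCommitment", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> set:
    """Return the flag names set in a DER-encoded KeyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, value = der[2], der[3:]  # "Padding" in the dissection = unused bits
    if unused > 7 or (unused and not value):
        raise ValueError("invalid unused-bits count")
    if value and value[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    nbits = len(value) * 8 - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS[:nbits])
            if value[i // 8] & (0x80 >> (i % 8))}

def diff(first: set, second: set) -> dict:
    """Items present in only one of the two sets."""
    return {"only_first": sorted(first - second),
            "only_second": sorted(second - first)}

# Constructed inputs: tag 0x03, length 2, then the Padding and KeyUsage
# octets shown in the two dissections.
CLIENT_KU = bytes([0x03, 0x02, 0x05, 0xE0])
STARTSSL_KU = bytes([0x03, 0x02, 0x04, 0xB0])
# KeyPurposeIds as listed in the two dissections.
CLIENT_EKU = {"1.3.6.1.5.5.7.3.2"}
STARTSSL_EKU = {"1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"}

def compare_certs() -> dict:
    """Diff KeyUsage flags and KeyPurposeIds of the two certificates."""
    return {
        "keyUsage": diff(decode_key_usage(CLIENT_KU),
                         decode_key_usage(STARTSSL_KU)),
        "extKeyUsage": diff(CLIENT_EKU, STARTSSL_EKU),
    }

if __name__ == "__main__":
    print(compare_certs())
```

decipherOnly is the ninth named bit, so it only appears when the BIT STRING carries a second value octet; in both dissections the value is a single octet and the flag is implicitly false.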

