Bug#402863: [Pkg-gnutls-maint] Bug#402863: gnutls server requests wrong DNs from the client
On 2007/01/04 20:19, James Westby <[EMAIL PROTECTED]> wrote:
> Do you have a strong desire for these patches to be in quickly/in
> the sid version? Note that I can't promise anything, but if you do
> then we can look into it. I also don't think they qualify for an
> update for etch at this point either.

Two of these three bugs are able to render libgnutls unusable for most real world applications (the third bug can be worked around). Therefore I suggest that you include bug fixes in the etch distribution.

However there is no need to hurry. I am already using my own patched packages; my problem is solved for now.

Max

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Bug#402863: [Pkg-gnutls-maint] Bug#402863: gnutls server requests wrong DNs from the client
On (04/01/07 09:21), Max Kellermann wrote:
> On 2006/12/17 21:10, James Westby <[EMAIL PROTECTED]> wrote:
> > Thanks for your work. I would like to see the response from upstream
> > before we make any decision for Debian. (Same for the other patch as
> > well.)
>
> Hi James,
>
> fyi, meanwhile Simon Josefsson has confirmed all three bug reports:
>
> http://lists.gnupg.org/pipermail/gnutls-dev/2006-December/001325.html
> http://lists.gnupg.org/pipermail/gnutls-dev/2006-December/001326.html
> http://lists.gnupg.org/pipermail/gnutls-dev/2006-December/001327.html
>

Thanks, I saw that. Normally we would just let these fixes in through the normal flow from upstream. They have just released a new stable version, which we are going to transition to after etch. I haven't looked at the CVS to see if these have been backported to the old stable branch that is in sid.

Do you have a strong desire for these patches to be in quickly/in the sid version? Note that I can't promise anything, but if you do then we can look into it. I also don't think they qualify for an update for etch at this point either.

Thanks,

James

--
James Westby -- GPG Key ID: B577FE13 -- http://jameswestby.net/
seccure key - (3+)k7|M*edCX/.A:n*N!>|&7U.L#9E)Tu)T0>AM - secp256r1/nistp256
Bug#402863: [Pkg-gnutls-maint] Bug#402863: gnutls server requests wrong DNs from the client
On 2006/12/17 21:10, James Westby <[EMAIL PROTECTED]> wrote:
> Thanks for your work. I would like to see the response from upstream
> before we make any decision for Debian. (Same for the other patch as
> well.)

Hi James,

fyi, meanwhile Simon Josefsson has confirmed all three bug reports:

http://lists.gnupg.org/pipermail/gnutls-dev/2006-December/001325.html
http://lists.gnupg.org/pipermail/gnutls-dev/2006-December/001326.html
http://lists.gnupg.org/pipermail/gnutls-dev/2006-December/001327.html

Max
Bug#402863: [Pkg-gnutls-maint] Bug#402863: gnutls server requests wrong DNs from the client
On (13/12/06 09:05), Max Kellermann wrote:
> Package: libgnutls13
> Version: 1.4.4-3
> Tags: patch
>
> When running a service which requests the client to authenticate
> itself with a client certificate, the gnutls server will send the
> wrong CA DNs to the client. This prevents the client from selecting
> the correct certificate.
>
> Instead of providing a list of trusted CA DNs, the gnutls server sends
> a list of their issuers. This violates the SSL protocol specification
> section 5.6.4.
>
> In the most basic setups (in which gnutls might have been tested?),
> this is not a problem, since the client certificate is signed by the
> self-signed root CA, which is by definition its own issuer. In a
> complex real world setup, however, client authentication will not
> work.
>
> I have reported this problem to upstream yesterday:
>
> http://lists.gnupg.org/pipermail/gnutls-dev/2006-December/001313.html
>

Hi,

Thanks for your work. I would like to see the response from upstream before we make any decision for Debian. (Same for the other patch as well.)

I just wanted to let you know your patches weren't being ignored.

Thanks,

James

--
James Westby -- GPG Key ID: B577FE13 -- http://jameswestby.net/
seccure key - (3+)k7|M*edCX/.A:n*N!>|&7U.L#9E)Tu)T0>AM - secp256r1/nistp256
Bug#402863: gnutls server requests wrong DNs from the client
Package: libgnutls13
Version: 1.4.4-3
Tags: patch

When running a service which requests the client to authenticate itself with a client certificate, the gnutls server will send the wrong CA DNs to the client. This prevents the client from selecting the correct certificate.

Instead of providing a list of trusted CA DNs, the gnutls server sends a list of their issuers. This violates the SSL protocol specification section 5.6.4.

In the most basic setups (in which gnutls might have been tested?), this is not a problem, since the client certificate is signed by the self-signed root CA, which is by definition its own issuer. In a complex real world setup, however, client authentication will not work.

I have reported this problem to upstream yesterday:

http://lists.gnupg.org/pipermail/gnutls-dev/2006-December/001313.html
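Added example (not part of the original report, and not gnutls code): a small Python model of the behaviour described above, comparing the CA DN list a server should advertise with the issuer-based list from the report. The certificate names and the client's selection policy (pick the first certificate whose issuer DN is advertised) are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str  # subject DN
    issuer: str   # issuer DN


# Constructed sample PKI (hypothetical names).
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")           # self-signed
INTERMEDIATE = Cert("CN=Example Client CA", "CN=Example Root CA")
ALICE = Cert("CN=alice", "CN=Example Client CA")  # issued by the intermediate
BOB = Cert("CN=bob", "CN=Example Root CA")        # issued directly by the root


def ca_list_correct(trusted):
    """DNs the server should advertise: subjects of its trusted CAs."""
    return [ca.subject for ca in trusted]


def ca_list_buggy(trusted):
    """Behaviour described in the report: issuers of the trusted CAs."""
    return [ca.issuer for ca in trusted]


def select_client_cert(candidates, advertised):
    """Assumed client policy: first certificate whose issuer DN is advertised."""
    for cert in candidates:
        if cert.issuer in advertised:
            return cert
    return None


def compare(trusted, candidates):
    """Return (choice with correct list, choice with issuer-based list)."""
    return (select_client_cert(candidates, ca_list_correct(trusted)),
            select_client_cert(candidates, ca_list_buggy(trusted)))


if __name__ == "__main__":
    # Self-signed root only: both lists are identical, so the bug is masked.
    print(compare([ROOT], [BOB]))
    # Server trusts an intermediate CA: the issuer-based list names the root,
    # so the client finds no match, or offers a certificate from the wrong CA.
    print(compare([INTERMEDIATE], [ALICE]))
    print(compare([INTERMEDIATE], [BOB, ALICE]))
```

The third case shows the quieter failure: a client holding several certificates offers one the server does not trust.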