Package: libgnutls26
Version: 2.4.2-1
Severity: normal

I'm a novice when it comes to dealing with certificates, so don't hesitate to let me know if this bug is missing some important information.

There's a long-open bug reported against subversion, #480041. This appears to have surfaced when subversion began using libneon26-gnutls instead of openssl for PKCS12 certs.

I took a shot at debugging this, and it looks like the problem first arises when libgnutls calls into libtasn1-3 to decode the ASN.1-encoded PKCS12 file. asn1_der_decoding() eventually bails out, causing an error to be propagated up the stack.

troyh and I think we've found a way to simplify the demonstration of this problem outside of subversion by using certtool:

1) Follow the instructions for creating a pkcs12 cert that google found for me on this page:
   http://hausheer.osola.com/docs/9
2) Run:
   $ certtool --p12-info --infile /tmp/client.p12 --inraw
   (To demonstrate that we can process this cert)
3) Imported the cert into iceweasel (aka firefox)
4) Use the "backup" feature in iceweasel to dump the cert back out to another .p12 file
5) Run:
   $ certtool --p12-info --infile /tmp/backup.p12 --inraw

This time, we see an error:

   date size is 1822
   certtool: p12_import: ASN1 parser: Error in TAG.

Obviously, this doesn't prove that this is a bug in gnutls. It could very well be that firefox is exporting a bad cert. However, openssl seems to handle the firefox-exported certs just fine, as seen in:
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480041#130

That suggests to me that this bug likely lies either in gnutls or libtasn.

I'm filing a new bug instead of reassigning the subversion one because subversion could theoretically fix the problem by reverting back to openssl.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: ia64

Kernel: Linux 2.6.26-1-mckinley (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libgnutls26 depends on:
ii  libc6.1        2.7-15             GNU C Library: Shared libraries
ii  libgcrypt11    1.4.1-1            LGPL Crypto library - runtime libr
ii  libgpg-error0  1.4-2              library for common error values an
ii  libtasn1-3     1.5-1              Manage ASN.1 structures (runtime)
ii  zlib1g         1:1.2.3.3.dfsg-12  compression library - runtime

libgnutls26 recommends no packages.

Versions of packages libgnutls26 suggests:
ii  gnutls-bin     2.4.2-1            the GNU TLS library - commandline

-- no debconf information
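
Because the report leaves open whether the exported file or the parser is at fault, a TLV walker run over both .p12 files shows where their structures diverge and whether either uses encodings that BER allows but DER forbids. This is an added example, not part of the original report and not gnutls or libtasn1 code; the two sample byte strings are constructed (shaped like the first fields of a PFX structure), and the report does not say which construct triggered the error.

```python
# Added example, not from the report; the two sample byte strings are constructed.

def read_header(buf, pos):
    """Parse one identifier+length header; return (cls, tag, constructed, length, hlen, notes)."""
    start, notes = pos, []
    first, pos = buf[pos], pos + 1
    tag = first & 0x1F
    if tag == 0x1F:
        raise ValueError("high-tag-number form not handled at offset %d" % start)
    lb, pos = buf[pos], pos + 1
    if lb < 0x80:                            # short form
        length = lb
    elif lb == 0x80:                         # indefinite form: valid BER, forbidden in DER
        length = None
        notes.append("indefinite length")
    else:                                    # long form: next n octets hold the length
        n = lb & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            notes.append("non-minimal length")
        pos += n
    return first >> 6, tag, bool(first & 0x20), length, pos - start, notes

def walk(buf, pos=0, end=None, depth=0, out=None, indefinite=False):
    """Collect (depth, offset, cls, tag, notes) for every element; return (next_pos, out)."""
    out = [] if out is None else out
    end = len(buf) if end is None else end
    while pos < end:
        if indefinite and buf[pos:pos + 2] == b"\x00\x00":
            return pos + 2, out              # end-of-contents octets close the element
        cls, tag, constructed, length, hlen, notes = read_header(buf, pos)
        out.append((depth, pos, cls, tag, notes))
        body = pos + hlen
        if length is None and constructed:
            pos, _ = walk(buf, body, end, depth + 1, out, True)
            continue
        if length is None or body + length > end:
            raise ValueError("bad length at offset %d" % pos)
        if constructed:
            walk(buf, body, body + length, depth + 1, out)
        pos = body + length
    return pos, out

def non_der(buf):
    """List (offset, note) for encodings that BER permits but DER does not."""
    return [(off, n) for _, off, _, _, notes in walk(bytes(buf))[1] for n in notes]

DER_SAMPLE = bytes.fromhex("3010020103300b06092a864886f70d010701")
BER_SAMPLE = bytes.fromhex("3080020103308006092a864886f70d01070100000000")
```

Running `non_der(open("/tmp/backup.p12", "rb").read())` and the same on /tmp/client.p12 gives a quick comparison of the two files from the steps above; an empty list for both means the difference lies elsewhere in the structure, which the `walk` output can then be diffed to locate.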