Bug#403072: [Pkg-gnutls-maint] Re: Bug#403072: exim4-daemon-light fails to use equifax SSL cert/key obtained from "1&1" hosting

James Westby jw+debian at jameswestby.net
Thu Dec 14 19:44:55 CET 2006


On (14/12/06 17:42), Marc Haber wrote:
> On Thu, Dec 14, 2006 at 05:22:33PM +0100, Felix Palmen wrote:
> > * Marc Haber <mh+debian-packages at zugschlus.de> [20061214 16:45]:
> > > Ok. Can you please install gnutls-bin and try starting gnutls-serv
> > > with the appropriate --x509keyfile and --x509certfile options. If that
> > > gives the same error message, we have a gnutls-issue and this bug
> > > needs to be reassigned appropriately.
> > 
> > You're right:
> > 
> > ---
> > photon:/etc/exim4# gnutls-serv --x509keyfile exim.key --x509certfile exim.crt 
> > Error reading 'exim.crt' or 'exim.key'
> > Error: Base64 decoding error.
> > ---
> > photon:/etc/exim4# openssl s_server -key exim.key -cert exim.crt
> > Using default temp DH parameters
> > Using default temp ECDH parameters
> > ACCEPT
> > ---

Hi,

Thanks for the report.

As you can imagine it is not easy for me to debug this problem without
more information than that from GnuTLS about what is wrong. As you
cannot provide the key, and working under the assumption that there will
be no help from the hosting company, there are a couple of things we
can try.

For a start I don't know how to create a Base64 encoded key, do you?

Could you first have a look at the key/cert files and see if they look
like normal base64 (I'm not sure whether the encoding to base64 is the
last layer or somewhere underneath). If they look like they are, can you
try and decode them from base64? A failure might just mean that even
though it looks like base64 it isn't, but it might indicate a certificate
problem.

Assuming that that tells us nothing could I provide you with an
instrumented GnuTLS library that will reveal the real problem? Looking
at the code there are many points that will throw this error, so first
it would be good to know which one it is tripping up on. Then it would
be good to know what the actual problem is it is having with the files,
which might point to where the bug lies.

If I were going to provide this would you be happy to compile this for
yourself or would you like packages? The testing can be done on your
etch system if you like.

As for fixing this for etch I doubt whether that will happen I am
afraid. We are in the freeze now, and though we could perhaps get an
exception if we can provide a targeted fix there's no guarantee we would
even have found the bug by the time the release comes.

Thanks,

James

-- 
  James Westby   --    GPG Key ID: B577FE13    --     http://jameswestby.net/
  seccure key - (3+)k7|M*edCX/.A:n*N!>|&7U.L#9E)Tu)T0>AM - secp256r1/nistp256
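
Added example, not part of the original message and not GnuTLS code: a strict line-by-line check of a PEM file's armor and base64 body, one way to carry out the "does it look like normal base64, and does it decode" step suggested above without sharing the key. The function names and the sample data are constructed for illustration; the checks flag deviations a strict decoder could reject and do not reproduce GnuTLS's own parser.

```python
import base64
import binascii
import re

ARMOR = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
B64_LINE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")

def check_pem(text):
    """Return [(line_number, problem), ...] for the text of one PEM file."""
    problems, label, body, n = [], None, [], 0
    for n, raw in enumerate(text.split("\n"), 1):
        line = raw.rstrip("\r")
        if line != raw:
            problems.append((n, "CR line ending"))
        if line != line.strip():
            problems.append((n, "leading or trailing whitespace"))
            line = line.strip()
        m = ARMOR.match(line)
        if m and m.group(1) == "BEGIN":
            label, body = m.group(2), []
        elif m:  # END line: labels must pair up, then decode the whole body
            if m.group(2) != label:
                problems.append((n, "END label does not match BEGIN"))
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                except binascii.Error as exc:
                    problems.append((n, f"body does not decode: {exc}"))
            label = None
        elif label is None:
            if line:
                problems.append((n, "text outside PEM armor"))
        elif ":" in line and not body:  # e.g. Proc-Type / DEK-Info headers
            problems.append((n, "encapsulated header before the base64 body"))
        elif not B64_LINE.match(line):
            problems.append((n, "non-base64 character"))
        else:
            body.append(line)
    if label is not None:
        problems.append((n, "missing END line"))
    return problems

def make_pem(label, data):
    """Build a constructed PEM block for the demonstration."""
    b64 = base64.b64encode(data).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----", ""])

GOOD = make_pem("CERTIFICATE", bytes(range(96)))  # constructed bytes, not a real cert
```

To run it on the real files, call check_pem(open("exim.crt", newline="").read()) and the same for exim.key; newline="" keeps any CR characters visible instead of letting Python normalise them away.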




