Bug#505279: libgnutls26: segfault in _gnutls_x509_crt_get_raw_dn2

Andreas Henriksson andreas at fatal.se
Tue Nov 11 15:58:32 UTC 2008


In hope that this information might be useful for tracking down the problem...

I can reproduce it with my self-signed certificate loaded in dovecot,
but not with my cacert-signed certificate.

If needed for debugging, I could give up my self-signed key since I could
stop using it without much hassle.


Information on self-signed cert that mutt now crashes when opening imaps://localhost
-------------------------------------------------------------------------

$ gnutls-cli -p 143 localhost --insecure -s
Resolving 'localhost'...
Connecting to '127.0.0.1:143'...

- Simple Client Mode:

* OK Dovecot ready.
. STARTTLS
. OK Begin TLS negotiation now.
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1032 bits
 - Secret key: 1012 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate does NOT match 'localhost'.
 # valid since: Sat Sep 27 20:15:43 CEST 2008
 # expires at: Tue Sep 25 20:15:47 CEST 2018
 # fingerprint: 1F:05:C4:56:0D:61:6F:63:E8:47:72:63:11:C8:78:0A
 # Subject's DN: C=SE,CN=fatal.se,EMAIL=hostmaster at fatal.se
 # Issuer's DN: C=SE,CN=fatal.se,EMAIL=hostmaster at fatal.se


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL

. LOGOUT
* BYE Logging out
. OK Logout completed.
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.


Information on cacert signed certificate which does not cause mutt to crash:
-----------------------------------------------------------------------------


$ gnutls-cli -p 143 localhost --insecure -s
Resolving 'localhost'...
Connecting to '127.0.0.1:143'...

- Simple Client Mode:

* OK Dovecot ready.
. STARTTLS
. OK Begin TLS negotiation now.
*** Starting TLS handshake
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1032 bits
 - Secret key: 1013 bits
 - Peer's public key: 1024 bits
- Certificate type: X.509
 - Got a certificate list of 1 certificates.

 - Certificate[0] info:
 # The hostname in the certificate does NOT match 'localhost'.
 # valid since: Tue Nov 11 16:00:28 CET 2008
 # expires at: Sun May 10 17:00:28 CEST 2009
 # fingerprint: 3E:62:44:BE:25:AC:BC:F2:AC:49:7B:CD:F4:60:E7:56
 # Subject's DN: CN=*.fatal.se
 # Issuer's DN: O=Root CA,OU=http://www.cacert.org,CN=CA Cert Signing Authority,EMAIL=support at cacert.org


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL

. LOGOUT
* BYE Logging out
. OK Logout completed.
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.


-- 
Andreas Henriksson