Bug#579631: gnutls-bin: gnutls fails to base64 decode cert if header has additional space at EOL

Philipp Kolmann philipp at kolmann.at
Thu Apr 29 11:48:41 UTC 2010


On 2010-04-29 12:54, Simon Josefsson wrote:
> severity 579631 wishlist
> thanks
>
> Philipp Kolmann <philipp at kolmann.at> writes:
>
>> Hi,
>>
>> I got a new cert for my servers and updated also the certs for exim for TLS.
>> With dovecot and Apache I never had any issues but exim failed to start tls:
>>
>> 2010-04-29 09:43:26 TLS error on connection from xxx.tuwien.ac.at (XXXX)
>>   [128.130.xx.xx] (cert/key setup: cert=/etc/exim4/exim.crt
>>   key=/etc/exim4/exim.key): Base64 decoding error.
>>
>> In the end I found out that the header of the cert has an additional space
>> after the -----BEGIN CERTIFICATE----- and before the newline.
>>
>> gnutls then fails to decode the cert. openssl has no issues with the additional
>> blank. Would it be possible to ignore this whitespace in gnutls as well?
>>      
> Hi!  Thanks for identifying this, it could explain some similar reports
> we've seen.  However I cannot reproduce this outside of exim, can you?
>    

yes. I found it with certtool...

> I tried running 'certtool < foo' on a file 'foo' containing:
>
> -----BEGIN CERTIFICATE-----
> MIICVjCCAcGgAwIBAgIERiYdMTALBgkqhkiG9w0BAQUwGTEXMBUGA1UEAxMOR251
> VExTIHRlc3QgQ0EwHhcNMDcwNDE4MTMyOTIxWhcNMDgwNDE3MTMyOTIxWjA3MRsw
> GQYDVQQKExJHbnVUTFMgdGVzdCBzZXJ2ZXIxGDAWBgNVBAMTD3Rlc3QuZ251dGxz
> Lm9yZzCBnDALBgkqhkiG9w0BAQEDgYwAMIGIAoGA17pcr6MM8C6pJ1aqU46o63+B
> dUxrmL5K6rce+EvDasTaDQC46kwTHzYWk95y78akXrJutsoKiFV1kJbtple8DDt2
> DZcevensf9Op7PuFZKBroEjOd35znDET/z3IrqVgbtm2jFqab7a+n2q9p/CgMyf1
> tx2S5Zacc1LWn9bIjrECAwEAAaOBkzCBkDAMBgNVHRMBAf8EAjAAMBoGA1UdEQQT
> MBGCD3Rlc3QuZ251dGxzLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHQ8B
> Af8EBQMDB6AAMB0GA1UdDgQWBBTrx0Vu5fglyoyNgw106YbU3VW0dTAfBgNVHSME
> GDAWgBTpPBz7rZJu5gakViyi4cBTJ8jylTALBgkqhkiG9w0BAQUDgYEAaFEPTt+7
> bzvBuOf7+QmeQcn29kT6Bsyh1RHJXf8KTk5QRfwp6ogbp94JQWcNQ/S7YDFHglD1
> AwUNBRXwd3riUsMnsxgeSDxYBfJYbDLeohNBsqaPDJb7XailWbMQKfAbFQ8cnOxg
> rOKLUQRWJ0K3HyXRMhbqjdLIaQiCvQLuizo=
> -----END CERTIFICATE-----
>
> but it worked fine.
>    


if you put the blank in the first line it still crashes.

attached the cert file, which crashes here with me:

pkolmann at wspk:~$ certtool -i < test.crt
|<1>| Could not find '-----
'
certtool: import error: Base64 unexpected header error.

thanks
Philipp

-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.crt
Type: application/x-x509-ca-cert
Size: 873 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-gnutls-maint/attachments/20100429/e2cbb79e/attachment.crt>
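
The failure reported in this thread (a space between -----BEGIN CERTIFICATE----- and the newline) can be checked for before a certificate file is deployed. The following is an added example, not code from the thread or from GnuTLS: it assumes a single PEM block per file, and the function names and the sample payload are constructed for illustration.

```python
import base64
import re

# Strict armor line: five dashes, BEGIN/END, label, five dashes, nothing after.
ARMOR = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")


def strict_decode(pem: str) -> bytes:
    """Decode one PEM block, rejecting armor lines with any trailing characters."""
    lines = pem.split("\n")
    if lines and lines[-1] == "":
        lines.pop()                      # final newline of the file
    if len(lines) < 2:
        raise ValueError("not a PEM block")
    head, tail = ARMOR.match(lines[0]), ARMOR.match(lines[-1])
    if not head or head.group(1) != "BEGIN":
        raise ValueError("unexpected header")
    if not tail or tail.group(1) != "END" or tail.group(2) != head.group(2):
        raise ValueError("unexpected footer")
    return base64.b64decode("".join(lines[1:-1]), validate=True)


def armor_whitespace(pem: str) -> list:
    """Return 1-based numbers of armor lines that carry trailing whitespace."""
    hits = []
    for n, line in enumerate(pem.split("\n"), start=1):
        if line.startswith("-----") and line != line.rstrip():
            hits.append(n)
    return hits


def lenient_decode(pem: str) -> bytes:
    """Strip trailing spaces, tabs and CRs from every line, then decode strictly."""
    cleaned = "\n".join(line.rstrip() for line in pem.split("\n"))
    return strict_decode(cleaned)


# Constructed sample: the payload is arbitrary bytes, not a real certificate.
PAYLOAD = b"constructed payload, not DER"
BODY = base64.b64encode(PAYLOAD).decode()
GOOD = f"-----BEGIN CERTIFICATE-----\n{BODY}\n-----END CERTIFICATE-----\n"
# Same block with one space before the newline on the header line.
BAD = f"-----BEGIN CERTIFICATE----- \n{BODY}\n-----END CERTIFICATE-----\n"
```

armor_whitespace() reports which armor lines to clean up in a file that one TLS stack accepts and another rejects; lenient_decode() shows the tolerant behaviour requested in the report.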

