Bug 1321112

Summary: DHE_DSS ciphers don't work with client certificates and OpenSSL using TLSv1.2
Product: Red Hat Enterprise Linux 6
Reporter: Alicja Kario <hkario>
Component: gnutls
Assignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED ERRATA
QA Contact: Alicja Kario <hkario>
Severity: unspecified
Priority: unspecified
Version: 6.8
CC: szidek
Target Milestone: rc
Keywords: Rebase
Hardware: Unspecified
OS: Unspecified
Fixed In Version: gnutls-2.12.23-2.el6
Last Closed: 2017-03-21 09:03:01 UTC
Type: Bug
Bug Depends On: 1269239
Bug Blocks: 1339222, 1343211
Attachments: test certificates (flags: none)

Description Alicja Kario 2016-03-24 16:58:01 UTC
Created attachment 1140055: test certificates

Description of problem:
GnuTLS clients and servers can't communicate with OpenSSL using DSA client certificates

Version-Release number of selected component (if applicable):
gnutls-2.8.5-19.el6_7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. tar xzf certificates.tar.gz
2. openssl s_server -key 1024dsa-server/key.pem -cert 1024dsa-server/cert.pem -CAfile <(cat ca/cert.pem 1024dsa-ca/cert.pem) -cipher DSS -Verify 1
3. gnutls-cli --x509cafile ca/cert.pem --x509keyfile 1024dsa-client/key.pem --x509certfile 1024dsa-client/cert.pem --protocols TLS1.1 TLS1.2 -p 4433 localhost

alternatively:
2. gnutls-serv --echo -p 4433 --protocols TLS1.0 TLS1.1 TLS1.2 --x509keyfile 1024dsa-server/key.pem --x509certfile <(cat 1024dsa-server/cert.pem 1024dsa-ca/cert.pem) --x509cafile <(cat ca/cert.pem 1024dsa-ca/cert.pem) --require-cert
3. openssl s_client -CAfile ca/cert.pem -cipher DHE-DSS-AES128-SHA256 -key 1024dsa-client/key.pem -cert 1024dsa-client/cert.pem -connect localhost:4433 

Actual results:
From OpenSSL client:
139801902708552:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1259:SSL alert number 80
139801902708552:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:

From gnutls server:
Error: Public key signature verification has failed.

From OpenSSL server:
139701378676552:error:0A071003:dsa routines:DSA_do_verify:BN lib:dsa_ossl.c:425:
139701378676552:error:1408807B:SSL routines:SSL3_GET_CERT_VERIFY:bad signature:s3_srvr.c:3061:

From gnutls client:
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [51]: Decrypt error
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.


Expected results:
Connection successful

Additional info:
Using TLS1.1 makes the connection proceed as normal.
The certificates are signed with SHA-1

Comment 4 Nikos Mavrogiannopoulos 2016-08-09 14:39:43 UTC
Both these handshakes involve signing with DSA and an algorithm other than SHA1.
This is not something defined by TLS, and it seems the implementations are not interoperable on that. I do not really think we should bother with that algorithm; I'll instead prohibit DSA from being used with anything other than SHA1.

<3>| HSK[0x10bf310]: verify handshake data: using DSA-SHA256
|<3>| HSK[0x133a470]: signing handshake data: using DSA-SHA256

Comment 5 Nikos Mavrogiannopoulos 2016-08-10 07:42:31 UTC
Resolved by disabling DSA-SHA224 and DSA-SHA256 completely on the libgcrypt backend. It seems to be broken.
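
The report does not state the root cause. The following is an added illustration, not code from the report, GnuTLS, libgcrypt or OpenSSL, of one well-known way DSA signatures over SHA-256 with a 1024-bit key (160-bit q) fail to interoperate: FIPS 186 has signer and verifier use only the leftmost 160 bits of the 256-bit digest, so a verifier that reduces the whole digest instead rejects a correctly made signature, whereas SHA-1 (160 bits, what TLS 1.1 and earlier use for DSS) verifies either way. The parameter sizes, the transcript bytes, the Fermat primality test and all function names are constructed for this toy.

```python
import hashlib
import secrets

Q_BITS, P_BITS = 160, 512  # constructed demo sizes: 160-bit q, as with a 1024-bit DSA key

def is_probable_prime(n):
    """Fermat probable-prime test for large odd n: adequate for demo parameters only."""
    return all(pow(a, n - 1, n) == 1 for a in (2, 3, 5, 7))

def generate_params():
    """Demo DSA domain parameters (p, q, g): q prime, p = k*q + 1 prime, g of order q."""
    q = secrets.randbits(Q_BITS) | 1 << (Q_BITS - 1) | 1
    while not is_probable_prime(q):
        q += 2
    k = (secrets.randbits(P_BITS - Q_BITS) | 1 << (P_BITS - Q_BITS - 1)) & ~1
    while not is_probable_prime(k * q + 1):
        k += 2
    p = k * q + 1
    return p, q, next(pow(h, k, p) for h in range(2, 64) if pow(h, k, p) != 1)

def hash_to_z(digest, q, truncate):
    excess = len(digest) * 8 - q.bit_length()  # FIPS 186: use only the leftmost len(q) bits
    return int.from_bytes(digest, "big") >> (excess if truncate and excess > 0 else 0)

def sign(p, q, g, x, digest):
    z = hash_to_z(digest, q, truncate=True)  # the signer follows the standard
    while True:
        k = 1 + secrets.randbelow(q - 1)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (z + x * r) % q
        if r and s:
            return r, s

def verify(p, q, g, y, digest, sig, truncate):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    z, w = hash_to_z(digest, q, truncate), pow(s, -1, q)
    return pow(g, z * w % q, p) * pow(y, r * w % q, p) % p % q == r

def interop_check(message=b"constructed CertificateVerify transcript"):
    """Per hash: (verifier applies the truncation rule, verifier reduces the whole digest)."""
    p, q, g = generate_params()
    x = 1 + secrets.randbelow(q - 1)  # private key
    y = pow(g, x, p)                  # public key
    def check(name):
        d = hashlib.new(name, message).digest()
        s = sign(p, q, g, x, d)
        return tuple(verify(p, q, g, y, d, s, t) for t in (True, False))
    return {name: check(name) for name in ("sha256", "sha1")}
```

Calling interop_check() returns {"sha256": (True, False), "sha1": (True, True)}: the SHA-256 signature is good, but only a verifier that applies the same digest rule as the signer accepts it.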

Comment 10 errata-xmlrpc 2017-03-21 09:03:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0574.html