Bug 1404084

Summary: GnuTLS 3.5.7-1 broke reading my private key
Product: [Fedora] Fedora
Reporter: Brandon Bennett <bbennett>
Component: gnutls
Assignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 25
CC: dwmw2, jv+fedora, nmavrogi, tmraz
Keywords: Reopened
Hardware: x86_64
OS: Linux
Fixed In Version: gnutls-3.5.7-3.fc25
Last Closed: 2017-04-07 21:12:26 UTC

Description Brandon Bennett 2016-12-13 02:57:29 UTC
User-Agent:       Mozilla/5.0 (X11; Fedora; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.75 Safari/537.36
Build Identifier: 

I use certificate authentication to connect to my work VPN.  After upgrading to GNUTLS 3.5.7-1 from 3.5.6-1 I can no longer connect with the error:


$ openconnect -k ~/.keys/client_key.pem  -c ~/.keys/client_cert.pem myvpn.example.com
POST https://myvpn.example.com/
Connected to [xxxx:xxx:c090:150::1]:443
Failed to load private key as PKCS#8: An illegal parameter was found.
Loading certificate failed. Aborting.
Failed to open HTTPS connection to myvpn.example.com
Failed to obtain WebVPN cookie


If I downgrade opentls using dnf, openconnect can read my private key and everything is fine.  I can verify the key with openssl and it is fine, but I cannot seem to figure out how to do it with certtool.

I use the same key/certificate with 802.1x wireless without a problem as well.

Reproducible: Always

Steps to Reproduce:
1. Upgrade to gnutls 3.5.7
2. Use my private key to connect via openssl

Actual Results:  
Failed to load private key as PKCS#8: An illegal parameter was found.


Expected Results:  
I would get a prompt for my PEM password:

 openconnect -k ~/.keys/client_key.pem  -c ~/.keys/client_cert.pem myvpn.example.com
POST https://myvpn.example.com/
Connected to [xxxx:xxx:c090:150::1]:443
Enter PEM pass phrase:
fgets (stdin): Interrupted system call

Comment 1 Nikos Mavrogiannopoulos 2016-12-13 10:42:31 UTC
*** Bug 1404192 has been marked as a duplicate of this bug. ***

Comment 2 Nikos Mavrogiannopoulos 2016-12-13 10:46:14 UTC
https://gitlab.com/gnutls/gnutls/merge_requests/185

Comment 3 Fedora Update System 2016-12-13 13:47:44 UTC
gnutls-3.5.7-2.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a50e12625a

Comment 4 Fedora Update System 2016-12-13 14:38:09 UTC
gnutls-3.5.7-3.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2016-a50e12625a

Comment 5 Nikos Mavrogiannopoulos 2016-12-13 14:39:06 UTC
Could you please check whether the builds on koji [0] address your issue?

[0]. https://koji.fedoraproject.org/koji/buildinfo?buildID=825101

Comment 6 David Woodhouse 2016-12-13 16:11:12 UTC
It does; thanks.

Comment 7 Brandon Bennett 2016-12-13 18:31:31 UTC
This fixed my problem as well.  Thanks for the quick fix!

Comment 8 Fedora Update System 2016-12-14 02:24:24 UTC
gnutls-3.5.7-3.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-a50e12625a

Comment 9 Fedora Update System 2016-12-14 21:30:30 UTC
gnutls-3.5.7-3.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2016-12-19 07:07:43 UTC
gnutls30-3.5.7-2.el6 has been submitted as an update to Fedora EPEL 6. https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-a44b349047

Comment 11 Fedora Update System 2016-12-20 08:46:23 UTC
gnutls30-3.5.7-2.el6 has been pushed to the Fedora EPEL 6 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2016-a44b349047

Comment 12 Fedora Update System 2017-01-03 17:49:34 UTC
gnutls30-3.5.7-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.