Bug 1321112 - DHE_DSS ciphers don't work with client certificates and OpenSSL using TLSv1.2
Summary: DHE_DSS ciphers don't work with client certificates and OpenSSL using TLSv1.2
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: gnutls
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Nikos Mavrogiannopoulos
QA Contact: Hubert Kario
URL:
Whiteboard:
Depends On: 1269239
Blocks: 1339222 1343211
 
Reported: 2016-03-24 16:58 UTC by Hubert Kario
Modified: 2017-03-21 09:03 UTC (History)

Fixed In Version: gnutls-2.12.23-2.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-21 09:03:01 UTC
Target Upstream Version:


Attachments
test certificates (19.72 KB, application/x-gzip)
2016-03-24 16:58 UTC, Hubert Kario


Links
System: Red Hat Product Errata
ID: RHSA-2017:0574
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: gnutls security, bug fix, and enhancement update
Last Updated: 2017-03-21 12:23:04 UTC

Description Hubert Kario 2016-03-24 16:58:01 UTC
Created attachment 1140055 [details]
test certificates

Description of problem:
GnuTLS clients and servers can't communicate with OpenSSL using DSA client certificates

Version-Release number of selected component (if applicable):
gnutls-2.8.5-19.el6_7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. tar xzf certificates.tar.gz
2. openssl s_server -key 1024dsa-server/key.pem -cert 1024dsa-server/cert.pem -CAfile <(cat ca/cert.pem 1024dsa-ca/cert.pem) -cipher DSS -Verify 1
3. gnutls-cli --x509cafile ca/cert.pem --x509keyfile 1024dsa-client/key.pem --x509certfile 1024dsa-client/cert.pem --protocols TLS1.1 TLS1.2 -p 4433 localhost

alternatively:
2. gnutls-serv --echo -p 4433 --protocols TLS1.0 TLS1.1 TLS1.2 --x509keyfile 1024dsa-server/key.pem --x509certfile <(cat 1024dsa-server/cert.pem 1024dsa-ca/cert.pem) --x509cafile <(cat ca/cert.pem 1024dsa-ca/cert.pem) --require-cert
3. openssl s_client -CAfile ca/cert.pem -cipher DHE-DSS-AES128-SHA256 -key 1024dsa-client/key.pem -cert 1024dsa-client/cert.pem -connect localhost:4433 

Actual results:
From OpenSSL client:
139801902708552:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1259:SSL alert number 80
139801902708552:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:

From gnutls server:
Error: Public key signature verification has failed.

From OpenSSL server:
139701378676552:error:0A071003:dsa routines:DSA_do_verify:BN lib:dsa_ossl.c:425:
139701378676552:error:1408807B:SSL routines:SSL3_GET_CERT_VERIFY:bad signature:s3_srvr.c:3061:

From gnutls client:
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [51]: Decrypt error
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.


Expected results:
Connection successful

Additional info:
Using TLS1.1 makes the connection proceed as normal.
The certificates are signed with SHA-1

Comment 4 Nikos Mavrogiannopoulos 2016-08-09 14:39:43 UTC
Both of these handshakes involve signing with DSA and an algorithm other than SHA1.
This is not something defined by TLS, and it seems the implementations are not interoperable on that. I do not really think we should bother with that algorithm; I'll instead prohibit DSA from being used with anything other than SHA1.

|<3>| HSK[0x10bf310]: verify handshake data: using DSA-SHA256
|<3>| HSK[0x133a470]: signing handshake data: using DSA-SHA256

Comment 5 Nikos Mavrogiannopoulos 2016-08-10 07:42:31 UTC
Resolved by disabling DSA-SHA224 and DSA-256 completely on the libgcrypt backend. It seems to be broken.
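
As an added illustration (not code from this bug, GnuTLS or OpenSSL) of the mechanism behind the report: in TLS 1.0/1.1 a DSA CertificateVerify always uses SHA-1, while in TLS 1.2 the signer picks a hash from the peer's supported_signature_algorithms list (RFC 5246, 7.4.1.4.1), which is how DSA-SHA256 gets selected; the policy function models the restriction from comment 5. The sigalgs byte string is constructed for the example, not captured from either implementation.

```python
import struct

# RFC 5246 HashAlgorithm and SignatureAlgorithm code points
HASH = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIG = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}

# Constructed example of a CertificateRequest supported_signature_algorithms
# body: uint16 length, then (hash, signature) byte pairs. Order matters: the
# first usable pair is preferred, and sha256/dsa comes before sha1/dsa here.
CONSTRUCTED_SIGALGS = bytes([0, 8, 4, 1, 4, 2, 2, 2, 2, 1])


def parse_signature_algorithms(body):
    """Decode the extension body into a list of (hash, sig) name pairs."""
    if len(body) < 2:
        raise ValueError("truncated signature_algorithms body")
    (length,) = struct.unpack("!H", body[:2])
    if length % 2 or 2 + length != len(body):
        raise ValueError("bad signature_algorithms length")
    pairs = []
    for off in range(2, 2 + length, 2):
        h, s = body[off], body[off + 1]
        pairs.append((HASH.get(h, "hash%d" % h), SIG.get(s, "sig%d" % s)))
    return pairs


def dsa_sha1_only(pairs):
    """Policy matching the fix in comment 5: DSA may only be paired with SHA-1."""
    return [(h, s) for (h, s) in pairs if s != "dsa" or h == "sha1"]


def choose_certificate_verify_alg(version, sigalgs_body, key_type,
                                  policy=dsa_sha1_only):
    """Pick the (hash, sig) used to sign CertificateVerify with `key_type`.

    version is the TLS version tuple ((3, 2) = TLS 1.1, (3, 3) = TLS 1.2).
    Before TLS 1.2 the hash is fixed by the key type (SHA-1 for DSA,
    MD5+SHA-1 for RSA) and no list is consulted. In TLS 1.2 the first
    offered pair for our key type that passes `policy` wins; None means
    there is no acceptable algorithm and the handshake cannot proceed.
    """
    if version < (3, 3):
        return ("sha1", key_type) if key_type == "dsa" else ("md5sha1", key_type)
    for pair in policy(parse_signature_algorithms(sigalgs_body)):
        if pair[1] == key_type:
            return pair
    return None
```

With no policy (`policy=lambda p: p`) the TLS 1.2 choice for a DSA key is sha256/dsa, the combination both sides fail to verify in the report; with the SHA-1-only policy it is sha1/dsa, the same algorithm TLS 1.1 uses.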

Comment 10 errata-xmlrpc 2017-03-21 09:03:01 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2017-0574.html

