registry team mailing list archive

[Bug 294648] Re: svn over https with client certificates broken (regression in intrepid)

 

I've been digging through the source trying to track down the problem I
am experiencing.  This has actually led me into the source for
libgnutls26 rather than neon but I'm posting here for completeness.
libneon-gnutls27 calls gnutls_handshake() in libgnutls26 which calls
_gnutls_handshake_client() which appears to proceed through the
following stages successfully:

Send hello.
Receive server hello.
Receive server certificate.
Receive server key exchange message.
Receive server certificate request message.
Receive server hello done.
Send client certificate.
Send client key exchange.
Send client certificate verify.

It then calls _gnutls_handshake_common() which first successfully calls
_gnutls_send_handshake_final() but falls over on
_gnutls_recv_handshake_final() where it interprets the response from the
server as a GNUTLS_ALERT packet instead of a GNUTLS_CHANGE_CIPHER_SPEC
packet.

I have to assume that it is the gnutls client misinterpreting the packet
rather than the server sending something unexpected because client
certificate authentication works when using the LD_PRELOAD workaround
and also when using Firefox.

I really want to get this working so I'll keep digging but if anyone has
any ideas or wants to discuss please let me know.

-- 
You received this bug notification because you are a member of Registry
Administrators, which is the registrant for neon.
https://bugs.launchpad.net/bugs/294648

Title:
  svn over https with client certificates broken (regression in intrepid)
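
The failing step in the message above comes down to the first byte of the record the server sends after the client's final handshake messages: content type 20 is ChangeCipherSpec, 21 is Alert. On an initial handshake the server's records are still unencrypted at that point, so the alert level and description can be read straight from a packet capture. The following is an added example, not code from the post, neon or GnuTLS; `parse_tls_record`, `alert_name` and the sample byte arrays are hypothetical names and constructed data.

```c
#include <stdint.h>
#include <stdio.h>

/* TLS record content types (RFC 5246, section 6.2.1). */
enum { REC_CHANGE_CIPHER_SPEC = 20, REC_ALERT = 21, REC_HANDSHAKE = 22 };

struct tls_record {
    uint8_t type, ver_major, ver_minor;
    uint16_t length;
    int alert_level, alert_desc;   /* -1 unless a 2-byte plaintext alert */
};

/* Constructed sample records, not taken from the bug report. */
const uint8_t sample_ccs[]   = { 0x14, 0x03, 0x01, 0x00, 0x01, 0x01 };
const uint8_t sample_alert[] = { 0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x28 };

/* Parse one record; returns 0 on success, -1 if truncated or not TLS. */
int parse_tls_record(const uint8_t *buf, size_t len, struct tls_record *out)
{
    if (len < 5 || buf[1] != 3)
        return -1;
    out->type = buf[0];
    out->ver_major = buf[1]; out->ver_minor = buf[2];
    out->length = (uint16_t)((buf[3] << 8) | buf[4]);
    out->alert_level = out->alert_desc = -1;
    if ((size_t)out->length > len - 5)
        return -1;                 /* body not fully captured */
    if (out->type == REC_ALERT && out->length == 2) {
        out->alert_level = buf[5]; /* 1 = warning, 2 = fatal */
        out->alert_desc = buf[6];
    }
    return 0;
}

/* Names for a few alerts seen around certificate authentication. */
const char *alert_name(int d)
{
    return d == 40 ? "handshake_failure" : d == 42 ? "bad_certificate" :
           d == 48 ? "unknown_ca" : d == 49 ? "access_denied" :
           d == 51 ? "decrypt_error" : "other";
}

int main(void)
{
    struct tls_record r;
    if (parse_tls_record(sample_alert, sizeof sample_alert, &r) == 0)
        printf("type=%d level=%d alert=%s\n", r.type, r.alert_level, alert_name(r.alert_desc));
    return 0;
}
```

Feeding it the bytes of the server's reply from a capture shows whether the record really is an alert, and if so which one, independently of how the client library classified it.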