View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001149 | CATS.cacert.org | User Interface | public | 2013-03-03 22:15 | 2015-11-04 20:54 |
Reporter | Ted | Assigned To | Ted | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | needs review | Resolution | open | ||
Summary | 0001149: CATS accepts server certificates for login | ||||
Description | If someone imports a server certificate into the browser, it is possible to use this certificate to log in to CATS. Though this is not a really bad problem, it leads to problems when uploading the results to the main CAcert database. Since the import interface (cats_import.php) only checks the table for client certificates (EMAILCERTS), it cannot find server certificates and therefore reports an error. From the logic behind the system, CATS expects a certificate to identify a person, not a server, so the most consistent way to fix this bug is to refuse login for server certificates. | ||||
Tags | No tags attached. | ||||
Attached Files | test.p12 | ||||
related to | 0001107 | new | CACert CATS Manual has only one page, which is mostly empty |
(0003786) Ted 2013-03-03 22:19
A certificate is defined as a client certificate if it contains an "Email" field in the CN. AFAIK all CAcert client certificates include either one of the verified email addresses or the "Single Sign On ID Information" in the Email field.
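The rule in the note above, worked through as an added example (this is not CATS's or CAcert's code): a login gate that refuses a certificate unless it carries an Email identity, reading the certificate through the variables Apache mod_ssl exports to a PHP/CGI application. The variable names (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN_Email with _n suffixes for repeated attributes, SSL_CLIENT_SAN_Email_n) are Apache's; the sample environments, the person name and the second and third addresses are constructed for this example, and how CATS itself reads the subject fields is not shown on this page.

```python
"""Added example, not CATS's own code: the "server certificate" login gate
from the note above, applied to the environment Apache mod_ssl exports.

Apache mod_ssl variables used:
  SSL_CLIENT_VERIFY         "SUCCESS" once the client chain validated
  SSL_CLIENT_S_DN_CN        subject common name
  SSL_CLIENT_S_DN_Email     Email attribute of the subject DN,
  SSL_CLIENT_S_DN_Email_n   n-th one when the DN repeats the attribute
  SSL_CLIENT_SAN_Email_n    rfc822Name entries of subjectAltName
All sample environments below are constructed, not captured from a server.
"""
import re
from typing import Dict, List, Tuple

# Error text as reported on this issue.
SERVER_CERT_MESSAGE = (
    "Your certificate does not contain an Email field, you are probably "
    "using a server certificate. Server certificates cannot be used to log "
    "in to CATS since they do not identify a person."
)


def _indexed(env: Dict[str, str], prefix: str) -> List[str]:
    """Values of prefix, prefix_0, prefix_1, ... in numeric order."""
    values: List[str] = []
    if env.get(prefix):
        values.append(env[prefix])
    pattern = re.compile(re.escape(prefix) + r"_(\d+)$")
    numbered = []
    for key in env:
        match = pattern.match(key)
        if match and env[key]:
            numbered.append((int(match.group(1)), key))
    for _, key in sorted(numbered):
        values.append(env[key])
    return values


def certificate_emails(env: Dict[str, str]) -> List[str]:
    """Every e-mail identity the certificate carries: subject DN first,
    then subjectAltName, without duplicates. Empty for a server cert."""
    emails: List[str] = []
    for value in _indexed(env, "SSL_CLIENT_S_DN_Email") + _indexed(env, "SSL_CLIENT_SAN_Email"):
        value = value.strip()
        if value and value not in emails:
            emails.append(value)
    return emails


def check_login(env: Dict[str, str]) -> Tuple[bool, str, List[str]]:
    """Decide whether the presented certificate may log in.

    Returns (allowed, message, identities). The Email test only separates
    person certificates from server certificates; it says nothing about who
    issued the certificate, so chain validation by the web server is
    required first (a self-signed certificate can carry any Email value).
    """
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return False, "Client certificate missing or not verified (%s)" % verify, []
    emails = certificate_emails(env)
    if not emails:
        return False, SERVER_CERT_MESSAGE, []
    return True, "Logged in as %s" % env.get("SSL_CLIENT_S_DN_CN", emails[0]), emails


# Constructed sample environments.
SERVER_CERT_ENV = {          # shaped like the test.p12 certificate on this issue
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/CN=dummy.convey-ag.de",
    "SSL_CLIENT_S_DN_CN": "dummy.convey-ag.de",
    "SSL_CLIENT_SAN_DNS_0": "dummy.convey-ag.de",
}
CLIENT_CERT_ENV = {          # ordinary client certificate, one address
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "Paul Panter",
    "SSL_CLIENT_S_DN_Email": "paul.panter@pink.org",
    "SSL_CLIENT_SAN_Email_0": "paul.panter@pink.org",
}
MULTI_EMAIL_ENV = {          # DN repeats the Email attribute; SAN adds a third
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "Paul Panter",
    "SSL_CLIENT_S_DN_Email_0": "paul.panter@pink.org",
    "SSL_CLIENT_S_DN_Email_1": "paul@example.org",
    "SSL_CLIENT_SAN_Email_0": "paul.panter@pink.org",
    "SSL_CLIENT_SAN_Email_1": "pp@example.net",
}
UNVERIFIED_ENV = {           # self-signed certificate that does carry an Email field
    "SSL_CLIENT_VERIFY": "FAILED:self signed certificate",
    "SSL_CLIENT_S_DN_Email": "attacker@example.org",
}

if __name__ == "__main__":
    for name, env in [("server", SERVER_CERT_ENV), ("client", CLIENT_CERT_ENV),
                      ("multi", MULTI_EMAIL_ENV), ("unverified", UNVERIFIED_ENV)]:
        allowed, message, ids = check_login(env)
        print("%-10s allowed=%s ids=%s\n           %s" % (name, allowed, ids, message))
```

The chain check comes first on purpose: the Email test tells a person certificate from a server certificate, but only CA validation by the web server (SSLVerifyClient require, reported as SSL_CLIENT_VERIFY=SUCCESS) establishes that CAcert issued the certificate at all. The other certificate types listed later in this issue reduce to "at least one Email value present": a certificate whose Email field holds only the Single Sign On ID passes, and with several addresses the caller gets all of them and decides which one maps to the account.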
(0003787) Ted 2013-03-03 23:30
Created branch bug-1149 on https://github.com/CAcertOrg/cats.git
(0005473) Ted 2015-10-18 14:30
Merged the branch into testserver branch
(0005480) Ted 2015-11-01 15:21
Tested with this procedure:
- Create key and CSR with: `openssl req -newkey rsa:2048 -keyout test.key -subj "/CN=dummy.convey-ag.de" -out test.csr`
- Created certificate with testserver, stored into test.crt
- Created importable PKCS12 file with: `openssl pkcs12 -export -out test.p12 -inkey test.key -in test.crt -name "Test Certificate for CAcert bug-1149"`
- Firefox 41.0.2 refused to import the certificate with an unspecific error message
- Importing into Windows Certificate Storage:
  - open MMC.EXE and add plugin "Certificates" for current user
  - Go to "Own Certificates" and use right click -> All Tasks... -> Import
  - Import the test.p12 file
  - "dummy.convey-ag.de" certificate shows in "Own Certificates -> Certificates"
- Open Internet Explorer for https://cats1.it-sls.de:14843
- When asked by Internet Explorer, select the imported certificate ("Test Certificate for CAcert bug-1149") for authentication
- Click "Login"

==> Error message is shown: Your certificate does not contain an Email field, you are probably using a server certificate. Server certificates cannot be used to log in to CATS since they do not identify a person.
==> Correct behaviour for this kind of certificate.

Please test also with your own browser. I added the test.p12 file (password for import is "test"), just in case you don't have the time to create your own certificate...
(0005481) Ted 2015-11-01 15:35
Login works with my "usual" client certificate. Additional tests needed for other types of allowed certificates:
- "Anonymous" certificates
- Certificates with only Single Sign On ID
- Certificates with multiple emails
(0005482) INOPIAE 2015-11-03 20:36
I tested with a newly created server certificate from the test server, which I imported via mmc into the Windows truststore. With Chrome I was able to connect to cats1, but this error message is shown:
Your certificate does not contain an Email field, you are probably using a server certificate. Server certificates cannot be used to log in to CATS since they do not identify a person.
=> ok
With a client certificate the login worked perfectly. => ok
=> ok
(0005483) MartinGummi 2015-11-03 21:38
Using Ted's openssl commands:
- Create key and CSR
- Created certificate with testserver
- Created importable PKCS12 file
- Import to Iceweasel 41.0.2
- Open Iceweasel 41.0.2 for https://cats1.it-sls.de:14843
- When asked by Iceweasel, select the imported certificate ("Test Certificate for CAcert bug-1149") for authentication
- Click "Login"

==> Shows error: Your certificate does not contain an Email field, you are probably using a server certificate. Server certificates cannot be used to log in to CATS since they do not identify a person. => OK
With a client certificate with email address, login worked perfectly. => OK
OK
(0005484) StefanT 2015-11-04 20:49
- Using user paul.panter@pink.org at testsystem
- Created server certificate for www.looney.org
- Imported certificate into user certificate store
- Started EDGE
- Start https://cats1.it-sls.de:14843/
- Site was displayed => OK
=> Only client certificates were listed for auth selection. => OK
Login with client certificate was possible without errors => OK
(0005485) StefanT 2015-11-04 20:54
- Using user paul.panter@pink.org at testsystem
- Created server certificate for www.looney.org
- Started Firefox
- Imported certificate into Firefox 42
- Start https://cats1.it-sls.de:14843/
- Site was displayed => OK
=> Your certificate does not contain an Email field, you are probably using a server certificate. Server certificates cannot be used to log in to CATS since they do not identify a person. => OK
Login with client certificate was possible without errors => OK
Date Modified | Username | Field | Change |
---|---|---|---|
2013-03-03 22:15 | Ted | New Issue | |
2013-03-03 22:15 | Ted | Assigned To | => Ted |
2013-03-03 22:19 | Ted | Note Added: 0003786 | |
2013-03-03 22:19 | Ted | Status | new => needs work |
2013-03-03 22:19 | Ted | Note Edited: 0003786 | |
2013-03-03 22:20 | Ted | Description Updated | |
2013-03-03 23:30 | Ted | Note Added: 0003787 | |
2013-03-03 23:31 | Ted | Status | needs work => fix available |
2013-04-06 21:48 | Ted | Relationship added | related to 0001107 |
2015-10-18 14:30 | Ted | Note Added: 0005473 | |
2015-10-18 14:30 | Ted | Status | fix available => needs review & testing |
2015-11-01 15:21 | Ted | Note Added: 0005480 | |
2015-11-01 15:22 | Ted | File Added: test.p12 | |
2015-11-01 15:35 | Ted | Note Added: 0005481 | |
2015-11-03 20:36 | INOPIAE | Note Added: 0005482 | |
2015-11-03 21:38 | MartinGummi | Note Added: 0005483 | |
2015-11-03 21:40 | MartinGummi | Status | needs review & testing => needs review |
2015-11-04 20:49 | StefanT | Note Added: 0005484 | |
2015-11-04 20:54 | StefanT | Note Added: 0005485 | |