View Issue Details

ID: 0001149
Project: CATS.cacert.org
Category: User Interface
View Status: public
Last Update: 2015-11-04 20:54
Reporter: Ted
Assigned To: Ted
Priority: normal
Severity: minor
Reproducibility: always
Status: needs review
Resolution: open
Summary: 0001149: CATS accepts server certificates for login
Description: If someone imports a server certificate into the browser it is possible to use this certificate to log in to CATS.

Though this is not a real bad problem it leads to problems when uploading the results to the main CAcert database. Since the import interface (cats_import.php) only checks the table for client certificates (EMAILCERTS) it cannot find server certificates and therefore reports an error.

From the logic behind the system CATS expects a certificate to identify a person, not a server, so the most consistent way to fix this bug is to refuse login for server certificates.
Tags: No tags attached.

Relationships

related to 0001107 (new): CACert CATS Manual has only one page, which is mostly empty

Activities

Ted

2013-03-03 22:19

administrator   ~0003786

Last edited: 2013-03-03 22:19

A certificate is defined as a client certificate if it contains an "Email" field in the CN.

AFAIK all CAcert client certificates either include one of the verified email addresses or the "Single Sign On ID Information" in the Email field.

Ted

2013-03-03 23:30

administrator   ~0003787

Created branch bug-1149 on https://github.com/CAcertOrg/cats.git

Ted

2015-10-18 14:30

administrator   ~0005473

Merged the branch into testserver branch

Ted

2015-11-01 15:21

administrator   ~0005480

Tested with this procedure:

- Create key and CSR with: openssl req -newkey rsa:2048 -keyout test.key -subj "/CN=dummy.convey-ag.de" -out test.csr
- Created certificate with testserver, stored into test.crt
- Created importable PKCS12 file with: openssl pkcs12 -export -out test.p12 -inkey test.key -in test.crt -name "Test Certificate for CAcert bug-1149"

- Firefox 41.0.2 refused to import the certificate with an unspecific error message

- Importing into Windows Certificate Storage:
  - open MMC.EXE and add plugin "Certificates" for current user
  - Go to "Own Certificates" and use right click -> All Tasks... -> Import
  - Import the test.p12 file
  - "dummy.convey-ag.de" certificate shows in "Own Certificates -> Certificates"
- Open Internet Explorer for https://cats1.it-sls.de:14843
- When asked by Internet Explorer, select the imported certificate ("Test Certificate for CAcert bug-1149") for authentication
- Click "Login"

==> Error message is shown:

Your certificate does not contain an Email field, you are probably using a server certificate.
Server certificates cannot be used to log in to CATS since they do not identify a person.

==> Correct behaviour for this kind of certificates.

Please test also with your own browser. I added the test.p12 file (password for import is "test"), just in case you don't have the time to create your own certificate...
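The login rule from note 0003786 and the openssl steps of the test procedure above, combined into one added shell example (not CATS code): it self-signs the test certificates instead of having the CAcert test server issue them, the client subjects (/CN=Paul Panter/emailAddress=...) are constructed, and openssl is assumed to be in PATH.

```shell
#!/bin/sh
# Added example, not CATS code: reproduces the bug-1149 login rule ("a certificate
# is a client certificate only if its subject carries an Email field") against
# certificates built with the same openssl steps as the test procedure.
# Assumptions: openssl is in PATH; the certificates are self-signed here instead
# of being issued by the CAcert test server; the client subjects are constructed.
set -e

WORK=$(mktemp -d)

# $1 = basename, $2 = subject. Mirrors "openssl req -newkey rsa:2048 -keyout ... -subj ..."
# from the issue, but with -x509 so no separate signing step is needed.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -subj "$2" -out "$WORK/$1.crt" 2>/dev/null
}

# $1 = PEM certificate. Returns 0 (login accepted) when the subject has at least one
# emailAddress attribute, 1 with the issue's rejection text otherwise.
cats_login_check() {
  # sep_multiline prints one "    type=value" line per subject attribute, so a
  # certificate with several emails yields several emailAddress lines.
  emails=$(openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 \
           | awk -F= '$1 ~ /^ *emailAddress$/ { print $2 }')
  if [ -z "$emails" ]; then
    echo "Your certificate does not contain an Email field, you are probably using a server certificate."
    echo "Server certificates cannot be used to log in to CATS since they do not identify a person."
    return 1
  fi
  # Unquoted $emails: word splitting joins multiple addresses with single spaces.
  echo "Login accepted for:" $emails
}

# Server certificate with the subject from the issue's CSR command.
make_cert server "/CN=dummy.convey-ag.de"
# Constructed client certificates: one email, and two emails (the "multiple emails" case).
make_cert client "/CN=Paul Panter/emailAddress=paul.panter@pink.org"
make_cert multi  "/CN=Paul Panter/emailAddress=paul.panter@pink.org/emailAddress=paul@example.org"

cats_login_check "$WORK/server.crt" || echo "(rejected, as bug-1149 requires)"
cats_login_check "$WORK/client.crt"
cats_login_check "$WORK/multi.crt"
```

The same check can be pointed at any PEM file exported from a browser or MMC to predict whether CATS will accept it before uploading test results.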

Ted

2015-11-01 15:22

administrator  

test.p12 (3,070 bytes)

Ted

2015-11-01 15:35

administrator   ~0005481

Login works with my "usual" client certificate. Additional tests needed for other types of allowed certificates:

- "Anonymous" certificates
- Certificates with only Single Sign On ID
- Certificate with multiple emails

INOPIAE

2015-11-03 20:36

updater   ~0005482

I tested with a newly created server certificate from the test server which I imported via mmc to the windows truststore.
With Chrome I was able to connect to the cats1 but this error message is shown:
Your certificate does not contain an Email field, you are probably using a server certificate.
Server certificates cannot be used to log in to CATS since they do not identify a person.
=> ok
With a client certificate the login worked perfectly.
=>ok

=>ok

MartinGummi

2015-11-03 21:38

updater   ~0005483

Using Ted's openssl commands

- Create key and CSR
- Created certificate with testserver
- Created importable PKCS12 file
- Import to Iceweasel 41.0.2
- Open Iceweasel 41.0.2 for https://cats1.it-sls.de:14843
- When asked by Iceweasel, select the imported certificate ("Test Certificate for CAcert bug-1149") for authentication
- Click "Login"

==>Show Error
Your certificate does not contain an Email field, you are probably using a server certificate.
Server certificates cannot be used to log in to CATS since they do not identify a person.

=>OK
With a client certificate with email Address, login worked perfectly.
=>OK

OK

StefanT

2015-11-04 20:49

updater   ~0005484

- Using user paul.panter@pink.org at testsystem
- Created Server certificate for www.looney.org
- Imported certificate into user-certificate-store
- Started EDGE
- Start https://cats1.it-sls.de:14843/
- Site was displayed => OK

=> There were only client certificates listed for auth-selection. => OK

Login with client certificate was possible without errors => OK

StefanT

2015-11-04 20:54

updater   ~0005485

- Using user paul.panter@pink.org at testsystem
- Created Server certificate for www.looney.org
- Started Firefox
- Imported certificate into firefox 42
- Start https://cats1.it-sls.de:14843/
- Site was displayed => OK

=> Your certificate does not contain an Email field, you are probably using a server certificate.
Server certificates cannot be used to log in to CATS since they do not identify a person. => OK

Login with client certificate was possible without errors => OK

Issue History

Date Modified Username Field Change
2013-03-03 22:15 Ted New Issue
2013-03-03 22:15 Ted Assigned To => Ted
2013-03-03 22:19 Ted Note Added: 0003786
2013-03-03 22:19 Ted Status new => needs work
2013-03-03 22:19 Ted Note Edited: 0003786
2013-03-03 22:20 Ted Description Updated
2013-03-03 23:30 Ted Note Added: 0003787
2013-03-03 23:31 Ted Status needs work => fix available
2013-04-06 21:48 Ted Relationship added related to 0001107
2015-10-18 14:30 Ted Note Added: 0005473
2015-10-18 14:30 Ted Status fix available => needs review & testing
2015-11-01 15:21 Ted Note Added: 0005480
2015-11-01 15:22 Ted File Added: test.p12
2015-11-01 15:35 Ted Note Added: 0005481
2015-11-03 20:36 INOPIAE Note Added: 0005482
2015-11-03 21:38 MartinGummi Note Added: 0005483
2015-11-03 21:40 MartinGummi Status needs review & testing => needs review
2015-11-04 20:49 StefanT Note Added: 0005484
2015-11-04 20:54 StefanT Note Added: 0005485