View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000841 | Main CAcert Website | public | 2010-08-17 18:37 | 2013-01-15 14:42 | |
Reporter | jselzer | Assigned To | NEOatNHNG | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | fixed | ||
Fixed in Version | 2011 Q3 | ||||
Summary | 0000841: Problems on cert login with "duplicate" serial numbers (WAS: Cannot create client certificate at https://cacert1.it-sls.de/) | ||||
Description | 1) Choose "Client Certificate" -> "New" 2) Activate checkbox for my email address 3) Click "Next" 4) Choose any Keysize (fails for both) and click "create certificate request". "Key generation in progress" window opens. "The challenge-response code of your certificate request did not match. Can't continue with certificaterequest." message. | ||||
Additional Information | Application: Firefox 3.6.8 (20100722155716) Operating System: WINNT (x86-msvc) - Adblock Plus 1.2.1 - Add Bookmark Here ² 3.6.20100801 - BetterPrivacy 1.48.3 - Bookmark Duplicate Detector 0.7.5 (Disabled, Incompatible) - CookieSafe 3.0.5 - DownloadHelper 4.8 - DownThemAll! 1.1.10 - Echofon 1.9.6.4 - Extension List Dumper 1.14.8 - FEBE 6.3.3.2 - FireGPG 0.8 - FoxyProxy Standard 2.21.3 - Google Analytics Opt-out Browser Add-on 0.9.1 - HttpFox 0.8.7 - Java Console 6.0.14 - Java Console 6.0.13 - Java Console 6.0.07 - Java Quick Starter 1.0 - Microsoft .NET Framework Assistant 0.0.0 - Modify Headers 0.6.6 - NoScript 2.0.1 - Open As Webfolder 0.25 - Password Exporter 1.2 - PC Sync 2 Synchronisation Extension 1.0.0.685 (Disabled, Incompatible) - Perspectives 3.0.3 - SSL Blacklist 4.0.32 - SSL Blacklist Local Database 1.0.8 - User Agent Switcher 0.7.2 - WebMail Notifier 2.5.4 - Xmarks 3.8.7 - Zotero 2.0.3 Cookies and Javascript are allowed for test domain. | ||||
Tags | No tags attached. | ||||
Reviewed by | NEOatNHNG | ||||
Test Instructions | |||||
duplicate of | 0000835 | closed | Ted | test.cacert.org | Assurer challenge and ssl certificat |
related to | 0000717 | closed | Uli60 | Main CAcert Website | Certificate login does not work for certificates signed by the class 3 root |
related to | 0000214 | closed | Sourcerer | Main CAcert Website | Uniqueness of public keys accross different users |
|
see bug https://bugs.cacert.org/view.php?id=835 |
|
2011-03-30, 2011-03-31: Signer deployment onto testserver connection has been finished. First test creating certs, using cert for cert login works. Notification to test the certs bugs sent to the Software-Testers team. |
|
Client Certificate creation works for me (Firefox 4.0 on Mac). Installation of certificate in firefox and Login to secure1.it-sls.de works too. No error messages. |
|
It works with Firefox 3.6 on Win 7 64:
- Create certificate class 1 ok
- Create certificate class 3 ok
- login class 1 ok
- login class 3 ok

Chrome 10.0 on Win 7 64:
- Create certificate does not work
- Import certificate from Firefox: Login fails, error: Es kann keine sichere Verbindung zum Server hergestellt werden. Möglicherweise liegt ein Problem mit dem Server vor oder es ist ein Client-Authentifizierungszertifikat erforderlich, das Sie nicht haben. Fehler 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL-Protokollfehler

Mail points to cacert.org: You can collect your certificate for XXXXX@xxx.xx by going to the following location: https://www.cacert.org/account.php?id=6&cert=YYYYYY |
|
Client cert login opens another user account !!!! Client cert on admin user for u60 opens account: Agent Smith. That's wrong: an account I've never created.

Affected client cert: Ulrich Schroeter, serno 10:0C, Class3, 1.5.2011 - 30.4.2013, E = ulrich@cacert.org, CN = Ulrich Schroeter, linked to account with email: win-test@nhng.de |
|
Well, as usual there is a quite rational solution to that issue:

```
$ select * from emailcerts where serial = "100c"\G
*************************** 1. row ***************************
    id: 258766
 memid: 171114
serial: 100C
...
*************************** 2. row ***************************
    id: 258784
 memid: 170914
serial: 100C
...
```

So the real question is, why the system issued double serial numbers for certs. Welllll, one is for rootcert1 (1st) and one for rootcert2 (2nd). Possibly a bug that hits the productional system as well? Anyone who has the time to review the crt login auth code? |
|
Meep Meep Meep... www/index.php: 149ff:

```php
if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
{
    $query = "select * from `emailcerts` where `serial`='$_SERVER[SSL_CLIENT_M_SERIAL]' and `revoked`=0 and disablelogin=0 and UNIX_TIMESTAMP(`expire`) - UNIX_TIMESTAMP() > 0";
    $res = mysql_query($query);
```

The rootcert field of the emailcerts table is never checked at all. I'd suggest that we take the serial number of the signer of the crt that was used to log in and from that serial "guess" if we use the rootcert = 1 or rootcert = 2 namespace. |
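The lookup collision described in the two notes above, as an added illustration (not CAcert's code): a serial-only lookup against a constructed `emailcerts` sample returns whichever row the database yields first, while keying on (rootcert, serial) returns the cert's real owner. The column names, the issuer-DN-to-rootcert mapping and the Class 1 issuer DN are assumptions; the Class 3 DN and the row ids/memids are taken from this ticket.

```python
import sqlite3

# Constructed sample of the emailcerts table: serial 100C issued once under
# rootcert 1 (Class 1) and once under rootcert 2 (Class 3), as in the mysql
# output quoted in this ticket. Columns are an assumption about the schema.
ROWS = [
    (258766, 171114, "100C", 1, 0, 0),
    (258784, 170914, "100C", 2, 0, 0),
    (258800, 170914, "105E", 1, 0, 0),
]

# Assumed mapping from the issuer DN seen at TLS login to the rootcert id.
# The Class 3 DN is the one quoted in the ticket; the Class 1 DN is constructed.
ISSUER_TO_ROOT = {
    "CN=CAcert Testserver Class 1,OU=http://cacert1.it-sls.de,O=CAcert Testsever": 1,
    "CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever": 2,
}

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("create table emailcerts (id integer, memid integer, serial text,"
               " rootcert integer, revoked integer, disablelogin integer)")
    db.executemany("insert into emailcerts values (?,?,?,?,?,?)", ROWS)
    return db

def normalize_serial(serial):
    # mod_ssl presents SSL_CLIENT_M_SERIAL as e.g. '10:0C'; the table stores '100C'.
    return serial.replace(":", "").upper()

def lookup_by_serial_only(db, env):
    # Pre-fix behaviour: serial only, rootcert ignored, so for a duplicated
    # serial the first row the table scan returns wins. Bound parameters are
    # used here instead of interpolating the environment value into the SQL.
    row = db.execute("select memid from emailcerts where serial=? and revoked=0"
                     " and disablelogin=0",
                     (normalize_serial(env["SSL_CLIENT_M_SERIAL"]),)).fetchone()
    return row[0] if row else None

def lookup_by_root_and_serial(db, env):
    # Fixed behaviour: derive the issuing root from the issuer DN and key the
    # lookup on (rootcert, serial). An issuer we do not know yields no login.
    root = ISSUER_TO_ROOT.get(env.get("SSL_CLIENT_I_DN"))
    if root is None:
        return None
    row = db.execute("select memid from emailcerts where serial=? and rootcert=?"
                     " and revoked=0 and disablelogin=0",
                     (normalize_serial(env["SSL_CLIENT_M_SERIAL"]), root)).fetchone()
    return row[0] if row else None
```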
|
Problem relates to certs serial to account mapping. Search term: "serial"
- /includes/loggedin.php: to fix, l.44 ff
- /pages/help/7.php: text only
- /scripts/DumpWeakCerts.pl: not affected
- /scripts/mail-weak-keys.php: not affected
- /scripts/scanforexponents.php: not affected
- /www/api/edu.php: not affected
- /www/cats/cats_import.php: not affected
- /www/index.php: to fix, l.153 ff
- /www/policy/CertificationPracticeStatement.php: text only

Affected scripts: /includes/loggedin.php, /www/index.php |
|
Fixes in: /includes/loggedin.php, /includes/general_func1.php, /www/index.php |
|
Class 1 Client Certificate NN with cert login, 3072 Bits:
- Creation works for me (Opera 11.11 on Linux)
- Installation of certificate in Opera works too, no error messages

Class 3 Client Certificate with name, no login, 2048 Bits:
- Creation works for me (Opera 11.11 on Linux)
- Installation of certificate in Opera works too, no error messages |
|
Reviewed and applied fix from Uli60 to the test server (with some changes). Needs testing and a second review. |
|
Retesting affected client cert: Ulrich Schroeter, serno 10:0C, Class3, 1.5.2011 - 30.4.2013, E = ulrich@cacert.org, CN = Ulrich Schroeter (see https://bugs.cacert.org/view.php?id=841#c1956). Now links to account with email ulrich@cacert.org, so this fix works for this account. |
|
Prepared client certs serno for start testing:
- last Class1 (testRoot) serno on testserver: 10:59
- last Class3 (testSubRoot) serno on testserver: 10:58

More infos before start testing: read https://wiki.cacert.org/Software/CurrentTest/bug841 |
|
I tested with new certificates 10:5E and 10:5F on different accounts with class1 and class3. They always showed the expected data. I also tested an old certificate that went wrong before, class 3 10:01, that showed wrong data. Now the right data is given. |
|
Tests with client certs that went wrong before the bugfix was added revealed no more problems. Verified by 2 testers. |
|
Still needs second review |
|
Reviewed b5ee07271aea9e0722a7ed58e52f80b495d190d0 versus 00675c949494888ac5f3cd802de41bf6f2caf45b. Only cosmetic things:
- Select only those columns you need instead of generally doing a "select * from". It's better for performance (a little bit) and gives an error if you have a typo in the column name.
- The function rootcertid could have been avoided by doing a join in the select request.

Nevertheless the changes are acceptable. |
|
NEO added patch: outsourced complete SQL query. |
|
Seriennummer: 10:0C, Gültig von 01.05.2011 20:15:49 an 30.04.2013 20:15:49, Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever

Warning! You've attempted to log into the system with a client certificate, but the login failed due to the certificate being expired, revoked, disabled for certificate login, or simply not valid for this site. You can login using your Email/Pass Phrase to get a new certificate, by clicking on 'Normal Login' to the right of your screen.

Key serial: 100C results in user-id -> id: 258784, but this is key-id, needs additional mapping to user-id, that is -> memid: 170914 |
|
NEO new patch added |
|
Seriennummer: 10:0C, Gültig von 01.05.2011 20:15:49 an 30.04.2013 20:15:49, Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever now maps to correct user account with cert-id cert=258784 |
|
I have extracted the whole SQL query into a library function please review and test again. |
|
Seriennummer: 10:0C, Gültig von 01.05.2011 20:15:49 an 30.04.2013 20:15:49, Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever still maps to correct user account with cert-id cert=258784 |
|
Login with serial number 10:5E: Class1 Certificate goes to correct user, Class2 Certificate goes to correct user. Seems to be ok. |
|
Patch seems to be correct, should be installed on productive system. |
|
Mail sent to critical admins |
|
Patch applied to production system on September 7, 2011. See also: https://lists.cacert.org/wws/arc/cacert-systemlog/2011-09/msg00005.html |
|
More than 3 months fixed and no complaints. |
Date Modified | Username | Field | Change |
---|---|---|---|
2010-08-17 18:37 | jselzer | New Issue | |
2010-08-17 21:34 | Uli60 | Relationship added | duplicate of 0000835 |
2010-08-17 22:04 | Uli60 | Note Added: 0001655 | |
2010-08-17 22:04 | Uli60 | Assigned To | => Andreas Baess |
2010-08-17 22:04 | Uli60 | Status | new => confirmed |
2011-03-31 00:08 | Uli60 | Note Added: 0001896 | |
2011-03-31 00:32 | Uli60 | Note Edited: 0001896 | |
2011-03-31 15:27 | Sebastian | Note Added: 0001897 | |
2011-03-31 21:36 | INOPIAE | Note Added: 0001898 | |
2011-03-31 21:37 | INOPIAE | Note Edited: 0001898 | |
2011-05-11 14:54 | Uli60 | Note Added: 0001956 | |
2011-05-11 15:01 | Uli60 | Note Edited: 0001956 | |
2011-05-12 15:06 | edgarwahn | Note Added: 0001958 | |
2011-05-12 15:24 | edgarwahn | Note Added: 0001959 | |
2011-05-20 14:21 | Uli60 | Note Added: 0001968 | |
2011-05-20 14:29 | Uli60 | File Added: loggedin.php | |
2011-05-20 14:30 | Uli60 | File Added: general_func1.php | |
2011-05-20 14:30 | Uli60 | File Added: index.php | |
2011-05-20 14:33 | Uli60 | Note Added: 0001969 | |
2011-05-24 22:21 | alex | Note Added: 0001997 | |
2011-06-14 11:22 | NEOatNHNG | Category | => cacert1.it-sls.de |
2011-06-14 22:00 | NEOatNHNG | Assigned To | Andreas Baess => Uli60 |
2011-06-14 22:00 | NEOatNHNG | Status | confirmed => needs review & testing |
2011-07-02 01:07 | NEOatNHNG | Status | needs review & testing => fix available |
2011-07-05 23:10 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 98220b07 |
2011-07-05 23:10 | NEOatNHNG | Source_changeset_attached | => cacert-devel master b5ee0727 |
2011-07-05 23:10 | NEOatNHNG | Note Added: 0002092 | |
2011-07-05 23:10 | NEOatNHNG | Status | fix available => needs review & testing |
2011-07-05 23:11 | NEOatNHNG | Project | test.cacert.org => Main CAcert Website |
2011-07-05 23:11 | NEOatNHNG | Category | cacert1.it-sls.de => General |
2011-07-05 23:15 | NEOatNHNG | Reviewed by | => NEOatNHNG |
2011-07-05 23:15 | NEOatNHNG | Category | General => |
2011-07-05 23:15 | NEOatNHNG | Summary | Cannot create client certificate at https://cacert1.it-sls.de/account.php?id=3 => Problems on cert login with "duplicate" serial numbers (WAS: Cannot create client certificate at https://cacert1.it-sls.de/) |
2011-07-06 02:22 | Uli60 | Note Added: 0002093 | |
2011-07-06 20:23 | Uli60 | Note Added: 0002094 | |
2011-07-06 20:25 | Uli60 | Note Edited: 0002094 | |
2011-07-12 20:37 | INOPIAE | Note Added: 0002113 | |
2011-07-12 21:48 | INOPIAE | Note Edited: 0002113 | |
2011-07-13 01:41 | Uli60 | Note Added: 0002125 | |
2011-07-13 01:41 | Uli60 | Status | needs review & testing => ready to deploy |
2011-07-16 13:02 | NEOatNHNG | Note Added: 0002143 | |
2011-07-16 13:02 | NEOatNHNG | Status | ready to deploy => needs review |
2011-07-24 22:00 | Ted | Note Added: 0002195 | |
2011-07-24 22:00 | Ted | Reviewed by | NEOatNHNG => Ted, NEOatNHNG |
2011-07-24 22:00 | Ted | Assigned To | Uli60 => |
2011-07-24 22:00 | Ted | Status | needs review => ready to deploy |
2011-07-26 23:05 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 60e1f760 |
2011-07-26 23:05 | NEOatNHNG | Source_changeset_attached | => cacert-devel master b2c1b55f |
2011-07-26 23:15 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 8a841f98 |
2011-07-26 23:15 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 0b3c7a86 |
2011-07-26 23:21 | Uli60 | Note Added: 0002205 | |
2011-07-26 23:22 | Uli60 | Note Added: 0002206 | |
2011-07-26 23:25 | Uli60 | Note Edited: 0002206 | |
2011-07-26 23:27 | Uli60 | Note Added: 0002207 | |
2011-07-26 23:29 | Uli60 | Note Added: 0002208 | |
2011-07-26 23:30 | NEOatNHNG | Source_changeset_attached | => cacert-devel master cebef2ca |
2011-07-26 23:30 | NEOatNHNG | Source_changeset_attached | => cacert-devel master 6887dac1 |
2011-07-26 23:31 | NEOatNHNG | Note Added: 0002209 | |
2011-07-26 23:31 | NEOatNHNG | Assigned To | => NEOatNHNG |
2011-07-26 23:31 | NEOatNHNG | Status | ready to deploy => needs review & testing |
2011-07-26 23:31 | NEOatNHNG | Reviewed by | Ted, NEOatNHNG => NEOatNHNG |
2011-08-01 12:47 | Uli60 | Note Added: 0002231 | |
2011-08-02 21:21 | INOPIAE | Note Added: 0002252 | |
2011-08-02 21:48 | Ted | Assigned To | NEOatNHNG => Ted |
2011-08-02 21:48 | Ted | Status | needs review & testing => needs review |
2011-08-30 22:31 | egal | Note Added: 0002370 | |
2011-08-30 23:49 | Uli60 | Assigned To | Ted => NEOatNHNG |
2011-08-30 23:49 | Uli60 | Status | needs review => ready to deploy |
2011-09-06 15:45 | NEOatNHNG | Source_changeset_attached | => cacert-devel release 12e0f503 |
2011-09-06 15:54 | NEOatNHNG | Note Added: 0002409 | |
2011-09-07 10:41 | wytze | Note Added: 0002420 | |
2011-09-07 10:41 | wytze | Status | ready to deploy => solved? |
2011-09-07 10:41 | wytze | Resolution | open => fixed |
2011-09-17 20:30 | Uli60 | Relationship added | related to 0000717 |
2012-12-20 08:02 | Werner Dworak | Relationship added | related to 0000089 |
2012-12-20 08:03 | Werner Dworak | Relationship deleted | related to 0000089 |
2012-12-20 18:53 | Werner Dworak | Relationship added | related to 0000214 |
2012-12-21 04:58 | Werner Dworak | Note Added: 0003506 | |
2012-12-21 04:58 | Werner Dworak | Status | solved? => closed |
2013-01-15 14:42 | Werner Dworak | Fixed in Version | => 2011 Q3 |