View Issue Details

ID: 0000841
Project: Main CAcert Website
Category:
View Status: public
Last Update: 2013-01-15 14:42
Reporter: jselzer
Assigned To: NEOatNHNG
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 2011 Q3
Summary: 0000841: Problems on cert login with "duplicate" serial numbers (WAS: Cannot create client certificate at https://cacert1.it-sls.de/)
Description
1) Choose "Client Certificate" -> "New"
2) Activate checkbox for my email address
3) Click "Next"
4) Choose any Keysize (fails for both) and click "create certificate request"
"Key generation in progress" window opens.
"The challenge-response code of your certificate request did not match. Can't continue with certificaterequest." message.
Additional Information
Application: Firefox 3.6.8 (20100722155716)
Operating System: WINNT (x86-msvc)

- Adblock Plus 1.2.1
- Add Bookmark Here ² 3.6.20100801
- BetterPrivacy 1.48.3
- Bookmark Duplicate Detector 0.7.5
    (Disabled, Incompatible)
- CookieSafe 3.0.5
- DownloadHelper 4.8
- DownThemAll! 1.1.10
- Echofon 1.9.6.4
- Extension List Dumper 1.14.8
- FEBE 6.3.3.2
- FireGPG 0.8
- FoxyProxy Standard 2.21.3
- Google Analytics Opt-out Browser Add-on 0.9.1
- HttpFox 0.8.7
- Java Console 6.0.14
- Java Console 6.0.13
- Java Console 6.0.07
- Java Quick Starter 1.0
- Microsoft .NET Framework Assistant 0.0.0
- Modify Headers 0.6.6
- NoScript 2.0.1
- Open As Webfolder 0.25
- Password Exporter 1.2
- PC Sync 2 Synchronisation Extension 1.0.0.685
    (Disabled, Incompatible)
- Perspectives 3.0.3
- SSL Blacklist 4.0.32
- SSL Blacklist Local Database 1.0.8
- User Agent Switcher 0.7.2
- WebMail Notifier 2.5.4
- Xmarks 3.8.7
- Zotero 2.0.3

Cookies and Javascript are allowed for test domain.
Tags: No tags attached.
Reviewed by: NEOatNHNG
Test Instructions

Relationships

duplicate of 0000835 (closed, Ted): test.cacert.org: Assurer challenge and ssl certificat
related to 0000717 (closed, Uli60): Main CAcert Website: Certificate login does not work for certificates signed by the class 3 root
related to 0000214 (closed, Sourcerer): Main CAcert Website: Uniqueness of public keys across different users

Activities

Uli60

2010-08-17 22:04

updater   ~0001655

see bug https://bugs.cacert.org/view.php?id=835

Uli60

2011-03-31 00:08

updater   ~0001896

Last edited: 2011-03-31 00:32

2011-03-30, 2011-03-31
Signer deployment onto testserver connection has been finished
first test creating certs, using cert for cert login works

Notification to test the certs bugs
sent to the Software-Testers team

Sebastian

2011-03-31 15:27

reporter   ~0001897

Client Certificate creation works for me (Firefox 4.0 on Mac).
Installation of certificate in firefox and Login to secure1.it-sls.de works too. No error messages.

INOPIAE

2011-03-31 21:36

updater   ~0001898

Last edited: 2011-03-31 21:37

It works with Firefox 3.6 on Win 7 64
Create certificate class 1 ok
Create certificate class 3 ok
login class 1 ok
login class 3 ok
Chrome 10.0 on Win 7 64
Create certificate does not work
Import certificate from firefox
Login fails error:
Es kann keine sichere Verbindung zum Server hergestellt werden. Möglicherweise liegt ein Problem mit dem Server vor oder es ist ein Client-Authentifizierungszertifikat erforderlich, das Sie nicht haben.
Fehler 107 (net::ERR_SSL_PROTOCOL_ERROR): SSL-Protokollfehler

Mail points to cacert.org
You can collect your certificate for XXXXX@xxx.xx by going to the following location:

https://www.cacert.org/account.php?id=6&cert=YYYYYY

Uli60

2011-05-11 14:54

updater   ~0001956

Last edited: 2011-05-11 15:01

client cert login
opens another user account !!!!
client cert on admin user for u60
opens account: Agent Smith
that's wrong
An account I've never created

affected client cert:
Ulrich Schroeter
serno 10:0C
Class3
1.5.2011 - 30.4.2013
E = ulrich@cacert.org
CN = Ulrich Schroeter

linked to account with email: win-test@nhng.de

edgarwahn

2011-05-12 15:06

developer   ~0001958

Well, as usual there is a quite rational solution to that issue:

$ select * from emailcerts where serial = "100c"\G

*************************** 1. row ***************************
          id: 258766
       memid: 171114
      serial: 100C
...
*************************** 2. row ***************************
          id: 258784
       memid: 170914
      serial: 100C
...

So the real question is, why the system issued double serial numbers for certs.

Welllll, one is for rootcert1 (1st) and one for rootcert2 (2nd). Possibly a bug that hits the productional system as well? Anyone who has the time to review the crt login auth code?

edgarwahn

2011-05-12 15:24

developer   ~0001959

Meep Meep Meep...

www/index.php: 149ff:

        if($id == 4 && $_SERVER['HTTP_HOST'] == $_SESSION['_config']['securehostname'])
        {
                $query = "select * from `emailcerts` where `serial`='$_SERVER[SSL_CLIENT_M_SERIAL]' and `revoked`=0 and disablelogin=0 and
                                UNIX_TIMESTAMP(`expire`) - UNIX_TIMESTAMP() > 0";
                $res = mysql_query($query);

The rootcert field of the emailcerts table is never checked at all. I'd suggest that we take the serial number of the signer of the crt that was used to log in and from that serial "guess" if we use the rootcert = 1 or rootcert = 2 namespace.

Uli60

2011-05-20 14:21

updater   ~0001968

problem relates to certs serial to account mapping

search term: "serial"

/includes/loggedin.php
  to fix
  l.44 ff
/pages/help/7.php
  text only
/scripts/DumpWeakCerts.pl
  not affected
/scripts/mail-weak-keys.php
  not affected
/scripts/scanforexponents.php
  not affected
/www/api/edu.php
  not affected
/www/cats/cats_import.php
  not affected
/www/index.php
  to fix
  l.153 ff
/www/policy/CertificationPracticeStatement.php
  text only


affected scripts:
/includes/loggedin.php
/www/index.php

Attached files:
2011-05-20 14:29  loggedin.php (5,948 bytes)
2011-05-20 14:30  general_func1.php (1,146 bytes)
2011-05-20 14:30  index.php (28,861 bytes)

Uli60

2011-05-20 14:33

updater   ~0001969

fixes in:
/includes/loggedin.php
/includes/general_func1.php
/www/index.php

alex

2011-05-24 22:21

reporter   ~0001997

Class 1 Client Certificate NN with cert login 3072 Bits:
- Creation works for me (Opera 11.11 on Linux)
- Installation of certificate in Opera works too, no error messages

Class 3 Client Certificate with name, no login 2048 Bits:
- Creation works for me (Opera 11.11 on Linux)
- Installation of certificate in Opera works too, no error messages

NEOatNHNG

2011-07-05 23:10

administrator   ~0002092

Reviewed and applied fix from Uli60 to the test server (with some changes). Needs testing and a second review.

Uli60

2011-07-06 02:22

updater   ~0002093

retesting affected client cert:
Ulrich Schroeter
serno 10:0C
Class3
1.5.2011 - 30.4.2013
E = ulrich@cacert.org
CN = Ulrich Schroeter
see https://bugs.cacert.org/view.php?id=841#c1956
now links to account with email ulrich@cacert.org

so this fix works for this account

Uli60

2011-07-06 20:23

updater   ~0002094

Last edited: 2011-07-06 20:25

prepared client certs serno for start testing:
last Class1 (testRoot) serno on testserver: 10:59
last Class3 (testSubRoot) serno on testserver: 10:58
more infos before start testing read https://wiki.cacert.org/Software/CurrentTest/bug841

INOPIAE

2011-07-12 20:37

updater   ~0002113

Last edited: 2011-07-12 21:48

I tested with new certificates 10:5E and 10:5F on different accounts with class1 and class3. They always showed the expected data.

I also tested an old certificate that went wrong before, class 3 10:01, that showed wrong data. Now the right data is given.

Uli60

2011-07-13 01:41

updater   ~0002125

tests with client certs that went wrong before the bugfix was added
revealed no more problems, verified by 2 testers


NEOatNHNG

2011-07-16 13:02

administrator   ~0002143

Still needs second review

Ted

2011-07-24 22:00

administrator   ~0002195

Reviewed b5ee07271aea9e0722a7ed58e52f80b495d190d0 versus 00675c949494888ac5f3cd802de41bf6f2caf45b.

Only cosmetic things:
- Select only those columns you need instead of generally doing a "select * from". It's better for performance (a little bit) and gives an error if you have a typo in the column name.
- The function rootcertid could have been avoided by doing a join in the select request.

Nevertheless the changes are acceptable.
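Added example (Python with SQLite; not CAcert's code and not taken from the patch under review): it models the situation from note ~0001959, two emailcerts rows sharing serial 100C under different roots, so that a lookup keyed on the serial alone returns two candidates and a login can land in the wrong account. The corrected lookup keys on the issuer root and the serial, written as the explicit column list plus join that the review above asks for, and resolves to the account id (memid) rather than the certificate row id. The root_certs table, the Class 1 issuer DN, the sample rows and the expiry values are constructed for this example.

```python
"""Client-cert login lookup: serial-only (ambiguous) versus root+serial.

Added example, not CAcert's code. The emailcerts columns follow the ones
quoted in the bug; root_certs and the issuer DN values are assumptions."""
import sqlite3
import time

SECONDS_PER_DAY = 86400

# Issuer DNs. The Class 3 DN is the one quoted on the bug page; the Class 1
# DN is constructed for this example.
ISSUER_CLASS1 = "CN=CAcert Testserver Class 1,OU=http://cacert1.it-sls.de,O=CAcert Testsever"
ISSUER_CLASS3 = "CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever"


def sample_rows(now):
    """Constructed rows modelled on note ~0001958: serial 100C issued under
    rootcert 1 and again under rootcert 2, plus one revoked certificate."""
    return [
        # (id, memid, serial, rootcert, revoked, disablelogin, expire)
        (258766, 171114, "100C", 1, 0, 0, now + 365 * SECONDS_PER_DAY),
        (258784, 170914, "100C", 2, 0, 0, now + 365 * SECONDS_PER_DAY),
        (258790, 170914, "100D", 2, 1, 0, now + 365 * SECONDS_PER_DAY),
    ]


def make_db(now):
    """In-memory schema; the unique index states the invariant the bug
    violated: a serial is only unique within one issuing root."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table root_certs (id integer primary key, issuer_dn text not null unique);
        create table emailcerts (
            id integer primary key, memid integer not null, serial text not null,
            rootcert integer not null references root_certs(id),
            revoked integer not null default 0, disablelogin integer not null default 0,
            expire integer not null);
        create unique index emailcerts_root_serial on emailcerts(rootcert, serial);
    """)
    conn.executemany("insert into root_certs values (?, ?)",
                     [(1, ISSUER_CLASS1), (2, ISSUER_CLASS3)])
    conn.executemany("insert into emailcerts values (?, ?, ?, ?, ?, ?, ?)", sample_rows(now))
    return conn


def normalize_serial(serial):
    """'10:0C' (certificate viewer) and '100c' both become '100C', the form
    mod_ssl exposes in SSL_CLIENT_M_SERIAL."""
    return serial.replace(":", "").strip().upper()


def lookup_by_serial_only(conn, serial, now):
    """The lookup shape criticised in the bug: serial alone. Returns every
    (id, memid) that matches; once two roots have issued the same serial
    that is more than one row, and picking the first one is a guess."""
    return conn.execute(
        "select id, memid from emailcerts where serial = ? and revoked = 0 "
        "and disablelogin = 0 and expire > ? order by id",
        (normalize_serial(serial), now)).fetchall()


def lookup_by_root_and_serial(conn, issuer_dn, serial, now):
    """Unambiguous lookup: the issuer DN that arrives with the client
    certificate (mod_ssl: SSL_CLIENT_I_DN) selects the root via a join, then
    the serial within that root. Returns (cert_id, memid) or None."""
    row = conn.execute(
        "select c.id, c.memid from emailcerts c "
        "join root_certs r on r.id = c.rootcert "
        "where r.issuer_dn = ? and c.serial = ? and c.revoked = 0 "
        "and c.disablelogin = 0 and c.expire > ?",
        (issuer_dn, normalize_serial(serial), now)).fetchone()
    return tuple(row) if row else None


def memid_for_login(conn, issuer_dn, serial, now):
    """The session needs the account id (memid), not the certificate row id;
    note ~0002206 on the bug describes exactly that mix-up."""
    hit = lookup_by_root_and_serial(conn, issuer_dn, serial, now)
    return hit[1] if hit else None


if __name__ == "__main__":
    now = int(time.time())
    db = make_db(now)
    print("serial only:", lookup_by_serial_only(db, "10:0C", now))
    print("root+serial:", lookup_by_root_and_serial(db, ISSUER_CLASS3, "10:0C", now))
    print("memid:", memid_for_login(db, ISSUER_CLASS3, "10:0C", now))
```

Run stand-alone, the serial-only lookup lists both certificates with serial 100C, while the root-keyed lookup for the Class 3 issuer returns only row 258784 and therefore memid 170914, the outcome the later test notes on this bug report. The unique index on (rootcert, serial) is the cheap way to make the database itself reject a future collision inside one root.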

Uli60

2011-07-26 23:21

updater   ~0002205

NEO added patch
outsourced complete sql query

Uli60

2011-07-26 23:22

updater   ~0002206

Last edited: 2011-07-26 23:25

Seriennummer: 10:0C
Gültig von 01.05.2011 20:15:49 an 30.04.2013 20:15:49
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever

Warning! You've attempted to log into the system with a client certificate, but the login failed due to the certificate being expired, revoked, disabled for certificate login, or simply not valid for this site. You can login using your Email/Pass Phrase to get a new certificate, by clicking on 'Normal Login' to the right of your screen.

key serial: 100C
results in user-id -> id: 258784
but this is key-id, needs addtl. mapping to user-id,
that is -> memid: 170914

Uli60

2011-07-26 23:27

updater   ~0002207

NEO new patch added

Uli60

2011-07-26 23:29

updater   ~0002208

Seriennummer: 10:0C
Gültig von 01.05.2011 20:15:49 an 30.04.2013 20:15:49
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever

now maps to correct user account
with cert-id cert=258784

NEOatNHNG

2011-07-26 23:31

administrator   ~0002209

I have extracted the whole SQL query into a library function please review and test again.

Uli60

2011-08-01 12:47

updater   ~0002231

Seriennummer: 10:0C
Gültig von 01.05.2011 20:15:49 an 30.04.2013 20:15:49
Ausgestellt von: CN=CAcert Testserver Class 3,OU=http://cacert1.it-sls.de,O=CAcert Testsever

still continues to map to correct user account with cert-id cert=258784

INOPIAE

2011-08-02 21:21

updater   ~0002252

Login with serial number: 10:5E
Class1 Certificate goes to correct user
Class2 Certificate goes to correct user
seems to be ok

egal

2011-08-30 22:31

administrator   ~0002370

Patch seems to be correct, should be installed on productive system.

NEOatNHNG

2011-09-06 15:54

administrator   ~0002409

Mail sent to critical admins

wytze

2011-09-07 10:41

developer   ~0002420

Patch applied to production system on September 7, 2011. See also:
https://lists.cacert.org/wws/arc/cacert-systemlog/2011-09/msg00005.html

Werner Dworak

2012-12-21 04:58

updater   ~0003506

More than 3 months fixed and no complaints

Issue History

Date Modified Username Field Change
2010-08-17 18:37 jselzer New Issue
2010-08-17 21:34 Uli60 Relationship added duplicate of 0000835
2010-08-17 22:04 Uli60 Note Added: 0001655
2010-08-17 22:04 Uli60 Assigned To => Andreas Baess
2010-08-17 22:04 Uli60 Status new => confirmed
2011-03-31 00:08 Uli60 Note Added: 0001896
2011-03-31 00:32 Uli60 Note Edited: 0001896
2011-03-31 15:27 Sebastian Note Added: 0001897
2011-03-31 21:36 INOPIAE Note Added: 0001898
2011-03-31 21:37 INOPIAE Note Edited: 0001898
2011-05-11 14:54 Uli60 Note Added: 0001956
2011-05-11 15:01 Uli60 Note Edited: 0001956
2011-05-12 15:06 edgarwahn Note Added: 0001958
2011-05-12 15:24 edgarwahn Note Added: 0001959
2011-05-20 14:21 Uli60 Note Added: 0001968
2011-05-20 14:29 Uli60 File Added: loggedin.php
2011-05-20 14:30 Uli60 File Added: general_func1.php
2011-05-20 14:30 Uli60 File Added: index.php
2011-05-20 14:33 Uli60 Note Added: 0001969
2011-05-24 22:21 alex Note Added: 0001997
2011-06-14 11:22 NEOatNHNG Category => cacert1.it-sls.de
2011-06-14 22:00 NEOatNHNG Assigned To Andreas Baess => Uli60
2011-06-14 22:00 NEOatNHNG Status confirmed => needs review & testing
2011-07-02 01:07 NEOatNHNG Status needs review & testing => fix available
2011-07-05 23:10 NEOatNHNG Source_changeset_attached => cacert-devel master 98220b07
2011-07-05 23:10 NEOatNHNG Source_changeset_attached => cacert-devel master b5ee0727
2011-07-05 23:10 NEOatNHNG Note Added: 0002092
2011-07-05 23:10 NEOatNHNG Status fix available => needs review & testing
2011-07-05 23:11 NEOatNHNG Project test.cacert.org => Main CAcert Website
2011-07-05 23:11 NEOatNHNG Category cacert1.it-sls.de => General
2011-07-05 23:15 NEOatNHNG Reviewed by => NEOatNHNG
2011-07-05 23:15 NEOatNHNG Category General =>
2011-07-05 23:15 NEOatNHNG Summary Cannot create client certificate at https://cacert1.it-sls.de/account.php?id=3 => Problems on cert login with "duplicate" serial numbers (WAS: Cannot create client certificate at https://cacert1.it-sls.de/)
2011-07-06 02:22 Uli60 Note Added: 0002093
2011-07-06 20:23 Uli60 Note Added: 0002094
2011-07-06 20:25 Uli60 Note Edited: 0002094
2011-07-12 20:37 INOPIAE Note Added: 0002113
2011-07-12 21:48 INOPIAE Note Edited: 0002113
2011-07-13 01:41 Uli60 Note Added: 0002125
2011-07-13 01:41 Uli60 Status needs review & testing => ready to deploy
2011-07-16 13:02 NEOatNHNG Note Added: 0002143
2011-07-16 13:02 NEOatNHNG Status ready to deploy => needs review
2011-07-24 22:00 Ted Note Added: 0002195
2011-07-24 22:00 Ted Reviewed by NEOatNHNG => Ted, NEOatNHNG
2011-07-24 22:00 Ted Assigned To Uli60 =>
2011-07-24 22:00 Ted Status needs review => ready to deploy
2011-07-26 23:05 NEOatNHNG Source_changeset_attached => cacert-devel master 60e1f760
2011-07-26 23:05 NEOatNHNG Source_changeset_attached => cacert-devel master b2c1b55f
2011-07-26 23:15 NEOatNHNG Source_changeset_attached => cacert-devel master 8a841f98
2011-07-26 23:15 NEOatNHNG Source_changeset_attached => cacert-devel master 0b3c7a86
2011-07-26 23:21 Uli60 Note Added: 0002205
2011-07-26 23:22 Uli60 Note Added: 0002206
2011-07-26 23:25 Uli60 Note Edited: 0002206
2011-07-26 23:27 Uli60 Note Added: 0002207
2011-07-26 23:29 Uli60 Note Added: 0002208
2011-07-26 23:30 NEOatNHNG Source_changeset_attached => cacert-devel master cebef2ca
2011-07-26 23:30 NEOatNHNG Source_changeset_attached => cacert-devel master 6887dac1
2011-07-26 23:31 NEOatNHNG Note Added: 0002209
2011-07-26 23:31 NEOatNHNG Assigned To => NEOatNHNG
2011-07-26 23:31 NEOatNHNG Status ready to deploy => needs review & testing
2011-07-26 23:31 NEOatNHNG Reviewed by Ted, NEOatNHNG => NEOatNHNG
2011-08-01 12:47 Uli60 Note Added: 0002231
2011-08-02 21:21 INOPIAE Note Added: 0002252
2011-08-02 21:48 Ted Assigned To NEOatNHNG => Ted
2011-08-02 21:48 Ted Status needs review & testing => needs review
2011-08-30 22:31 egal Note Added: 0002370
2011-08-30 23:49 Uli60 Assigned To Ted => NEOatNHNG
2011-08-30 23:49 Uli60 Status needs review => ready to deploy
2011-09-06 15:45 NEOatNHNG Source_changeset_attached => cacert-devel release 12e0f503
2011-09-06 15:54 NEOatNHNG Note Added: 0002409
2011-09-07 10:41 wytze Note Added: 0002420
2011-09-07 10:41 wytze Status ready to deploy => solved?
2011-09-07 10:41 wytze Resolution open => fixed
2011-09-17 20:30 Uli60 Relationship added related to 0000717
2012-12-20 08:02 Werner Dworak Relationship added related to 0000089
2012-12-20 08:03 Werner Dworak Relationship deleted related to 0000089
2012-12-20 18:53 Werner Dworak Relationship added related to 0000214
2012-12-21 04:58 Werner Dworak Note Added: 0003506
2012-12-21 04:58 Werner Dworak Status solved? => closed
2013-01-15 14:42 Werner Dworak Fixed in Version => 2011 Q3