View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0001149 | CATS.cacert.org | User Interface | public | 2013-03-03 22:15 | 2024-11-24 10:08 |
Reporter | Ted | Assigned To | Ted | ||
Priority | normal | Severity | minor | Reproducibility | always |
Status | needs review | Resolution | open | ||
Summary | 0001149: CATS accepts server certificates for login | ||||
Description | If someone imports a server certificate into the browser it is possible to use this certificate to log in to CATS. Though this is not a really bad problem, it leads to problems when uploading the results to the main CAcert database. Since the import interface (cats_import.php) only checks the table for client certificates (EMAILCERTS) it cannot find server certificates and therefore reports an error. From the logic behind the system CATS expects a certificate to identify a person, not a server, so the most consistent way to fix this bug is to refuse login for server certificates. | ||||
Tags | No tags attached. | ||||
Attached Files | |||||
related to | 0001107 | new | CACert CATS Manual has only one page, which is mostly empty |
|
A certificate is defined as a client certificate if it contains an "Email" field in the CN. AFAIK all CAcert client certificates either include one of the verified email addresses or the "Single Sign On ID Information" in the Email field. |
|
Created branch bug-1149 on https://github.com/CAcertOrg/cats.git |
|
Merged the branch into testserver branch |
|
Tested with this procedure:

- Create key and CSR with: openssl req -newkey rsa:2048 -keyout test.key -subj "/CN=dummy.convey-ag.de" -out test.csr
- Created certificate with testserver, stored into test.crt
- Created importable PKCS12 file with: openssl pkcs12 -export -out test.p12 -inkey test.key -in test.crt -name "Test Certificate for CAcert bug-1149"
- Firefox 41.0.2 refused to import the certificate with an unspecific error message
- Importing into Windows Certificate Storage:
  - open MMC.EXE and add plugin "Certificates" for current user
  - Go to "Own Certificates" and use right click -> All Tasks... -> Import
  - Import the test.p12 file
  - "dummy.convey-ag.de" certificate shows in "Own Certificates -> Certificates"
- Open Internet Explorer for https://cats1.it-sls.de:14843
- When asked by Internet Explorer, select the imported certificate ("Test Certificate for CAcert bug-1149") for authentication
- Click "Login" ==> Error message is shown: Your certificate does not contain an Email field, you are probably using a server certificate. Server certificates cannot be used to log in to CATS since they do not identify a person. ==> Correct behaviour for this kind of certificates.

Please test also with your own browser. I added the test.p12 file (password for import is "test"), just in case you don't have the time to create your own certificate...
|
Login works with my "usual" client certificate. Additional tests needed for other types of allowed certificates:

- "Anonymous" certificates
- Certificates with only Single Sign On ID
- Certificate with multiple emails
|
I tested with a newly created server certificate from the test server which I imported via mmc to the Windows truststore.

- With Chrome I was able to connect to cats1 but this error message is shown: Your certificate does not contain an Email field, you are probably using a server certificate. Server certificates cannot be used to log in to CATS since they do not identify a person. => ok
- With a client certificate the login worked perfectly. => ok

=> ok
|
Using Ted's openssl commands:

- Create key and CSR
- Created certificate with testserver
- Created importable PKCS12 file
- Import to Iceweasel 41.0.2
- Open Iceweasel 41.0.2 for https://cats1.it-sls.de:14843
- When asked by Iceweasel, select the imported certificate ("Test Certificate for CAcert bug-1149") for authentication
- Click "Login" ==> Shows error: Your certificate does not contain an Email field, you are probably using a server certificate. Server certificates cannot be used to log in to CATS since they do not identify a person. => OK
- With a client certificate with email address, login worked perfectly. => OK

OK
|
- Using user paul.panter@pink.org at testsystem
- Created server certificate for www.looney.org
- Imported certificate into user certificate store
- Started EDGE
- Start https://cats1.it-sls.de:14843/
- Site was displayed => OK
- Only client certificates were listed for auth selection. => OK
- Login with client certificate was possible without errors => OK
|
- Using user paul.panter@pink.org at testsystem
- Created server certificate for www.looney.org
- Started Firefox
- Imported certificate into Firefox 42
- Start https://cats1.it-sls.de:14843/
- Site was displayed => OK
- => Your certificate does not contain an Email field, you are probably using a server certificate. Server certificates cannot be used to log in to CATS since they do not identify a person. => OK
- Login with client certificate was possible without errors => OK
|
Three people did four tests. Has the fix been implemented? |
|
https://github.com/CAcertOrg/cats/tree/bug-1149 has never been merged. I don't know who is responsible for the CATS code. |
|
Tested with:

- EDGE: no server cert is displayed in the cert list after click on "Login"
- Firefox (has own cert repo): the cert is requested before the login page is displayed; and after selecting the server cert this error is displayed on the login page (see the attachment).
|
This is an issue caused by the CAcert CA certificate structure and the way TLS client certificate authentication works. Client certificate authentication is initiated during the TLS handshake. The server sends a list of acceptable CA certificates. Because our client and server certificates are signed by the same CA certificates/keys the client/browser can send either a client or a server certificate.

Another issue is that the server certificates issued by CAcert contain the following Extended Key Usage extension values:

X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto

Due to these extensions the server certificates are valid client certificates too. This makes it impossible for a client to know that this might not be fit for the purpose of authenticating a user.

In the mid/long term we should switch to a proper CA certificate structure that supports this better. The Root CA should only sign subordinate CA (Sub CA) certificates:

- separate Sub CA for personal client certificates (issued for names and email addresses)
- separate Sub CA for machine client certificates (issued for hostnames)
- separate Sub CA for server certificates (issued for hostnames)

Server applications could say that they only accept client certificates from the personal client certificate Sub CA, if the CA certificates had this, or a similar, structure. There is no proper solution for this issue without changing the CA certificate structure. The error message in the screenshot that @alkas shared is just a workaround to help users know what is wrong.
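To make the distinction in jandd's note concrete, here is an added example in Go (it is not CATS code and not from the CAcert repository). It builds a throwaway PKI of the shape proposed above, one root, a personal Sub CA, a server Sub CA and one leaf under each, gives the server leaf the Extended Key Usage set quoted in the note, and applies three checks to both leaves: the e-mail-field rule the CATS fix uses, the clientAuth EKU test that is all the TLS layer can apply, and the issuer-based test that only becomes possible once personal and server certificates come from different Sub CAs. All CA names, the person's name and e-mail address, and the one-day validity period are constructed for the example; the hostname dummy.convey-ag.de is reused from Ted's test procedure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// PKCS#9 emailAddress, the subject-DN "Email field" the CATS workaround looks for.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}
const caUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign

// issue generates a fresh P-256 key and signs tmpl with parent; a nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template builds a minimal one-day certificate template; certSign usage marks it as a CA.
func template(cn string, serial int64, usage x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: usage, BasicConstraintsValid: true, IsCA: usage&x509.KeyUsageCertSign != 0,
	}
}

// buildPKI constructs the hierarchy from the note (root, personal Sub CA, server Sub CA, one leaf each); all names and addresses are constructed.
func buildPKI() (personalSubCA, serverSubCA, personCert, serverCert *x509.Certificate) {
	root, rootKey := issue(template("Constructed Root CA", 1, caUsage), nil, nil)
	personalCA, personalKey := issue(template("Constructed Personal Sub CA", 2, caUsage), root, rootKey)
	serverCA, serverKey := issue(template("Constructed Server Sub CA", 3, caUsage), root, rootKey)
	// Person certificate: constructed e-mail address in the SAN, clientAuth only.
	person := template("Test Person", 10, x509.KeyUsageDigitalSignature)
	person.EmailAddresses = []string{"person@example.org"}
	person.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageEmailProtection}
	// Server certificate with the EKU set quoted in the note; clientAuth makes it acceptable at the TLS layer.
	server := template("dummy.convey-ag.de", 11, x509.KeyUsageDigitalSignature)
	server.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth,
		x509.ExtKeyUsageNetscapeServerGatedCrypto, x509.ExtKeyUsageMicrosoftServerGatedCrypto}
	personCert, _ = issue(person, personalCA, personalKey)
	serverCert, _ = issue(server, serverCA, serverKey)
	return personalCA, serverCA, personCert, serverCert
}

// hasEmail is the CATS workaround: require an e-mail address, as subject emailAddress or SAN rfc822Name.
func hasEmail(c *x509.Certificate) bool {
	for _, attr := range c.Subject.Names {
		if attr.Type.Equal(oidEmailAddress) {
			return true
		}
	}
	return len(c.EmailAddresses) > 0
}

// allowsClientAuth is all the EKU extension tells the TLS layer; both leaves pass it.
func allowsClientAuth(c *x509.Certificate) bool {
	for _, eku := range c.ExtKeyUsage {
		if eku == x509.ExtKeyUsageClientAuth || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// issuedByPersonalSubCA is the check the proposed split enables: trust the personal Sub CA alone.
func issuedByPersonalSubCA(c, personalSubCA *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(personalSubCA)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

func main() {
	personalCA, _, person, server := buildPKI()
	fmt.Printf("person: email=%t clientAuthEKU=%t personalSubCA=%t\n", hasEmail(person), allowsClientAuth(person), issuedByPersonalSubCA(person, personalCA))
	fmt.Printf("server: email=%t clientAuthEKU=%t personalSubCA=%t\n", hasEmail(server), allowsClientAuth(server), issuedByPersonalSubCA(server, personalCA))
}
```

Run stand-alone it prints one line per leaf: both carry the clientAuth EKU, so that test cannot separate them; only the person certificate has an e-mail address, which is what the CATS error message keys on; and only the person certificate verifies against the personal Sub CA, which is the property an application could rely on without inspecting the subject once the CA structure is split as proposed.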
Date Modified | Username | Field | Change |
---|---|---|---|
2013-03-03 22:15 | Ted | New Issue | |
2013-03-03 22:15 | Ted | Assigned To | => Ted |
2013-03-03 22:19 | Ted | Note Added: 0003786 | |
2013-03-03 22:19 | Ted | Status | new => needs work |
2013-03-03 22:19 | Ted | Note Edited: 0003786 | |
2013-03-03 22:20 | Ted | Description Updated | |
2013-03-03 23:30 | Ted | Note Added: 0003787 | |
2013-03-03 23:31 | Ted | Status | needs work => fix available |
2013-04-06 21:48 | Ted | Relationship added | related to 0001107 |
2015-10-18 14:30 | Ted | Note Added: 0005473 | |
2015-10-18 14:30 | Ted | Status | fix available => needs review & testing |
2015-11-01 15:21 | Ted | Note Added: 0005480 | |
2015-11-01 15:22 | Ted | File Added: test.p12 | |
2015-11-01 15:35 | Ted | Note Added: 0005481 | |
2015-11-03 20:36 | INOPIAE | Note Added: 0005482 | |
2015-11-03 21:38 | MartinGummi | Note Added: 0005483 | |
2015-11-03 21:40 | MartinGummi | Status | needs review & testing => needs review |
2015-11-04 20:49 | StefanT | Note Added: 0005484 | |
2015-11-04 20:54 | StefanT | Note Added: 0005485 | |
2024-11-23 14:04 | L10N | Note Added: 0006284 | |
2024-11-23 15:02 | jandd | Note Added: 0006286 | |
2024-11-23 17:11 | alkas | Note Added: 0006287 | |
2024-11-23 17:11 | alkas | File Added: CATS-deny.gif | |
2024-11-24 10:08 | jandd | Note Added: 0006288 |