View Issue Details

ID: 0001149
Project: CATS.cacert.org
Category: User Interface
View Status: public
Last Update: 2024-11-24 10:08
Reporter: Ted
Assigned To: Ted
Priority: normal
Severity: minor
Reproducibility: always
Status: needs review
Resolution: open
Summary: 0001149: CATS accepts server certificates for login
Description: If someone imports a server certificate into the browser it is possible to use this certificate to log in to CATS.

Though this is not a really bad problem it leads to problems when uploading the results to the main CAcert database. Since the import interface (cats_import.php) only checks the table for client certificates (EMAILCERTS) it cannot find server certificates and therefore reports an error.

From the logic behind the system CATS expects a certificate to identify a person, not a server, so the most consistent way to fix this bug is to refuse login for server certificates.
Tags: No tags attached.
Attached Files
test.p12 (3,070 bytes)

Relationships

related to 0001107 new CACert CATS Manual has only one page, which is mostly empty 

Activities

Ted

2013-03-03 22:19

administrator   ~0003786

Last edited: 2013-03-03 22:19

A certificate is defined as a client certificate if it contains an "Email" field in the CN.

AFAIK all CAcert client certificates either include one of the verified email addresses or the "Single Sign On ID Information" in the Email field.

Ted

2013-03-03 23:30

administrator   ~0003787

Created branch bug-1149 on https://github.com/CAcertOrg/cats.git

Ted

2015-10-18 14:30

administrator   ~0005473

Merged the branch into testserver branch

Ted

2015-11-01 15:21

administrator   ~0005480

Tested with this procedure:

- Create key and CSR with: openssl req -newkey rsa:2048 -keyout test.key -subj "/CN=dummy.convey-ag.de" -out test.csr
- Created certificate with testserver, stored into test.crt
- Created importable PKCS12 file with: openssl pkcs12 -export -out test.p12 -inkey test.key -in test.crt -name "Test Certificate for CAcert bug-1149"

- Firefox 41.0.2 refused to import the certificate with unspecific error message

- Importing into Windows Certificate Storage:
  - open MMC.EXE and add plugin "Certificates" for current user
  - Goto "Own Certificates" and use right click -> All Tasks... -> Import
  - Import the test.p12 file
  - "dummy.convey-ag.de" certificate shows in "Own Certificates -> Certificates"
- Open Internet Explorer for https://cats1.it-sls.de:14843
- When asked by Internet Explorer, select the imported certificate ("Test Certificate for CAcert bug-1149") for authentication
- Click "Login"

==> Error message is shown:

Your certificate does not contain an Email field, you are probably using a server certificate.
Server certificates cannot be used to log in to CATS since they do not identify a person.

==> Correct behaviour for this kind of certificates.

Please test also with your own browser. I added the test.p12 file (password for import is "test"), just in case you don't have the time to create your own certificate...

Ted

2015-11-01 15:35

administrator   ~0005481

Login works with my "usual" client certificate. Additional tests needed for other types of allowed certificates:

- "Anonymous" certificates
- Certificates with only Single Sign On ID
- Certificate with multiple emails

INOPIAE

2015-11-03 20:36

updater   ~0005482

I tested with a new created server certificate from the test server which I imported via mmc to the windows truststore.
With Chrome I was able to connect to the cats1 but this error message is shown:
Your certificate does not contain an Email field, you are probably using a server certificate.
Server certificates cannot be used to log in to CATS since they do not identify a person.
=> ok
With a client certificate the login worked perfectly.
=> ok

MartinGummi

2015-11-03 21:38

updater   ~0005483

Using Ted's openssl commands

- Create key and CSR
- Created certificate with testserver
- Created importable PKCS12 file
- Import to Iceweasel 41.0.2
- Open Iceweasel 41.0.2 for https://cats1.it-sls.de:14843
- When asked by Iceweasel, select the imported certificate ("Test Certificate for CAcert bug-1149") for authentication
- Click "Login"

==> Shows error:
Your certificate does not contain an Email field, you are probably using a server certificate.
Server certificates cannot be used to log in to CATS since they do not identify a person.

=>OK
With a client certificate with email Address, login worked perfectly.
=>OK

OK

StefanT

2015-11-04 20:49

updater   ~0005484

- Using user paul.panter@pink.org at testsystem
- Created server certificate for www.looney.org
- Imported certificate into user certificate store
- Started EDGE
- Start https://cats1.it-sls.de:14843/
- Site was displayed => OK

=> Only client certificates were listed for auth selection. => OK

Login with client certificate was possible without errors => OK

StefanT

2015-11-04 20:54

updater   ~0005485

- Using user paul.panter@pink.org at testsystem
- Created server certificate for www.looney.org
- Started Firefox
- Imported certificate into Firefox 42
- Start https://cats1.it-sls.de:14843/
- Site was displayed => OK

=> Your certificate does not contain an Email field, you are probably using a server certificate.
Server certificates cannot be used to log in to CATS since they do not identify a person. => OK

Login with client certificate was possible without errors => OK

L10N

2024-11-23 14:04

reporter   ~0006284

Three people did four tests. Has the fix been implemented?

jandd

2024-11-23 15:02

administrator   ~0006286

https://github.com/CAcertOrg/cats/tree/bug-1149 has never been merged. I don't know who is responsible for the CATS code.

alkas

2024-11-23 17:11

manager   ~0006287

Tested with EDGE: no server cert is displayed in the cert list after clicking "Login".
Tested with Firefox (has own cert repo): the cert is requested before the login page is displayed; and after selecting the server cert this error is displayed on the login page (see the attachment).
CATS-deny.gif (3,740 bytes)

jandd

2024-11-24 10:08

administrator   ~0006288

This is an issue caused by the CAcert CA certificate structure and the way TLS client certificate authentication works.

Client certificate authentication is initiated during the TLS handshake. The server sends a list of acceptable CA certificates. Because our client and server certificates are signed by the same CA certificates/keys the client/browser can send either a client or a server certificate.

Another issue is that the server certificates issued by CAcert contain the following Extended Key Usage extension values:

X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, Netscape Server Gated Crypto, Microsoft Server Gated Crypto

Due to these extensions the server certificates are valid client certificates too. This makes it impossible for a client to know that this might not be fit for the purpose of authenticating a user.

In the mid/long-term we should switch to a proper CA certificate structure that supports this better:

Root CA should only sign subordinate CA (Sub CA) certificates
- separate Sub CA for personal client certificates (issued for names and email addresses)
- separate Sub CA for machine client certificates (issued for hostnames)
- separate Sub CA for server certificates (issued for hostnames)

Server applications could say that they only accept client certificates from the personal client certificate Sub CA, if the CA certificates would have this, or a similar structure.

There is no proper solution for this issue without changing the CA certificate structure. The error message in the screenshot that @alkas shared is just a workaround to help users know what is wrong.
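The three points made in this thread can be seen side by side in the following added example. It is not code from CATS or from the bug-1149 branch; it is a stand-alone Go program using only the standard library's crypto/x509, and every name in it (the "Test" CA names, "Test Person", the .invalid hostnames, the serial numbers) is constructed for the demonstration. It builds the hierarchy jandd proposes (one root, a personal client Sub CA, a server Sub CA), issues one personal certificate with an emailAddress attribute in the subject DN and one hostname certificate whose EKU lists TLS Web Client Authentication next to TLS Web Server Authentication, and then shows: (1) under a shared root both certificates pass the check a TLS server performs for client authentication, which is why browsers offer the server certificate; (2) the rule from Ted's note 0003786 (no Email field, no login) separates them at the application layer; (3) trusting only the personal Sub CA separates them already at the TLS layer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// oidEmailAddress is PKCS#9 emailAddress: the subject attribute that CAcert personal
// client certificates carry and that the bug-1149 branch tests for.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)

// PKI is the constructed test hierarchy; every name in it is made up for this example.
type PKI struct{ Root, PersonalCA, ServerCA, Client, Server *x509.Certificate }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key for tmpl and has parent sign it (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func ca(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// BuildPKI issues the structure jandd proposes (root -> separate Sub CAs) and one leaf of each kind.
func BuildPKI() *PKI {
	root, rootKey := issue(ca("Test Root CA", 1), nil, nil)
	personalCA, personalKey := issue(ca("Test Personal Client Sub CA", 2), root, rootKey)
	serverCA, serverKey := issue(ca("Test Server Sub CA", 3), root, rootKey)

	// Personal certificate: emailAddress in the subject DN, client authentication only.
	client, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(100), NotBefore: notBefore, NotAfter: notAfter,
		Subject: pkix.Name{CommonName: "Test Person", ExtraNames: []pkix.AttributeTypeAndValue{
			{Type: oidEmailAddress, Value: "person@example.invalid"}}},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, personalCA, personalKey)

	// Server certificate as CAcert issues it today: hostname only, and an EKU that lists
	// TLS Web Client Authentication next to TLS Web Server Authentication.
	server, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(200), NotBefore: notBefore, NotAfter: notAfter,
		Subject:     pkix.Name{CommonName: "dummy.example.invalid"},
		DNSNames:    []string{"dummy.example.invalid"},
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}, serverCA, serverKey)

	return &PKI{root, personalCA, serverCA, client, server}
}

// AcceptedForClientAuth asks what the TLS layer asks: does cert chain to a trusted CA and
// carry the TLS Web Client Authentication EKU? Nothing here looks at the subject.
func AcceptedForClientAuth(cert *x509.Certificate, roots, intermediates *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: intermediates,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// CATSLogin applies the rule from note 0003786: without an Email field in the subject the
// login is refused, with the message the testers in this thread saw.
func CATSLogin(cert *x509.Certificate) (ok bool, msg string) {
	for _, atv := range cert.Subject.Names {
		if email, isStr := atv.Value.(string); isStr && atv.Type.Equal(oidEmailAddress) {
			return true, "logged in as " + email
		}
	}
	return false, "Your certificate does not contain an Email field, you are probably using a server certificate."
}

func main() {
	p := BuildPKI()
	sharedRoot, subCAs, personalOnly := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	sharedRoot.AddCert(p.Root)
	subCAs.AddCert(p.PersonalCA)
	subCAs.AddCert(p.ServerCA)
	personalOnly.AddCert(p.PersonalCA)
	for _, c := range []*x509.Certificate{p.Client, p.Server} {
		_, msg := CATSLogin(c)
		fmt.Printf("%-22s shared root: %-5t personal Sub CA only: %-5t CATS: %s\n", c.Subject.CommonName,
			AcceptedForClientAuth(c, sharedRoot, subCAs), AcceptedForClientAuth(c, personalOnly, nil), msg)
	}
}
```

Running it prints one line per certificate: under the shared root both are accepted for client authentication, only the personal certificate passes CATSLogin, and only the personal certificate chains when the trust pool holds just the personal Sub CA. The last column is the situation jandd describes as the proper fix; the middle column is the workaround the bug-1149 branch implements.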

Issue History

Date Modified Username Field Change
2013-03-03 22:15 Ted New Issue
2013-03-03 22:15 Ted Assigned To => Ted
2013-03-03 22:19 Ted Note Added: 0003786
2013-03-03 22:19 Ted Status new => needs work
2013-03-03 22:19 Ted Note Edited: 0003786
2013-03-03 22:20 Ted Description Updated
2013-03-03 23:30 Ted Note Added: 0003787
2013-03-03 23:31 Ted Status needs work => fix available
2013-04-06 21:48 Ted Relationship added related to 0001107
2015-10-18 14:30 Ted Note Added: 0005473
2015-10-18 14:30 Ted Status fix available => needs review & testing
2015-11-01 15:21 Ted Note Added: 0005480
2015-11-01 15:22 Ted File Added: test.p12
2015-11-01 15:35 Ted Note Added: 0005481
2015-11-03 20:36 INOPIAE Note Added: 0005482
2015-11-03 21:38 MartinGummi Note Added: 0005483
2015-11-03 21:40 MartinGummi Status needs review & testing => needs review
2015-11-04 20:49 StefanT Note Added: 0005484
2015-11-04 20:54 StefanT Note Added: 0005485
2024-11-23 14:04 L10N Note Added: 0006284
2024-11-23 15:02 jandd Note Added: 0006286
2024-11-23 17:11 alkas Note Added: 0006287
2024-11-23 17:11 alkas File Added: CATS-deny.gif
2024-11-24 10:08 jandd Note Added: 0006288