cacert-sysadm AT lists.cacert.org
Subject: CAcert System Admins discussion list
List archive
- From: Andre Klärner <kandre AT cacert.org>
- To: cacert-sysadm AT lists.cacert.org
- Subject: Re: apache2 config difference secure.c.o/lists.c.o
- Date: Wed, 23 Oct 2013 06:55:40 +0200
Hi Michael,
On Tue 22.10.2013 04:08:55, Michael Tänzer wrote:
> On 22.10.2013 02:52, Andre Klärner wrote:
> > can someone explain to me why the certificate login on lists.cacert.org
> > works with an Android 4.3 device while the secure.cacert.org login
> > doesn't?
>
> There are a few significant differences I can tell from my mind (for the
> details someone will have to do a more detailed comparison by looking at
> the configurations):
> - Lists runs on Debian 7 while the critical web server is still on 6
> with all consequences (older OpenSSL version, Apache etc.)
> - The critical web server does the revocation checking by looking up the
> certificate directly in the database, therefore if the certificate was
> revoked or not marked for "Login" in the account, the web server will
> refuse the certificate. Revocation checking might however not be
> implemented correctly on the lists server, especially with the problems
> with CRL download
The certificate is 01:1F:49 signed by the Class3, unrevoked, valid till 2015
and enabled for login.
> > I tried both with the same certificate, the same browser (Chrome on
> > Android) and the same Android, just seconds one from each other, but the
> > request on secure.cacert.org fails with the usual "cannot negotiate ssl…"
> > while the login on Sympha works perfectly (actually I discovered that by
> > in a routine just clicking on the cert while following an archive link
> > and tried the cert logon on secure.cacert.org just to test it out).
>
> Can you try to get a more exact error message? Something that indicates
> what exactly caused handshake to fail (e.g. no matching cipher suite,
> invalid server certificate, no suitable client certificate, certificate
> authentication denied). That would help a lot to narrow down where the
> error is to be found.
The error message is: "ERR_BAD_SSL_CLIENT_AUTH_CERT" which basically means
"certificate-based authentication failed" as written in the error's header.
I also attached a tcpdump of a session from my android against one of my
servers, that shows the same problem.
regards, Andre
--
Andre Klärner
prospective CAcert Organisation Assurer
CAcert needs funding to keep its services running, so if you find our
project useful please consider donating. For more information see
http://www.cacert.org/index.php?id=13
CAcert needs money to be able to keep running its services. So if you find
our project useful, we would be glad to receive a donation. You can find more
information at
http://www.cacert.org/index.php?id=13&lang=de_DE
Attachment:
ssl-trace.pcap
Description: application/vnd.tcpdump.pcap
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
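Added example, not part of the original mail or of CAcert's code: Michael asked for the exact reason the handshake failed, and Chrome's ERR_BAD_SSL_CLIENT_AUTH_CERT collapses several different server-side TLS alerts into one message. The alert record in a capture like the attached ssl-trace.pcap carries the precise code. The script below walks raw TLS records (the TCP payload of the server-to-client direction, which you would export from the pcap; the byte string here is constructed for the example), decodes the alert level and description per RFC 5246, and maps the common client-certificate alerts to what a server operator would check first. The record bytes and the hints are the example's own assumptions; the alert numbers are the RFC values.

```python
"""Decode the TLS alert a server sends when it rejects a client certificate.

Input is the raw TLS byte stream (concatenated TLS records) sent by the
server.  Only record framing and the alert protocol are parsed; that is enough
to turn a vague browser error into the exact alert the server chose.
"""
import struct

CONTENT_ALERT = 21        # RFC 5246 section 6.2.1 ContentType values
CONTENT_HANDSHAKE = 22

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# RFC 5246 section 7.2 AlertDescription values
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
}

# What to check on the server for each client-certificate related alert.
# These hints are the example's own operator-facing summary, not RFC text.
OPERATOR_HINTS = {
    "unknown_ca": "server trust store lacks the issuing CA chain of the client cert",
    "bad_certificate": "client cert failed verification (chain, signature or depth limit)",
    "certificate_revoked": "server-side revocation check (CRL or database lookup) rejected it",
    "certificate_expired": "client cert outside its validity period per server clock",
    "certificate_unknown": "verification failed for an unspecified reason; check server SSL log",
    "access_denied": "cert verified but authorization (e.g. login flag) denied",
    "handshake_failure": "no common protocol version or cipher suite, or renegotiation refused",
}

VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_records(data: bytes):
    """Yield (content_type, version_tuple, payload) for each TLS record."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        payload = data[offset + 5:offset + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated TLS record at offset %d" % offset)
        yield ctype, (major, minor), payload
        offset += 5 + length


def find_alert(server_stream: bytes):
    """Return a dict describing the first alert record, or None if there is none."""
    for ctype, version, payload in parse_records(server_stream):
        if ctype == CONTENT_ALERT and len(payload) == 2:
            level, code = payload[0], payload[1]
            name = ALERT_DESCRIPTIONS.get(code, "unknown(%d)" % code)
            return {
                "version": VERSIONS.get(version, "unknown %r" % (version,)),
                "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
                "code": code,
                "description": name,
                "hint": OPERATOR_HINTS.get(name, "see server TLS log for details"),
            }
    return None


# Constructed sample of the server's side of a failed handshake: a TLS 1.0
# handshake record carrying ServerHelloDone (type 14, zero length), followed
# by a fatal alert with description 48 (unknown_ca).
SAMPLE_SERVER_STREAM = (
    b"\x16\x03\x01\x00\x04" + b"\x0e\x00\x00\x00"   # handshake: ServerHelloDone
    + b"\x15\x03\x01\x00\x02" + b"\x02\x30"           # alert: fatal, unknown_ca
)

if __name__ == "__main__":
    alert = find_alert(SAMPLE_SERVER_STREAM)
    if alert is None:
        print("no alert record found; failure happened at a different layer")
    else:
        print("%(version)s %(level)s alert %(code)d (%(description)s): %(hint)s" % alert)
```

To use it on the real capture, export the server-to-client TCP payload (for example with tshark's follow-stream output in raw mode) and pass those bytes to find_alert; the version field of the alert record also tells you whether the client and this server agreed on TLS 1.0 only, which matters when comparing a Debian 6 and a Debian 7 host.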