Open asklc opened 10 months ago
Seems like the certificate expected a passphrase, but just a guess. Maybe try to enter an arbitrary passphrase?
I think I can reproduce this error. I generated two pfx certificates from the same crt and key with two different passphrases (containing only [a-z-]). I am able to log in successfully with the certificate with the passphrase of 95 characters. The other certificate has a passphrase of 100 characters and always reproduces this error.
I also glanced over the code, but couldn't see anything wrong about the handling of the client certificate passphrase.
There is no passphrase on the key itself. Only the PKCS#12 container is passphrase protected and the app seems to unpack it just fine, as it won't let me proceed unless I enter the correct passphrase. However, when it's eventually trying to connect to my server after I've entered the user credentials, this exception happens.
The passphrase length likely is not an issue here, I chose a really simple (childish? 😅) one only a few characters long, consisting only of [a-z0-9].
Maybe a too short passphrase causes problems as well 😉 The exception happens for me at the same place. I'll try to look into this a bit more.
Well, besides the fact that there's not much room left for a shorter passphrase to test with than "123", I'd be very surprised if the algorithm behind would have some sort of "shortness constraint" 😆 But at the same time it would not be the first time that my intuition failed me royally. In that case, however, I'd rather expect an exception message like "are you certain such a short passphrase is secure enough?" 🤣
Is this by accident already in analysis? Still not working for me and unfortunately a big usage blocker for an otherwise helpful application. It only doesn't work with the application; when the same key file is imported in Firefox (without any complaints), the communication with Paperless and nginx works flawlessly and as expected 😐
I'm sorry, but no. I know it sucks but unfortunately my time is very limited at the moment and there are other much more urgent bugs to be fixed prior to this :/
I totally feel you. I will certainly find another way to go about it and will keep an eye on this in the meantime 🙂
What happened?
Paperless-ngx is running behind an nginx with client authentication enabled. When selecting the proper client certificate PFX file, the app appears to be able to decrypt the file with the provided key phrase. However, upon entering the user credentials and trying to connect, the app throws some weird TLS error claiming that some incorrect password was given somewhere.
Steps to reproduce
Log output from the app
No response
Screenshots
Paperless-ng*x Version
1.13.0
Paperless-Mobile Version
3.2.0
Device
Samsung Galaxy M31
Operating System Version
Android 12
Device Locale
german
Selected Locale
None
Additional Context
The web server receives a proper request and is able to verify the certificate chain and in turn returns an HTTP 200 OK, so protocol-wise everything looks ok. See the below server debug logs if it any. Also, certificates and keys are managed with XCA. Both formats were chosen as export options: the cert and key inside an encrypted PKCS#12 file, and the PKCS#12 containing the full certificate chain. Neither made a difference in the outcome.