help-gnutls

Re: [Help-gnutls] Problems with Key usage violation


From: Nikos Mavrogiannopoulos
Subject: Re: [Help-gnutls] Problems with Key usage violation
Date: Wed, 30 Mar 2005 20:29:05 +0200
User-agent: KMail/1.7.2

On Wednesday 30 March 2005 18:19, Andreas Thienemann wrote:
> Hi,

> I'm having a problem with programs linked against gnutls 1.0.20 (and other
> versions).
> When connecting to our servers these tools fail the Handshake with the
> following message:
> #### snip ####
> ## address@hidden /tmp]# gnutls-cli
> ## ca.bawue.net
> ## Resolving 'ca.bawue.net'...
> ## Connecting to '193.7.176.6:443'...
> ## *** Fatal error: Key usage violation in certificate has been detected.
> ## *** Handshake has failed
> ## GNUTLS ERROR: Key usage violation in certificate has been detected.
> #### snip ####

> From my understanding of x509 keys, this means that the certificate is
> used in a way which does not correspond with the allowed usage cases.
Correct. GnuTLS checks the key usage X.509 certificate extension.
That is, for example, if the RSA key is marked encrypt only, you cannot use
the DHE_RSA algorithm that requires signing.

> However, checking the cert with the openssl command gives the following
> info, which shows that there shouldn't be any problems as the key is
> cert is defined to be used as a SSL Server.
Use the output of certtool or the -text output of openssl x509. Try
./certtool -i <server.crt

> #### snip ####
> ## address@hidden /tmp]# openssl x509 -noout -purpose -in server.crt
> ## Certificate purposes:
GnuTLS does not check the purpose, but rather the key usage.

> thanks,
>   andreas

-- 
Nikos Mavrogiannopoulos
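
The check described in the reply above, as an added example that is not part of the original message and is not GnuTLS's own code: it decodes the DER BIT STRING of a keyUsage extension and tests the bit each key exchange needs. The function names, the `enum kx` values and the sample extension bytes are constructed for illustration; the bit positions follow RFC 5280, and the requirement that plain RSA key exchange needs keyEncipherment comes from the TLS specification rather than from the thread.

```c
#include <stddef.h>
#include <stdio.h>

/* KeyUsage bits (RFC 5280): bit 0 is the most significant bit of the first byte. */
#define KU_DIGITAL_SIGNATURE 0x80u   /* bit 0 */
#define KU_KEY_ENCIPHERMENT  0x20u   /* bit 2 */

enum kx { KX_RSA, KX_DHE_RSA };      /* hypothetical names for this example */

/* Decode the BIT STRING held in the keyUsage extension value.
 * Returns 0 and stores the first usage byte in *bits, or -1 if malformed. */
static int parse_key_usage(const unsigned char *der, size_t len, unsigned *bits)
{
    if (len < 4 || der[0] != 0x03)            /* tag must be BIT STRING */
        return -1;
    size_t clen = der[1];                     /* short-form length only */
    if (clen < 2 || clen > 3 || clen + 2 != len || der[2] > 7)
        return -1;
    *bits = der[3];
    if (clen == 2)                            /* drop the declared unused bits */
        *bits &= (0xFFu << der[2]) & 0xFFu;
    return 0;
}

/* 1 = key may be used, 0 = key usage violation, -1 = unparsable extension.
 * der == NULL models a certificate without the extension (no restriction). */
static int key_usage_allows(const unsigned char *der, size_t len, enum kx kx)
{
    unsigned bits;
    if (der == NULL)
        return 1;
    if (parse_key_usage(der, len, &bits) != 0)
        return -1;
    /* DHE_RSA signs the DH parameters; plain RSA decrypts the premaster secret. */
    unsigned need = (kx == KX_DHE_RSA) ? KU_DIGITAL_SIGNATURE : KU_KEY_ENCIPHERMENT;
    return (bits & need) != 0;
}

/* Constructed sample values, not taken from the certificate in the thread. */
static const unsigned char ku_encrypt_only[]     = { 0x03, 0x02, 0x05, 0x20 };
static const unsigned char ku_sign_and_encrypt[] = { 0x03, 0x02, 0x05, 0xA0 };

int main(void)
{
    printf("encrypt-only key, DHE_RSA: %d\n",
           key_usage_allows(ku_encrypt_only, sizeof ku_encrypt_only, KX_DHE_RSA));
    printf("encrypt-only key, RSA:     %d\n",
           key_usage_allows(ku_encrypt_only, sizeof ku_encrypt_only, KX_RSA));
    return 0;
}
```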

