Fatal error: Key usage violation in certificate has been detected

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 23 23:09:27 CEST 2009


On 10/23/2009 01:46 PM, Goffredo Baroncelli wrote:
> Could someone help me to confirm that the problem is 
> the certificate even in this case?

here's a quick way to check with openssl (sorry i'm not using gnutls tools
-- if someone wants to show the same thing with gnutls tools i'd gladly
learn).

0 dkg at pip:~$ echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -text  | grep -i -A1 usage 
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
0 dkg at pip:~$ echo | openssl s_client -connect authsrs.alice.it:443 2>/dev/null | openssl x509 -noout -text  | grep -i -A1 usage 
            X509v3 Key Usage: 
                Key Encipherment
0 dkg at pip:~$ 

note that google's certificate allows "TLS Web Server Authentication",
but authsrs.alice.it's certificate does not.  I think that's the root
of your problem.

> And if it is the case (and I think that it IS the case), which possibles 
> workarounds exist ?

Maybe there's a GnuTLS priority string you can set to disable usage flag
checking as a workaround?  if there is, i couldn't find it here:

 http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#gnutls_priority_set

seems like they should really use a certificate with the right usage
flags set, though.

hth,

	--dkg
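The check dkg runs through `openssl x509 -text | grep usage` can also be done on the raw extension bytes, which is useful when you want to script it or see exactly which bit a client is rejecting. The following is an added example, not code from the message or from GnuTLS: it decodes the DER of the two extensions involved (KeyUsage, a BIT STRING; ExtendedKeyUsage, a SEQUENCE of OIDs) and applies the rule a TLS client uses for a server certificate: an extension that is absent restricts nothing, a present EKU must list serverAuth (or anyExtendedKeyUsage), and a present KeyUsage must allow the key exchange the cipher suite performs (keyEncipherment for RSA key transport, digitalSignature for (EC)DHE, where the server signs the handshake). The DER samples are constructed by hand for the example; they are not the bytes of the google.com or authsrs.alice.it certificates.

```python
# Added example: decode X.509 KeyUsage / ExtendedKeyUsage DER and apply the
# TLS server-certificate rule. Pure Python, no third-party dependencies.
# The sample extension values below are constructed for this example.

# KeyUsage bit positions (RFC 5280 section 4.2.1.3)
KU_BITS = {
    0: "digitalSignature", 1: "nonRepudiation", 2: "keyEncipherment",
    3: "dataEncipherment", 4: "keyAgreement", 5: "keyCertSign",
    6: "cRLSign", 7: "encipherOnly", 8: "decipherOnly",
}
# ExtendedKeyUsage OIDs (RFC 5280 section 4.2.1.12)
EKU_OIDS = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "2.5.29.37.0": "anyExtendedKeyUsage",
}

# Constructed samples (the DER value of the extension, i.e. extnValue contents):
SAMPLE_KU_KEYENC = bytes.fromhex("03020520")        # KeyUsage: keyEncipherment only
SAMPLE_KU_SIG_KEYENC = bytes.fromhex("030205a0")    # KeyUsage: digitalSignature, keyEncipherment
SAMPLE_EKU_SERVER_CLIENT = bytes.fromhex(           # EKU: serverAuth, clientAuth
    "3014" "0608 2b06010505070301" "0608 2b06010505070302")
SAMPLE_EKU_ANY = bytes.fromhex("30060604551d2500")  # EKU: anyExtendedKeyUsage


def der_tlv(buf, pos=0):
    """Parse one DER TLV with a definite length. Returns (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the contents octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]  # first octet packs the first two arcs
    n = 0
    for b in value[1:]:                     # base-128, high bit set on all but last octet
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def parse_key_usage(ext_value):
    """Return the set of KeyUsage flag names asserted in a DER BIT STRING."""
    tag, body, _ = der_tlv(ext_value)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, bits = body[0], body[1:]
    total_bits = len(bits) * 8 - unused     # trailing 'unused' bits carry no meaning
    flags = set()
    for bit, name in KU_BITS.items():
        byte, off = divmod(bit, 8)
        if bit < total_bits and bits[byte] & (0x80 >> off):
            flags.add(name)
    return flags


def parse_eku(ext_value):
    """Return the set of ExtendedKeyUsage purposes (names where known, else dotted OIDs)."""
    tag, body, _ = der_tlv(ext_value)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    purposes, pos = set(), 0
    while pos < len(body):
        t, v, pos = der_tlv(body, pos)
        if t != 0x06:
            raise ValueError("ExtendedKeyUsage members must be OIDs")
        oid = decode_oid(v)
        purposes.add(EKU_OIDS.get(oid, oid))
    return purposes


def usable_for_tls_server(key_usage, ext_key_usage, rsa_key_exchange):
    """Apply the TLS server-certificate rule. None means the extension is absent.

    Returns (ok, reason). The key-exchange flag matters because RSA key
    transport needs keyEncipherment, while (EC)DHE needs digitalSignature.
    """
    if ext_key_usage is not None and not ({"serverAuth", "anyExtendedKeyUsage"} & ext_key_usage):
        return False, "EKU present but lacks serverAuth"
    if key_usage is not None:
        needed = "keyEncipherment" if rsa_key_exchange else "digitalSignature"
        if needed not in key_usage:
            return False, "KeyUsage lacks " + needed
    return True, "ok"


if __name__ == "__main__":
    ku = parse_key_usage(SAMPLE_KU_KEYENC)
    eku = parse_eku(SAMPLE_EKU_SERVER_CLIENT)
    print("KeyUsage:", sorted(ku), "EKU:", sorted(eku))
    for rsa in (True, False):
        print("KU-only cert, RSA kex" if rsa else "KU-only cert, DHE kex",
              usable_for_tls_server(ku, None, rsa_key_exchange=rsa))
```

Running it shows why a certificate carrying only `Key Usage: Key Encipherment` passes with an RSA key-exchange suite but fails as soon as the negotiated suite needs the server to sign, which is a common way to hit a key-usage violation in a client that enforces the flags.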
