[Help-gnutls] Problems with Key usage violation

Andreas Thienemann andreas at dicp.ghb.fh-furtwangen.de
Wed Mar 30 18:19:40 CEST 2005


Hi,

I'm having a problem with programs linked against gnutls 1.0.20 (and other 
versions).

When connecting to our servers these tools fail the Handshake with the 
following message:

#### snip ####
## [root at bla /tmp]# gnutls-cli 
## ca.bawue.net
## Resolving 'ca.bawue.net'...
## Connecting to '193.7.176.6:443'...
## *** Fatal error: Key usage violation in certificate has been detected.
## *** Handshake has failed
## GNUTLS ERROR: Key usage violation in certificate has been detected.
#### snip ####

From my understanding of x509 keys, this means that the certificate is 
used in a way which does not correspond with the allowed usage cases.

However, checking the cert with the openssl command gives the following 
info, which shows that there shouldn't be any problems, as the cert is 
defined to be used as an SSL server.

#### snip ####
## [root at bla /tmp]# openssl x509 -noout -purpose -in server.crt
## Certificate purposes:
## SSL client : No
## SSL client CA : No
## SSL server : Yes
## SSL server CA : No
## Netscape SSL server : Yes
## Netscape SSL server CA : No
## S/MIME signing : No
## S/MIME signing CA : No
## S/MIME encryption : No
## S/MIME encryption CA : No
## CRL signing : No
## CRL signing CA : No
## Any Purpose : Yes
## Any Purpose CA : Yes
## OCSP helper : Yes
## OCSP helper CA : No
#### snip ####

Thus I do not see a reason why the GNUTLS_E_KEY_USAGE_VIOLATION should be 
triggered.

Furthermore, openssl seems to have no problem connecting to the server, as 
can be seen in the following snippet.

[root at bla /tmp]# openssl s_client -CAfile /tmp/bawue-ca-bundle.crt 
-connect ca.bawue.net:443
CONNECTED(00000003)
depth=2 /C=DE/L=Boeblingen/O=Bawue.Net e.V./OU=Bawue.Net CA/CN=Bawue.Net 
Root CA
verify return:1
depth=1 /C=DE/L=Boeblingen/O=Bawue.Net e.V./OU=Bawue.Net CA/CN=Bawue.Net 
ServerCerts CA
verify return:1
depth=0 /C=DE/ST= /L=Boeblingen/O=Bawue.Net e.V./CN=ca.bawue.net
verify return:1
---
Certificate chain
  0 s:/C=DE/ST= /L=Boeblingen/O=Bawue.Net e.V./CN=ca.bawue.net
    i:/C=DE/L=Boeblingen/O=Bawue.Net e.V./OU=Bawue.Net CA/CN=Bawue.Net 
ServerCerts CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIE4zCCBEygAwIBAgIBHDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJERTET
MBEGA1UEBxMKQm9lYmxpbmdlbjEXMBUGA1UEChMOQmF3dWUuTmV0IGUuVi4xFTAT
BgNVBAsTDEJhd3VlLk5ldCBDQTEhMB8GA1UEAxMYQmF3dWUuTmV0IFNlcnZlckNl
cnRzIENBMB4XDTA1MDMxMTE4MDM0NloXDTA3MDIwOTE4MDM0NlowXjELMAkGA1UE
BhMCREUxCjAIBgNVBAgTASAxEzARBgNVBAcTCkJvZWJsaW5nZW4xFzAVBgNVBAoT
DkJhd3VlLk5ldCBlLlYuMRUwEwYDVQQDEwxjYS5iYXd1ZS5uZXQwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALwzFRbWttiE8JIL2KcgyfOJAUlyTbXg/5RlGgFp
aXLQHRi4g5gK+c5iz32NgZp82kWP0tFBDagi3jSZXj0MHD1JBV3iwnNlhBKQiWFW
UR5u7XLt6ggOBZLseW1P3jiSg2XG02LLJeKAyFInjc+kITlF58a0acotn7G7zOGM
+iGjAgMBAAGjggKYMIIClDAdBgNVHQ4EFgQUoknB2TYfCyQQoNN0p5CZWoHvCKww
gZgGA1UdIwSBkDCBjYAU0hR5ci6rLzZlgGqDip3w+eBcnxShcqRwMG4xCzAJBgNV
BAYTAkRFMRMwEQYDVQQHEwpCb2VibGluZ2VuMRcwFQYDVQQKEw5CYXd1ZS5OZXQg
ZS5WLjEVMBMGA1UECxMMQmF3dWUuTmV0IENBMRowGAYDVQQDExFCYXd1ZS5OZXQg
Um9vdCBDQYIBBDBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY2EuYmF3dWUubmV0
L2NnaS1iaW4vZ2V0LWNlcnQucHkvU2VydmVyQ2VydHMvY3JsLmNybDALBgNVHQ8E
BAMCBSAwKgYDVR0lBCMwIQYIKwYBBQUHAwEGCWCGSAGG+EIEAQYKKwYBBAGCNwoD
AzA8BglghkgBhvhCAQ0ELxYtVGhpcyBjZXJ0aWZpY2F0ZSBpcyB1c2VkIGZvciBT
U0wgU2VydmVyQ2VydHMuMCQGCWCGSAGG+EIBAgQXFhVodHRwczovL2NhLmJhd3Vl
Lm5ldC8wNgYJYIZIAYb4QgEEBCkWJ2NnaS1iaW4vZ2V0LWNlcnQucHkvU2VydmVy
Q2VydHMvY3JsLmNybDAzBglghkgBhvhCAQMEJhYkY2dpLWJpbi9ucy1jaGVjay1y
ZXYucHkvU2VydmVyQ2VydHM/MDEGCWCGSAGG+EIBBwQkFiJjZ2ktYmluL25zLXJl
bmV3YWwucHkvU2VydmVyQ2VydHM/MDoGCWCGSAGG+EIBCAQtFitCYXd1ZS5OZXQt
Q0EvcG9saWN5L1NlcnZlckNlcnRzLXBvbGljeS5odG1sMBEGCWCGSAGG+EIBAQQE
AwIGQDANBgkqhkiG9w0BAQUFAAOBgQBCqiKTxj2cDDF/uUSBInYsOBbF9qinktRF
zZHQAcjtfB/N0Y/Qt4+FhZoASsiSPULRuNJ6G4USZJj5J4LI3eEW0zVGj5Cvr/pc
vRrQO0VkWGilS0x8HHw+mg4gZKVETYpVCKMEjXk8iOByoAFlT/Bi0stHwVEyKgYP
ekvsmy8bDQ==
-----END CERTIFICATE-----
subject=/C=DE/ST= /L=Boeblingen/O=Bawue.Net e.V./CN=ca.bawue.net
issuer=/C=DE/L=Boeblingen/O=Bawue.Net e.V./OU=Bawue.Net CA/CN=Bawue.Net 
ServerCerts CA
---
No client certificate CA names sent
---
SSL handshake has read 1819 bytes and written 340 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
SSL-Session:
     Protocol  : TLSv1
     Cipher    : DHE-RSA-AES256-SHA
     Session-ID: 
DC333450AF65FFA0ABB83D591455B6535B9670365A16FF26CB6B3B878B1B6078
     Session-ID-ctx:
     Master-Key: 
E38DC474ECD3CF343A27CF7CDFC71C9823D23CBB16B465CD4CC66628FB1C1EC68C903581C43FAACC6731E6CA5EE8BA6E
     Key-Arg   : None
     Krb5 Principal: None
     Start Time: 1112202855
     Timeout   : 300 (sec)
     Verify return code: 0 (ok)
---


Any ideas where to look for the problem?

thanks,
  andreas
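As an added example for this thread (not code from the post, from GnuTLS or from OpenSSL), the script below decodes the keyUsage extension of the server certificate pasted above using only Python's standard library and compares the bits with what each RSA-authenticated key exchange needs from the server key. With plain RSA key exchange the client encrypts the premaster secret to the certificate key, so keyEncipherment is required; with DHE-RSA, the suite `openssl s_client` negotiated above (DHE-RSA-AES256-SHA), the server signs its ephemeral Diffie-Hellman parameters, so digitalSignature is required. GnuTLS checks the negotiated key exchange against the peer certificate's keyUsage bits and reports a mismatch as GNUTLS_E_KEY_USAGE_VIOLATION, whereas `openssl x509 -purpose` answers "SSL server: Yes" as long as at least one of digitalSignature, keyEncipherment or keyAgreement is set, so its output cannot distinguish the two cases. The bit names follow RFC 5280 section 4.2.1.3; the key-exchange-to-bit mapping in REQUIRED_USAGE is this example's own table.

```python
# Added example for this thread (not code from the post, GnuTLS or OpenSSL).
import base64

# Server certificate exactly as pasted in the post above.
SERVER_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIE4zCCBEygAwIBAgIBHDANBgkqhkiG9w0BAQUFADB1MQswCQYDVQQGEwJERTET
MBEGA1UEBxMKQm9lYmxpbmdlbjEXMBUGA1UEChMOQmF3dWUuTmV0IGUuVi4xFTAT
BgNVBAsTDEJhd3VlLk5ldCBDQTEhMB8GA1UEAxMYQmF3dWUuTmV0IFNlcnZlckNl
cnRzIENBMB4XDTA1MDMxMTE4MDM0NloXDTA3MDIwOTE4MDM0NlowXjELMAkGA1UE
BhMCREUxCjAIBgNVBAgTASAxEzARBgNVBAcTCkJvZWJsaW5nZW4xFzAVBgNVBAoT
DkJhd3VlLk5ldCBlLlYuMRUwEwYDVQQDEwxjYS5iYXd1ZS5uZXQwgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBALwzFRbWttiE8JIL2KcgyfOJAUlyTbXg/5RlGgFp
aXLQHRi4g5gK+c5iz32NgZp82kWP0tFBDagi3jSZXj0MHD1JBV3iwnNlhBKQiWFW
UR5u7XLt6ggOBZLseW1P3jiSg2XG02LLJeKAyFInjc+kITlF58a0acotn7G7zOGM
+iGjAgMBAAGjggKYMIIClDAdBgNVHQ4EFgQUoknB2TYfCyQQoNN0p5CZWoHvCKww
gZgGA1UdIwSBkDCBjYAU0hR5ci6rLzZlgGqDip3w+eBcnxShcqRwMG4xCzAJBgNV
BAYTAkRFMRMwEQYDVQQHEwpCb2VibGluZ2VuMRcwFQYDVQQKEw5CYXd1ZS5OZXQg
ZS5WLjEVMBMGA1UECxMMQmF3dWUuTmV0IENBMRowGAYDVQQDExFCYXd1ZS5OZXQg
Um9vdCBDQYIBBDBMBgNVHR8ERTBDMEGgP6A9hjtodHRwOi8vY2EuYmF3dWUubmV0
L2NnaS1iaW4vZ2V0LWNlcnQucHkvU2VydmVyQ2VydHMvY3JsLmNybDALBgNVHQ8E
BAMCBSAwKgYDVR0lBCMwIQYIKwYBBQUHAwEGCWCGSAGG+EIEAQYKKwYBBAGCNwoD
AzA8BglghkgBhvhCAQ0ELxYtVGhpcyBjZXJ0aWZpY2F0ZSBpcyB1c2VkIGZvciBT
U0wgU2VydmVyQ2VydHMuMCQGCWCGSAGG+EIBAgQXFhVodHRwczovL2NhLmJhd3Vl
Lm5ldC8wNgYJYIZIAYb4QgEEBCkWJ2NnaS1iaW4vZ2V0LWNlcnQucHkvU2VydmVy
Q2VydHMvY3JsLmNybDAzBglghkgBhvhCAQMEJhYkY2dpLWJpbi9ucy1jaGVjay1y
ZXYucHkvU2VydmVyQ2VydHM/MDEGCWCGSAGG+EIBBwQkFiJjZ2ktYmluL25zLXJl
bmV3YWwucHkvU2VydmVyQ2VydHM/MDoGCWCGSAGG+EIBCAQtFitCYXd1ZS5OZXQt
Q0EvcG9saWN5L1NlcnZlckNlcnRzLXBvbGljeS5odG1sMBEGCWCGSAGG+EIBAQQE
AwIGQDANBgkqhkiG9w0BAQUFAAOBgQBCqiKTxj2cDDF/uUSBInYsOBbF9qinktRF
zZHQAcjtfB/N0Y/Qt4+FhZoASsiSPULRuNJ6G4USZJj5J4LI3eEW0zVGj5Cvr/pc
vRrQO0VkWGilS0x8HHw+mg4gZKVETYpVCKMEjXk8iOByoAFlT/Bi0stHwVEyKgYP
ekvsmy8bDQ==
-----END CERTIFICATE-----"""

# RFC 5280 4.2.1.3 keyUsage bit names in bit order (bit 0 first).
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
# Example's own table: RSA key exchange encrypts to the key, DHE-RSA signs with it.
REQUIRED_USAGE = {"RSA": "keyEncipherment", "DHE-RSA": "digitalSignature"}

def pem_to_der(pem):
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)

def read_tlv(data, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                            # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def iter_tlvs(data):
    pos = 0
    while pos < len(data):
        tag, value, pos = read_tlv(data, pos)
        yield tag, value

def decode_oid(value):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER value."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)            # base-128 arcs, high bit = continuation
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def extensions(der):
    """Return [(oid, critical, value_bytes)] from tbsCertificate.extensions."""
    _, certificate = next(iter_tlvs(der))        # Certificate SEQUENCE
    _, tbs = next(iter_tlvs(certificate))        # tbsCertificate SEQUENCE
    result = []
    for tag, value in iter_tlvs(tbs):
        if tag == 0xA3:                          # [3] EXPLICIT Extensions
            _, ext_list = next(iter_tlvs(value))  # SEQUENCE OF Extension
            for _, ext in iter_tlvs(ext_list):
                fields = list(iter_tlvs(ext))    # OID, optional BOOLEAN critical, OCTET STRING
                critical = len(fields) == 3 and fields[1][1] != b"\x00"
                result.append((decode_oid(fields[0][1]), critical, fields[-1][1]))
    return result

def key_usage(der):
    """keyUsage bit names asserted by the certificate (empty set if the extension is absent)."""
    for oid, _critical, value in extensions(der):
        if oid == "2.5.29.15":                   # id-ce-keyUsage
            tag, bits, _ = read_tlv(value, 0)    # BIT STRING inside the OCTET STRING
            assert tag == 0x03, "keyUsage value is not a BIT STRING"
            bitstr = "".join(f"{b:08b}" for b in bits[1:])
            bitstr = bitstr[:len(bitstr) - bits[0]]  # bits[0] counts unused trailing bits
            return {name for name, bit in zip(KEY_USAGE_BITS, bitstr) if bit == "1"}
    return set()

def usage_permits(usages, key_exchange):
    """True if a key with these keyUsage bits may serve the key exchange; no extension = no restriction."""
    return not usages or REQUIRED_USAGE[key_exchange] in usages
```

Run on the certificate above, `key_usage(pem_to_der(SERVER_CERT_PEM))` returns `{'keyEncipherment'}`: the key may be used for RSA key exchange but not to sign DHE parameters, so a handshake that ends in a DHE-RSA suite is refused by a stack that enforces keyUsage while OpenSSL 0.9.7 of the day did not. On the defensive side, the usual remedies are a server certificate issued with digitalSignature set alongside keyEncipherment, or a server cipher list that excludes DHE-RSA suites until the certificate is reissued.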
