[Help-gnutls] Problems with Key usage violation

Nikos Mavrogiannopoulos nmav at gnutls.org
Wed Mar 30 20:29:05 CEST 2005


On Wednesday 30 March 2005 18:19, Andreas Thienemann wrote:
> Hi,

> I'm having a problem with programs linked against gnutls 1.0.20 (and other
> version).
> When connecting to our servers these tools fail the Handshake with the
> following message:
> #### snip ####
> ## [root at bla /tmp]# gnutls-cli
> ## ca.bawue.net
> ## Resolving 'ca.bawue.net'...
> ## Connecting to '193.7.176.6:443'...
> ## *** Fatal error: Key usage violation in certificate has been detected.
> ## *** Handshake has failed
> ## GNUTLS ERROR: Key usage violation in certificate has been detected.
> #### snip ####

> From my understanding of x509 keys, this means that the certificate is
> used in a way which does not correspond with the allowed usage cases.
Correct. Gnutls checks the key usage X.509 certificate extension.
That is, for example, if the RSA key is marked encrypt only, you cannot use 
the DHE_RSA algorithm that requires signing.

> However, checking the cert with the openssl command gives the following
> info, which shows that there shouldn't be any problems as the
> cert is defined to be used as an SSL Server.
Use the output of certtool or the -text output of openssl x509. Try
./certtool -i <server.crt

> #### snip ####
> ## [root at bla /tmp]# openssl x509 -noout -purpose -in server.crt
> ## Certificate purposes:
gnutls does not check the purpose, but rather the key usage.

> thanks,
>   andreas

-- 
Nikos Mavrogiannopoulos
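The check the reply describes, as an added worked example (not code from the list message or from GnuTLS itself): decode the X.509 keyUsage extension value, which is a DER BIT STRING as defined in RFC 5280 section 4.2.1.3, and test whether the resulting bits permit a given TLS key-exchange method. The key-exchange requirements table and the sample DER bytes are constructed for illustration; the rule it encodes is the one stated above, that plain RSA key exchange needs keyEncipherment while DHE_RSA needs digitalSignature.

```python
# Added example: parse an X.509 keyUsage BIT STRING and check it against the
# needs of a TLS key-exchange method (assumed mapping, not GnuTLS's own code).

# Bit positions from RFC 5280: KeyUsage ::= BIT STRING { digitalSignature (0), ... }
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def parse_key_usage(der: bytes) -> set:
    """Decode a DER-encoded KeyUsage BIT STRING into a set of usage names.

    Layout: tag 0x03, short-form length, one byte giving the number of unused
    trailing bits, then the bit bytes (bit 0 is the most significant bit).
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # keyUsage is at most two content bytes, so only short-form lengths occur
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused_bits = der[2]
    payload = der[3:]
    if unused_bits > 7 or (unused_bits and not payload):
        raise ValueError("bad unused-bits count")
    total_bits = len(payload) * 8 - unused_bits
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


# Assumed mapping of TLS key exchange to the usage the server key must carry:
# RSA key exchange encrypts the premaster secret with the server key, while
# DHE/ECDHE suites sign the ephemeral parameters with it.
KX_REQUIREMENTS = {
    "RSA": {"keyEncipherment"},
    "DHE_RSA": {"digitalSignature"},
    "ECDHE_RSA": {"digitalSignature"},
    "DHE_DSS": {"digitalSignature"},
}


def missing_usages(usages, kx: str) -> set:
    """Return the usage bits the key exchange needs but the certificate lacks.

    usages is None when the certificate carries no keyUsage extension, which
    imposes no restriction (RFC 5280), so nothing is reported as missing.
    """
    if kx not in KX_REQUIREMENTS:
        raise ValueError(f"unknown key exchange {kx!r}")
    if usages is None:
        return set()
    return KX_REQUIREMENTS[kx] - usages


def key_usage_allows(usages, kx: str) -> bool:
    """True if the certificate's keyUsage permits the key-exchange method."""
    return not missing_usages(usages, kx)


if __name__ == "__main__":
    # Constructed sample: keyUsage = keyEncipherment only (bit 2 set, 5 unused bits)
    encrypt_only = bytes.fromhex("03020520")
    # Constructed sample: digitalSignature + keyEncipherment
    sign_and_encrypt = bytes.fromhex("030205a0")
    for name, der in (("encrypt-only", encrypt_only), ("sign+encrypt", sign_and_encrypt)):
        bits = parse_key_usage(der)
        for kx in ("RSA", "DHE_RSA"):
            verdict = "ok" if key_usage_allows(bits, kx) else f"violation, missing {sorted(missing_usages(bits, kx))}"
            print(f"{name:13} {kx:8} -> {verdict}")
```

Running the block prints that an encrypt-only key passes with RSA key exchange but fails DHE_RSA for lack of digitalSignature, which is the handshake failure shown in the quoted session; `certtool -i` prints the same extension under "Key Usage", which is why the reply points to it rather than to openssl's `-purpose` summary.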
