[Help-gnutls] GnuTLS 2.2.1 problem returning GNUTLS_E_CONSTRAINT_ERROR
daniel at haxx.se
Fri Feb 15 23:47:08 CET 2008
Hey GnuTLS hackers!
Here's an interesting problem for you guys that Beber came up with in the
#curl IRC channel. He's CC'ed here, please try to keep him in the loop when
you respond to this.
#1 - build a somewhat recent curl with GnuTLS support (curl 7.17.1 and 7.18.0
both work, presumably others too). GnuTLS 2.0.4 and 2.2.1 were tested
and both showed this problem. The same curl versions built against
OpenSSL instead work fine.
#2 - run this command:
curl https://www.net222.caisse-epargne.fr -v
This assumes you use a default cacert bundle, but I used the one Debian
provides in /etc/ssl/certs/ca-certificates.crt with an extra option like:
--cacert /etc/ssl/certs/ca-certificates.crt. Or, thanks to a flaw in
these curl versions, use -k to skip the server cert verification - but it
will still try to extract the server cert, which is what fails.
#3 - the output from curl then becomes:
* About to connect() to www.net222.caisse-epargne.fr port 443 (#0)
* Trying 22.214.171.124... connected
* Connected to www.net222.caisse-epargne.fr (126.96.36.199) port 443 (#0)
* found 102 certificates in /etc/ssl/certs/ca-certificates.crt
* server cert verify failed: -101
* Closing connection #0
curl: (35) server cert verify failed: -101
The culprit here for you is the -101. That's
gnutls_certificate_verify_peers2() returning GNUTLS_E_CONSTRAINT_ERROR.