Fwd: [Help-gnutls] GnuTLS 2.2.1 problem returning GNUTLS_E_CONSTRAINT_ERROR

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Feb 16 12:56:12 CET 2008

On Feb 16, 2008 12:47 AM, Daniel Stenberg <daniel at haxx.se> wrote:
> Hey GnuTLS hackers!
> Here's an interesting problem for you guys that Beber came up with in the
> #curl IRC channel. He's CC'ed here, please try to keep him in the loop when
> you respond to this.
> *   Trying connected
> * Connected to www.net222.caisse-epargne.fr ( port 443 (#0)
> * found 102 certificates in /etc/ssl/certs/ca-certificates.crt
> * server cert verify failed: -101
> * Closing connection #0
> curl: (35) server cert verify failed: -101
> The culprit here for you is the -101. That's
> gnutls_certificate_verify_peers2() returning GNUTLS_E_CONSTRAINT_ERROR.

I can see two cases where this can be returned.
1. the verify depth of the certificate is quite high (ie the chain
being verified is long).
The default maximum depth is 6. Although it is possible to have such
long chain, it is most probably
a configuration error if the server sends more than 6 certificates.
- this limit can be adjusted by gnutls_certificate_set_verify_limits()

2. the key bits of the certificates are longer than the maximum allowed (8200).
this limit can also be adjusted by the same function.


More information about the Gnutls-help mailing list