Fwd: [Help-gnutls] GnuTLS 2.2.1 problem returning GNUTLS_E_CONSTRAINT_ERROR

Daniel Stenberg daniel at haxx.se
Sat Feb 16 14:25:12 CET 2008


On Sat, 16 Feb 2008, Nikos Mavrogiannopoulos wrote:

>> The culprit here for you is the -101. That's
>> gnutls_certificate_verify_peers2() returning GNUTLS_E_CONSTRAINT_ERROR.
>
> I can see two cases where this can be returned.
> 1. the verify depth of the certificate is quite high (ie the chain
> being verified is long).
> The default maximum depth is 6. Although it is possible to have such
> long chain, it is most probably
> a configuration error if the server sends more than 6 certificates.
> - this limit can be adjusted by gnutls_certificate_set_verify_limits()
>
> 2. the key bits of the certificates are longer than the maximum allowed 
> (8200). this limit can also be adjusted by the same function.

But seeing this is a live server used by mere mortals out there (it is a bank 
after all), wouldn't it perhaps be an indication that the defaults are a bit 
too restrictive? Also, both OpenSSL and Firefox (NSS) deal with it by default.

However, I tried adding this:

     gnutls_certificate_set_verify_limits(conn->ssl[sockindex].cred,
                                          20200, 18);

Is there any way for me to figure out sensible values for me to set to this 
function? I just upped them a couple of times until the function worked!

And yes, it now makes gnutls_certificate_verify_peers2() return success but 
then... verify_status still contained the GNUTLS_CERT_INVALID bit. So 
something still isn't liking this server!





More information about the Gnutls-help mailing list