[Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID

Rainer Gerhards rgerhards at gmail.com
Fri Jun 20 10:26:11 CEST 2008 

I mangled the names (## in their places) because this is a cert I
received from a user:

[root at rgf9dev nick]# certtool -i < cert.pem
X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 485a73f4
	Issuer: C=US,O=###Host,OU=Online,L=##,ST=##,CN=######.com
	Validity:
		Not Before: Thu Jun 19 14:57:58 UTC 2008
		Not After: Wed Mar 16 14:58:01 UTC 2011
	Subject: C=US,O=######,OU=Online,L=######,ST=##,CN=######.com
	Subject Public Key Algorithm: RSA
		Modulus (bits 2048):
			ac:ad:f0:eb:35:6b:9e:41:e9:6a:67:03:ed:2c:12:6e
			00:ea:ae:ea:10:2a:bd:52:00:4a:2d:d3:55:77:20:b6
			dd:78:97:e3:83:4d:19:f8:64:af:7d:58:e7:b3:bb:92
			05:92:0e:38:9b:98:2e:55:44:74:3b:af:24:65:33:f8
			42:d6:76:b5:f2:97:dc:8c:e8:b5:ae:a6:1d:17:71:62
			16:cc:db:1c:78:ae:a2:53:78:7a:88:3e:b0:85:ce:4f
			3b:e9:76:53:db:6f:f4:40:99:24:91:ec:b9:ab:40:76
			66:de:21:3e:36:1b:7c:ff:7e:ca:0c:9f:e8:5c:52:84
			3d:cb:51:41:db:30:89:c9:0c:95:f1:da:d2:d7:4f:30
			73:2b:00:a5:e2:a0:da:27:84:6c:db:03:11:8c:a3:16
			3c:2d:48:30:c7:a3:0a:26:ea:68:4a:c2:e8:7e:e0:ae
			6a:66:c3:80:d3:38:66:8f:49:37:c8:af:01:10:aa:f0
			cf:59:73:55:44:e9:99:ba:a2:9f:3c:42:91:06:02:04
			6b:f8:76:da:21:31:66:77:af:64:1b:48:59:62:59:7e
			28:bd:4e:99:76:6d:bf:b1:09:78:32:6e:e2:16:4b:67
			fc:06:5f:86:e4:18:54:cb:01:5a:5f:74:81:b5:98:5f
		Exponent:
			01:00:01
	Extensions:
		Basic Constraints (critical):
			Certificate Authority (CA): FALSE
		Key Purpose (not critical):
			TLS WWW Client.
			TLS WWW Server.
		Subject Alternative Name (not critical):
			DNSname: ######
		Subject Key Identifier (not critical):
			504a788c6ac79c390474f2d4ea93178bb851bd3e
		Authority Key Identifier (not critical):
			b8ef8b453849432cbee53238e6ec165d75b45b28
	Signature Algorithm: RSA-SHA
	Signature:
		57:8d:2c:14:0c:2a:2a:86:35:0d:9c:9e:b0:6e:76:0c
		22:6f:6e:bc:0b:db:4f:a1:c5:29:62:60:e4:03:d1:df
		10:b0:2f:c2:2d:f3:a0:62:cf:33:7c:cb:ba:67:53:8c
		8d:bb:bb:0a:6d:fe:7f:74:e4:2f:ae:2d:e4:77:f5:ad
		c3:77:c9:76:9a:57:fd:f1:63:b6:dc:b1:2c:fa:3f:5f
		96:da:a7:42:2f:36:a0:af:6e:56:1e:30:d1:e5:f3:7b
		64:10:22:14:44:05:7b:a2:a6:27:f0:d2:b3:47:3f:74
		25:81:f7:7f:91:ca:8c:7b:a0:fe:fe:89:86:6e:d9:45
		97:8d:f0:93:5c:0e:d2:fe:11:00:28:92:c8:e6:a3:a8
		60:9c:0e:b2:33:90:29:ed:b4:e8:21:73:56:9d:ad:fe
		c1:04:fe:23:aa:3a:39:ef:e0:39:0e:8a:91:b0:14:7e
		41:2b:d1:08:0f:96:a0:5f:11:8a:bf:66:92:1a:b5:12
		a3:19:f7:59:1f:ef:8c:59:34:72:49:97:8c:f4:79:f4
		e6:3d:5e:b5:b4:5c:96:8f:71:d2:0e:e0:c8:af:55:6f
		d6:36:ef:3f:89:98:14:38:6d:bf:2f:76:4b:d3:7b:bf
		20:d7:48:85:9b:76:60:45:43:be:f8:d4:05:c0:bc:24
Other Information:
	MD5 fingerprint:
		728189e4c0f146e4d302b6a2eb5341e9
	SHA-1 fingerprint:
		66762b9c21aaef11209125b909ea13c5c96f3b8e
	Public Key Id:
		504a788c6ac79c390474f2d4ea93178bb851bd3e


Rainer

On Fri, Jun 20, 2008 at 9:58 AM, Nikos Mavrogiannopoulos
<n.mavrogiannopoulos at gmail.com> wrote:
> On Fri, Jun 20, 2008 at 10:06 AM, Rainer Gerhards <rgerhards at gmail.com> wrote:
>> I dug a bit deeper and the problem seems to manifest here:
>>
>> 5292.506957161:main queue:Reg/w0: GnuTLS handshake succeeded
>> 5292.512077291:main queue:Reg/w0: nsd_gtls.c:1013: gtlsChkPeerAuth: enter
>> 5292.514658306:main queue:Reg/w0: nsd_gtls.c:919: gtlsChkPeerCertValidity: enter
>> 5292.629403970:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: mpi.c:587
>>
>> 5292.671502166:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT:
>> gnutls_pk.c:285
>>
>> 5292.672798260:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:552
>>
>> 5292.673415581:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:642
>>
>> 5292.675380113:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:301
>>
>> 5292.741284540:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: dn.c:1212
>>
>> 5292.744965838:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:395
>>
>> 5292.751276475:main queue:Reg/w0: GnuTLS returned no specific reason
>> for GNUTLS_CERT_INVALID, certificate status is 2
>>
>> I used the code I just pulled from the git archive. So the assert in
>> mpi.c is this one here:
>
> It seems like a value cannot be parsed. What is the output of certtool
> in this certificate?
>

More information about the Gnutls-help mailing list