[Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID

Rainer Gerhards rgerhards at gmail.com
Fri Jun 20 11:39:10 CEST 2008


Just some more info: the certificate was generated with GnuTLS 2.3.11
on CentOS (in case that helps ;)).

Rainer

On Fri, Jun 20, 2008 at 10:40 AM, Rainer Gerhards <rgerhards at gmail.com> wrote:
> Some more info: asn1_read_value returns ASN1_ELEMENT_NOT_FOUND. The
> value in question is "pathLenConstraint", node is a non-NULL value (I
> put a printf() in _gnutls_x509_read_uint()).
>
> Rainer
>
> On Fri, Jun 20, 2008 at 10:26 AM, Rainer Gerhards <rgerhards at gmail.com> wrote:
>> I mangled the names (## in their places) because this is a cert I
>> received from a user:
>>
>> [root at rgf9dev nick]# certtool -i < cert.pem
>> X.509 Certificate Information:
>>        Version: 3
>>        Serial Number (hex): 485a73f4
>>        Issuer: C=US,O=###Host,OU=Online,L=##,ST=##,CN=######.com
>>        Validity:
>>                Not Before: Thu Jun 19 14:57:58 UTC 2008
>>                Not After: Wed Mar 16 14:58:01 UTC 2011
>>        Subject: C=US,O=######,OU=Online,L=######,ST=##,CN=######.com
>>        Subject Public Key Algorithm: RSA
>>                Modulus (bits 2048):
>>                        ac:ad:f0:eb:35:6b:9e:41:e9:6a:67:03:ed:2c:12:6e
>>                        00:ea:ae:ea:10:2a:bd:52:00:4a:2d:d3:55:77:20:b6
>>                        dd:78:97:e3:83:4d:19:f8:64:af:7d:58:e7:b3:bb:92
>>                        05:92:0e:38:9b:98:2e:55:44:74:3b:af:24:65:33:f8
>>                        42:d6:76:b5:f2:97:dc:8c:e8:b5:ae:a6:1d:17:71:62
>>                        16:cc:db:1c:78:ae:a2:53:78:7a:88:3e:b0:85:ce:4f
>>                        3b:e9:76:53:db:6f:f4:40:99:24:91:ec:b9:ab:40:76
>>                        66:de:21:3e:36:1b:7c:ff:7e:ca:0c:9f:e8:5c:52:84
>>                        3d:cb:51:41:db:30:89:c9:0c:95:f1:da:d2:d7:4f:30
>>                        73:2b:00:a5:e2:a0:da:27:84:6c:db:03:11:8c:a3:16
>>                        3c:2d:48:30:c7:a3:0a:26:ea:68:4a:c2:e8:7e:e0:ae
>>                        6a:66:c3:80:d3:38:66:8f:49:37:c8:af:01:10:aa:f0
>>                        cf:59:73:55:44:e9:99:ba:a2:9f:3c:42:91:06:02:04
>>                        6b:f8:76:da:21:31:66:77:af:64:1b:48:59:62:59:7e
>>                        28:bd:4e:99:76:6d:bf:b1:09:78:32:6e:e2:16:4b:67
>>                        fc:06:5f:86:e4:18:54:cb:01:5a:5f:74:81:b5:98:5f
>>                Exponent:
>>                        01:00:01
>>        Extensions:
>>                Basic Constraints (critical):
>>                        Certificate Authority (CA): FALSE
>>                Key Purpose (not critical):
>>                        TLS WWW Client.
>>                        TLS WWW Server.
>>                Subject Alternative Name (not critical):
>>                        DNSname: ######
>>                Subject Key Identifier (not critical):
>>                        504a788c6ac79c390474f2d4ea93178bb851bd3e
>>                Authority Key Identifier (not critical):
>>                        b8ef8b453849432cbee53238e6ec165d75b45b28
>>        Signature Algorithm: RSA-SHA
>>        Signature:
>>                57:8d:2c:14:0c:2a:2a:86:35:0d:9c:9e:b0:6e:76:0c
>>                22:6f:6e:bc:0b:db:4f:a1:c5:29:62:60:e4:03:d1:df
>>                10:b0:2f:c2:2d:f3:a0:62:cf:33:7c:cb:ba:67:53:8c
>>                8d:bb:bb:0a:6d:fe:7f:74:e4:2f:ae:2d:e4:77:f5:ad
>>                c3:77:c9:76:9a:57:fd:f1:63:b6:dc:b1:2c:fa:3f:5f
>>                96:da:a7:42:2f:36:a0:af:6e:56:1e:30:d1:e5:f3:7b
>>                64:10:22:14:44:05:7b:a2:a6:27:f0:d2:b3:47:3f:74
>>                25:81:f7:7f:91:ca:8c:7b:a0:fe:fe:89:86:6e:d9:45
>>                97:8d:f0:93:5c:0e:d2:fe:11:00:28:92:c8:e6:a3:a8
>>                60:9c:0e:b2:33:90:29:ed:b4:e8:21:73:56:9d:ad:fe
>>                c1:04:fe:23:aa:3a:39:ef:e0:39:0e:8a:91:b0:14:7e
>>                41:2b:d1:08:0f:96:a0:5f:11:8a:bf:66:92:1a:b5:12
>>                a3:19:f7:59:1f:ef:8c:59:34:72:49:97:8c:f4:79:f4
>>                e6:3d:5e:b5:b4:5c:96:8f:71:d2:0e:e0:c8:af:55:6f
>>                d6:36:ef:3f:89:98:14:38:6d:bf:2f:76:4b:d3:7b:bf
>>                20:d7:48:85:9b:76:60:45:43:be:f8:d4:05:c0:bc:24
>> Other Information:
>>        MD5 fingerprint:
>>                728189e4c0f146e4d302b6a2eb5341e9
>>        SHA-1 fingerprint:
>>                66762b9c21aaef11209125b909ea13c5c96f3b8e
>>        Public Key Id:
>>                504a788c6ac79c390474f2d4ea93178bb851bd3e
>>
>>
>> Rainer
>>
>> On Fri, Jun 20, 2008 at 9:58 AM, Nikos Mavrogiannopoulos
>> <n.mavrogiannopoulos at gmail.com> wrote:
>>> On Fri, Jun 20, 2008 at 10:06 AM, Rainer Gerhards <rgerhards at gmail.com> wrote:
>>>> I dug a bit deeper and the problem seems to manifest here:
>>>>
>>>> 5292.506957161:main queue:Reg/w0: GnuTLS handshake succeeded
>>>> 5292.512077291:main queue:Reg/w0: nsd_gtls.c:1013: gtlsChkPeerAuth: enter
>>>> 5292.514658306:main queue:Reg/w0: nsd_gtls.c:919: gtlsChkPeerCertValidity: enter
>>>> 5292.629403970:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: mpi.c:587
>>>>
>>>> 5292.671502166:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT:
>>>> gnutls_pk.c:285
>>>>
>>>> 5292.672798260:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:552
>>>>
>>>> 5292.673415581:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:642
>>>>
>>>> 5292.675380113:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:301
>>>>
>>>> 5292.741284540:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: dn.c:1212
>>>>
>>>> 5292.744965838:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:395
>>>>
>>>> 5292.751276475:main queue:Reg/w0: GnuTLS returned no specific reason
>>>> for GNUTLS_CERT_INVALID, certificate status is 2
>>>>
>>>> I used the code I just pulled from the git archive. So the assert in
>>>> mpi.c is this one here:
>>>
>>> It seems like a value cannot be parsed. What is the output of certtool
>>> in this certificate?
>>>
>>
>
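As an added illustration of the ASN.1 point in the thread (this is not GnuTLS code and not code from the thread), the Basic Constraints extension is defined as SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER (0..MAX) OPTIONAL }. Under DER a DEFAULT value is omitted and an OPTIONAL one may be absent, so a reader asking for "pathLenConstraint" in a CA:FALSE certificate like the one above will normally find no such element; a decoder must treat that as the ordinary case rather than a malformed value. The small standalone decoder below does that and rejects the encodings that actually are invalid (non-minimal lengths, an explicitly encoded FALSE, negative or non-minimal integers, trailing bytes). The sample byte strings are constructed for the example; they are not the bytes of the certificate posted in the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded BasicConstraints ::= SEQUENCE {
 *     cA                 BOOLEAN DEFAULT FALSE,
 *     pathLenConstraint  INTEGER (0..MAX) OPTIONAL }
 * Under DER a DEFAULT value is omitted and an OPTIONAL field may be missing,
 * so "pathLenConstraint not found" is the expected state for most
 * certificates, not a decoding failure. */
typedef struct {
    int ca;                 /* cA: 0 unless the encoded BOOLEAN is TRUE */
    int has_pathlen;        /* 1 if pathLenConstraint was present */
    unsigned long pathlen;  /* valid only when has_pathlen == 1 */
} basic_constraints_t;

enum { BC_OK = 0, BC_ERR_TRUNCATED = -1, BC_ERR_BAD_TAG = -2, BC_ERR_BAD_DER = -3 };

/* Read one DER tag/length header (short form and 1- or 2-byte long form). */
static int der_read_tlv(const uint8_t *p, size_t avail,
                        uint8_t *tag, size_t *len, size_t *hdr)
{
    if (avail < 2) return BC_ERR_TRUNCATED;
    *tag = p[0];
    if (p[1] < 0x80) { *len = p[1]; *hdr = 2; }
    else if (p[1] == 0x81) {
        if (avail < 3) return BC_ERR_TRUNCATED;
        *len = p[2]; *hdr = 3;
        if (*len < 0x80) return BC_ERR_BAD_DER;      /* non-minimal length */
    } else if (p[1] == 0x82) {
        if (avail < 4) return BC_ERR_TRUNCATED;
        *len = ((size_t)p[2] << 8) | p[3]; *hdr = 4;
        if (*len < 0x100) return BC_ERR_BAD_DER;     /* non-minimal length */
    } else return BC_ERR_BAD_DER;                    /* longer forms not needed here */
    if (*len > avail - *hdr) return BC_ERR_TRUNCATED;
    return BC_OK;
}

int decode_basic_constraints(const uint8_t *der, size_t der_len, basic_constraints_t *out)
{
    uint8_t tag; size_t len, hdr; int rc;
    const uint8_t *p; size_t rem;

    out->ca = 0; out->has_pathlen = 0; out->pathlen = 0;

    rc = der_read_tlv(der, der_len, &tag, &len, &hdr);
    if (rc) return rc;
    if (tag != 0x30) return BC_ERR_BAD_TAG;          /* must be a SEQUENCE */
    if (hdr + len != der_len) return BC_ERR_BAD_DER; /* trailing bytes */
    p = der + hdr; rem = len;

    /* cA: DER forbids encoding the DEFAULT value, so an explicit FALSE is malformed. */
    if (rem > 0 && p[0] == 0x01) {
        rc = der_read_tlv(p, rem, &tag, &len, &hdr);
        if (rc) return rc;
        if (len != 1 || p[hdr] != 0xFF) return BC_ERR_BAD_DER;
        out->ca = 1;
        p += hdr + len; rem -= hdr + len;
    }

    /* pathLenConstraint: absent is normal; when present it must be a
     * minimal, non-negative INTEGER that fits an unsigned long. */
    if (rem > 0 && p[0] == 0x02) {
        unsigned long v = 0; size_t i;
        rc = der_read_tlv(p, rem, &tag, &len, &hdr);
        if (rc) return rc;
        if (len == 0 || len > sizeof v) return BC_ERR_BAD_DER;
        if (p[hdr] & 0x80) return BC_ERR_BAD_DER;                       /* negative */
        if (len > 1 && p[hdr] == 0x00 && !(p[hdr + 1] & 0x80))
            return BC_ERR_BAD_DER;                                      /* leading zero */
        for (i = 0; i < len; i++) v = (v << 8) | p[hdr + i];
        out->has_pathlen = 1; out->pathlen = v;
        p += hdr + len; rem -= hdr + len;
    }

    return rem == 0 ? BC_OK : BC_ERR_BAD_DER;        /* unexpected extra element */
}

/* Chain rule derived from the extension: only cA=TRUE certificates may sign
 * others, and pathLenConstraint bounds how many CAs may sit below them. */
int may_issue_with_subordinates(const basic_constraints_t *bc, unsigned long subordinate_cas)
{
    if (!bc->ca) return 0;
    if (bc->has_pathlen && subordinate_cas > bc->pathlen) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample values, not bytes taken from the certificate in the thread. */
    const uint8_t leaf[]  = { 0x30, 0x00 };                                     /* CA:FALSE */
    const uint8_t root[]  = { 0x30, 0x03, 0x01, 0x01, 0xFF };                   /* CA:TRUE */
    const uint8_t subca[] = { 0x30, 0x06, 0x01, 0x01, 0xFF, 0x02, 0x01, 0x00 }; /* CA:TRUE, pathlen 0 */
    const uint8_t *samples[] = { leaf, root, subca };
    const size_t sizes[] = { sizeof leaf, sizeof root, sizeof subca };
    size_t i;
    for (i = 0; i < 3; i++) {
        basic_constraints_t bc;
        int rc = decode_basic_constraints(samples[i], sizes[i], &bc);
        if (bc.has_pathlen)
            printf("sample %zu: rc=%d ca=%d pathlen=%lu\n", i, rc, bc.ca, bc.pathlen);
        else
            printf("sample %zu: rc=%d ca=%d pathlen=absent\n", i, rc, bc.ca);
    }
    return 0;
}
```

The error codes and function names here are my own for the example. The key behaviours are that an empty SEQUENCE (CA:FALSE, no path length) decodes successfully with has_pathlen == 0, and that a leaf certificate with CA:FALSE is never accepted as an issuer regardless of what the rest of the chain looks like.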