[Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID
Rainer Gerhards
rgerhards at gmail.com
Fri Jun 20 11:39:10 CEST 2008
Just some more info: the certificate was generated with GnuTLS 2.3.11
on CentOS (in case that helps ;)).
Rainer
On Fri, Jun 20, 2008 at 10:40 AM, Rainer Gerhards <rgerhards at gmail.com> wrote:
> Some more info: asn1_read_value returns ASN1_ELEMENT_NOT_FOUND. The
> value in question is "pathLenConstraint", node is a non-NULL value (I
> put a printf() in _gnutls_x509_read_uint()).
>
> Rainer
>
> On Fri, Jun 20, 2008 at 10:26 AM, Rainer Gerhards <rgerhards at gmail.com> wrote:
>> I mangled the names (## in their places) because this is a cert I
>> received from a user:
>>
>> [root at rgf9dev nick]# certtool -i < cert.pem
>> X.509 Certificate Information:
>> Version: 3
>> Serial Number (hex): 485a73f4
>> Issuer: C=US,O=###Host,OU=Online,L=##,ST=##,CN=######.com
>> Validity:
>> Not Before: Thu Jun 19 14:57:58 UTC 2008
>> Not After: Wed Mar 16 14:58:01 UTC 2011
>> Subject: C=US,O=######,OU=Online,L=######,ST=##,CN=######.com
>> Subject Public Key Algorithm: RSA
>> Modulus (bits 2048):
>> ac:ad:f0:eb:35:6b:9e:41:e9:6a:67:03:ed:2c:12:6e
>> 00:ea:ae:ea:10:2a:bd:52:00:4a:2d:d3:55:77:20:b6
>> dd:78:97:e3:83:4d:19:f8:64:af:7d:58:e7:b3:bb:92
>> 05:92:0e:38:9b:98:2e:55:44:74:3b:af:24:65:33:f8
>> 42:d6:76:b5:f2:97:dc:8c:e8:b5:ae:a6:1d:17:71:62
>> 16:cc:db:1c:78:ae:a2:53:78:7a:88:3e:b0:85:ce:4f
>> 3b:e9:76:53:db:6f:f4:40:99:24:91:ec:b9:ab:40:76
>> 66:de:21:3e:36:1b:7c:ff:7e:ca:0c:9f:e8:5c:52:84
>> 3d:cb:51:41:db:30:89:c9:0c:95:f1:da:d2:d7:4f:30
>> 73:2b:00:a5:e2:a0:da:27:84:6c:db:03:11:8c:a3:16
>> 3c:2d:48:30:c7:a3:0a:26:ea:68:4a:c2:e8:7e:e0:ae
>> 6a:66:c3:80:d3:38:66:8f:49:37:c8:af:01:10:aa:f0
>> cf:59:73:55:44:e9:99:ba:a2:9f:3c:42:91:06:02:04
>> 6b:f8:76:da:21:31:66:77:af:64:1b:48:59:62:59:7e
>> 28:bd:4e:99:76:6d:bf:b1:09:78:32:6e:e2:16:4b:67
>> fc:06:5f:86:e4:18:54:cb:01:5a:5f:74:81:b5:98:5f
>> Exponent:
>> 01:00:01
>> Extensions:
>> Basic Constraints (critical):
>> Certificate Authority (CA): FALSE
>> Key Purpose (not critical):
>> TLS WWW Client.
>> TLS WWW Server.
>> Subject Alternative Name (not critical):
>> DNSname: ######
>> Subject Key Identifier (not critical):
>> 504a788c6ac79c390474f2d4ea93178bb851bd3e
>> Authority Key Identifier (not critical):
>> b8ef8b453849432cbee53238e6ec165d75b45b28
>> Signature Algorithm: RSA-SHA
>> Signature:
>> 57:8d:2c:14:0c:2a:2a:86:35:0d:9c:9e:b0:6e:76:0c
>> 22:6f:6e:bc:0b:db:4f:a1:c5:29:62:60:e4:03:d1:df
>> 10:b0:2f:c2:2d:f3:a0:62:cf:33:7c:cb:ba:67:53:8c
>> 8d:bb:bb:0a:6d:fe:7f:74:e4:2f:ae:2d:e4:77:f5:ad
>> c3:77:c9:76:9a:57:fd:f1:63:b6:dc:b1:2c:fa:3f:5f
>> 96:da:a7:42:2f:36:a0:af:6e:56:1e:30:d1:e5:f3:7b
>> 64:10:22:14:44:05:7b:a2:a6:27:f0:d2:b3:47:3f:74
>> 25:81:f7:7f:91:ca:8c:7b:a0:fe:fe:89:86:6e:d9:45
>> 97:8d:f0:93:5c:0e:d2:fe:11:00:28:92:c8:e6:a3:a8
>> 60:9c:0e:b2:33:90:29:ed:b4:e8:21:73:56:9d:ad:fe
>> c1:04:fe:23:aa:3a:39:ef:e0:39:0e:8a:91:b0:14:7e
>> 41:2b:d1:08:0f:96:a0:5f:11:8a:bf:66:92:1a:b5:12
>> a3:19:f7:59:1f:ef:8c:59:34:72:49:97:8c:f4:79:f4
>> e6:3d:5e:b5:b4:5c:96:8f:71:d2:0e:e0:c8:af:55:6f
>> d6:36:ef:3f:89:98:14:38:6d:bf:2f:76:4b:d3:7b:bf
>> 20:d7:48:85:9b:76:60:45:43:be:f8:d4:05:c0:bc:24
>> Other Information:
>> MD5 fingerprint:
>> 728189e4c0f146e4d302b6a2eb5341e9
>> SHA-1 fingerprint:
>> 66762b9c21aaef11209125b909ea13c5c96f3b8e
>> Public Key Id:
>> 504a788c6ac79c390474f2d4ea93178bb851bd3e
>>
>>
>> Rainer
>>
>> On Fri, Jun 20, 2008 at 9:58 AM, Nikos Mavrogiannopoulos
>> <n.mavrogiannopoulos at gmail.com> wrote:
>>> On Fri, Jun 20, 2008 at 10:06 AM, Rainer Gerhards <rgerhards at gmail.com> wrote:
>>>> I dug a bit deeper and the problem seems to manifest here:
>>>>
>>>> 5292.506957161:main queue:Reg/w0: GnuTLS handshake succeeded
>>>> 5292.512077291:main queue:Reg/w0: nsd_gtls.c:1013: gtlsChkPeerAuth: enter
>>>> 5292.514658306:main queue:Reg/w0: nsd_gtls.c:919: gtlsChkPeerCertValidity: enter
>>>> 5292.629403970:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: mpi.c:587
>>>>
>>>> 5292.671502166:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT:
>>>> gnutls_pk.c:285
>>>>
>>>> 5292.672798260:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:552
>>>>
>>>> 5292.673415581:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:642
>>>>
>>>> 5292.675380113:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:301
>>>>
>>>> 5292.741284540:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: dn.c:1212
>>>>
>>>> 5292.744965838:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:395
>>>>
>>>> 5292.751276475:main queue:Reg/w0: GnuTLS returned no specific reason
>>>> for GNUTLS_CERT_INVALID, certificate status is 2
>>>>
>>>> I used the code I just pulled from the git archive. So the assert in
>>>> mpi.c is this one here:
>>>
>>> It seems like a value cannot be parsed. What is the output of certtool
>>> in this certificate?
>>>
>>
>
More information about the Gnutls-help
mailing list