[Help-gnutls] Re: gnutls_certificate_verify_peers2() / GNUTLS_CERT_INVALID
Rainer Gerhards
rgerhards at gmail.com
Mon Jun 23 08:30:26 CEST 2008
Hi Nikos,
On Sun, Jun 22, 2008 at 12:52 PM, Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:
> Rainer Gerhards wrote:
>> Some more info: asn1_read_value returns ASN1_ELEMENT_NOT_FOUND. The
>> value in question is "pathLenConstraint", node is a non-NULL value (I
>> put a printf() in _gnutls_x509_read_uint()).
>
>>>>> 5292.675380113:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:301
>>>>>
>>>>> 5292.741284540:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: dn.c:1212
>>>>>
>>>>> 5292.744965838:main queue:Reg/w0: GnuTLS log msg, level 2: ASSERT: verify.c:395
>>>>>
>>>>> 5292.751276475:main queue:Reg/w0: GnuTLS returned no specific reason
>>>>> for GNUTLS_CERT_INVALID, certificate status is 2
>
> As far as I understand here the verification correctly does not succeed
> because some DN's do not match.
Could you elaborate on this? As far as I understood (what may be
wrong) there is no inter-dependency between the DNs. Is there some
that I have not seen?
> If you still think it is a gnutls bug,
I am not even sure it is a bug. My initial question was what this may
have caused. I am still trying to track down the actual problem cause,
but the error message is so generic that I have no clue where I should
look at. Everywhere I looked so far I could not find a problem. To
make matters worse, certificates generated in some environments (e.g.
Fedora 9) seem to work, while ones generated in others (Centos) do
not.
Certificates are generated according to this guide here (maybe you can
spot an error):
http://www.rsyslog.com/doc-tls_cert_ca.html
http://www.rsyslog.com/doc-tls_cert_machine.html
> please send a way for me to reproduce this problem (a chain of
> certificates that should verify, and the way to produce them).
I hope that Nick can provide certificates he generates - in my
environments, it always works (but I can't get Nick's certificates to
work). I have seen logs of what he entered during the generation, and
it looks exactly like what I did. Also, I do not see any differences
in the certs he sent me (and they do not work for me, either).
Again, I am not saying there is a bug in GnuTLS. Most probably I am
doing something wrong. But I can not find a clue on what it may be...
Thanks again,
Rainer
> However I'd say to check if the certificate chain is correctly send etc.
>
> regards,
> Nikos
>
More information about the Gnutls-help
mailing list