[Help-gnutls] Key usage violation in certificate

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Nov 2 13:35:07 CET 2008


Kevin P. Fleming wrote:
> I'm fighting the same problem other Subversion users have been for the past
> few months: with the switch to Subversion on Ubuntu being built against
> GNUTLS instead of OpenSSL, users cannot connect to our server.
> 
> I've rebuilt the server's cert with the X509v3 Key Usage set to 'Digital
> Signature' and 'Key Encipherment', but that has not solved the problem.
> 
> Can someone please connect to https://origsvn.digium.com and tell me why
> GNUTLS won't accept the server's cert? Thanks.

Hello,
 Could you (or some of your users who have the problem) please send me the
output you get with the gnutls client if you issue a command similar to the
one below [0]. With gnutls-cli from 2.6.x I connected normally [1].

regards,
Nikos

[0]: ./gnutls-cli origsvn.digium.com -d 2 --x509keyfile key --x509certfile cert
(the files cert and key are attached)

[1]:

$ ./gnutls-cli origsvn.digium.com --x509keyfile key --x509certfile cert
Processed 1 client certificates...
Processed 1 client X.509 certificates...
Resolving 'origsvn.digium.com'...
Connecting to '216.207.245.42:443'...
- Ephemeral Diffie-Hellman parameters
 - Using prime: 1032 bits
 - Secret key: 1023 bits
 - Peer's public key: 1032 bits
- Certificate type: X.509
 - Got a certificate list of 2 certificates.

 - Certificate[0] info:
 # The hostname in the certificate matches 'origsvn.digium.com'.
 # valid since: Fri Oct 31 16:58:00 EET 2008
 # expires at: Wed Nov  4 16:58:00 EET 2015
 # fingerprint: 18:0D:03:38:59:B7:EA:86:48:84:E6:E6:98:F5:6A:D6
 # Subject's DN: C=US,ST=Alabama,L=Huntsville,O=Digium,OU=Asterisk
Development Team,CN=origsvn.digium.com,EMAIL=asteriskteam at digium.com
 # Issuer's DN: C=US,ST=Alabama,L=Huntsville,O=Digium\, Inc.,OU=Asterisk
Development Team,CN=Digium SVN CA,EMAIL=asteriskteam at digium.com

 - Certificate[1] info:
 # valid since: Sat Nov 26 01:31:47 EET 2005
 # expires at: Tue Nov 24 01:31:47 EET 2015
 # fingerprint: 33:1E:53:E8:4E:11:05:C9:DC:27:C3:AC:DD:FF:A9:53
 # Subject's DN: C=US,ST=Alabama,L=Huntsville,O=Digium\,
Inc.,OU=Asterisk Development Team,CN=Digium SVN
CA,EMAIL=asteriskteam at digium.com
 # Issuer's DN: C=US,ST=Alabama,L=Huntsville,O=Digium\, Inc.,OU=Asterisk
Development Team,CN=Digium SVN CA,EMAIL=asteriskteam at digium.com


- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.0
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Handshake was completed

- Simple Client Mode:

GET / HTTP/1.0

HTTP/1.1 404 Not Found
Date: Sun, 02 Nov 2008 12:23:55 GMT
Server: Apache
Content-Length: 267
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL / was not found on this server.</p>
<hr>
<address>Apache Server at origsvn.digium.com Port 443</address>
</body></html>
- Peer has closed the GNUTLS connection
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: key
URL: </pipermail/attachments/20081102/85a53f48/attachment.txt>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: cert
URL: </pipermail/attachments/20081102/85a53f48/attachment.asc>
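The "key usage violation" in the subject is the check a TLS client makes when the certificate's X.509v3 Key Usage extension does not permit what the negotiated key exchange needs from the server key: with DHE-RSA (the exchange in the transcript above) the server signs the ServerKeyExchange message, so the certificate must assert digitalSignature, while plain RSA key exchange has the server decrypt the premaster secret and needs keyEncipherment (RFC 5246 section 7.4.2, RFC 5280 section 4.2.1.3). The following script is an added example, not code from this mailing-list message or from GnuTLS: it decodes the raw DER value of a keyUsage extension and checks it against the key exchange as gnutls-cli names it. It assumes the caller has already extracted the extension value from the certificate (for instance with certtool or openssl), and the sample byte strings are constructed, not taken from the server discussed in the thread.

```python
"""Check an X.509 keyUsage extension against the negotiated TLS key exchange.

Added example; not from the GnuTLS mailing list or the GnuTLS code base.
Bit numbers follow RFC 5280 section 4.2.1.3; the key-exchange requirements
follow RFC 5246 section 7.4.2.
"""

KEY_USAGE_BITS = {
    0: "digitalSignature",
    1: "nonRepudiation",
    2: "keyEncipherment",
    3: "dataEncipherment",
    4: "keyAgreement",
    5: "keyCertSign",
    6: "cRLSign",
    7: "encipherOnly",
    8: "decipherOnly",
}

# keyUsage bit the server certificate must carry for a TLS 1.0-1.2 key
# exchange, keyed by the name gnutls-cli prints on its "Key Exchange:" line.
REQUIRED_USAGE = {
    "RSA": "keyEncipherment",        # server decrypts the premaster secret
    "DHE-RSA": "digitalSignature",   # server signs ServerKeyExchange
    "ECDHE-RSA": "digitalSignature",
    "DHE-DSS": "digitalSignature",
}


def decode_key_usage(der: bytes) -> set:
    """Decode a DER keyUsage BIT STRING into a set of flag names.

    Layout: 0x03 <length> <unused-bit-count> <bit bytes...>. Bit n is the
    n-th bit counting from the most significant bit of the first data byte.
    Only short-form lengths (< 128 bytes) are handled, which covers keyUsage.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or unsupported BIT STRING length")
    unused = der[2]
    data = der[3:]
    if unused > 7 or (not data and unused):
        raise ValueError("invalid unused-bit count")
    total_bits = len(data) * 8 - unused
    flags = set()
    for n in range(total_bits):
        if data[n // 8] & (0x80 >> (n % 8)):
            flags.add(KEY_USAGE_BITS.get(n, f"bit{n}"))
    return flags


def key_usage_permits(kx: str, key_usage) -> bool:
    """True if the certificate's keyUsage allows the negotiated key exchange.

    key_usage is the decoded flag set, or None when the certificate carries
    no keyUsage extension at all (RFC 5280 imposes no restriction then).
    """
    if key_usage is None:
        return True
    return REQUIRED_USAGE[kx] in key_usage


def check_handshake(kx: str, der: bytes) -> tuple:
    """Decode the extension and report (permitted, sorted flag names)."""
    flags = decode_key_usage(der)
    return key_usage_permits(kx, flags), sorted(flags)


# Constructed sample extension values (not from the server in the thread).
DS_KE = bytes.fromhex("030205a0")    # digitalSignature + keyEncipherment
KE_ONLY = bytes.fromhex("03020520")  # keyEncipherment only
DS_ONLY = bytes.fromhex("03020780")  # digitalSignature only

if __name__ == "__main__":
    samples = [("DS+KE", DS_KE), ("KE only", KE_ONLY), ("DS only", DS_ONLY)]
    for name, der in samples:
        for kx in ("DHE-RSA", "RSA"):
            ok, flags = check_handshake(kx, der)
            verdict = "ok" if ok else "KEY USAGE VIOLATION"
            print(f"{name:8s} {kx:8s} {verdict:20s} {flags}")
```

The interesting row is "KE only" with DHE-RSA: a certificate that asserts only keyEncipherment is fine for a server that negotiates plain RSA key exchange but is rejected once the server prefers an ephemeral Diffie-Hellman suite, because the RSA key is then used to sign rather than to decrypt. Conversely a certificate with only digitalSignature breaks RSA key exchange. Asserting both bits, as the original poster did, satisfies either exchange.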