[Help-gnutls] Key usage violation in certificate

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Oct 31 01:27:45 CET 2008


On Thu 2008-10-30 18:40:26 -0400, Kevin P. Fleming wrote:

> I've rebuilt the server's cert with the X509v3 Key Usage set to 'Digital
> Signature' and 'Key Encipherment', but that has not solved the problem.
>
> Can someone please connect to https://origsvn.digium.com and tell me why
> GNUTLS won't accept the server's cert? Thanks.

I can't seem to connect to your server with either openssl or gnutls,
actually.  Can you?  

[0 dkg at squeak ~]$ openssl s_client -showcerts -verify 5 -connect origsvn.digium.com:443
verify depth is 5
CONNECTED(00000003)
depth=1 /C=US/ST=Alabama/L=Huntsville/O=Digium, Inc./OU=Asterisk Development Team/CN=Digium SVN CA/emailAddress=asteriskteam at digium.com
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 /C=US/ST=Alabama/L=Huntsville/O=Digium, Inc./OU=Asterisk Development Team/CN=Digium SVN CA/emailAddress=asteriskteam at digium.com
verify return:1
depth=0 /C=US/ST=Alabama/L=Huntsville/O=Digium/OU=Asterisk Development Team/CN=origsvn.digium.com/emailAddress=asteriskteam at digium.com
verify return:1
28424:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
28424:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
[0 dkg at squeak ~]$ gnutls-cli --verbose  origsvn.digium.com --port 443
Resolving 'origsvn.digium.com'...
Connecting to '216.207.245.42:443'...
- Server's trusted authorities:
   [0]: C=US,ST=Alabama,L=Huntsville,O=Digium\, Inc.,OU=Asterisk Development Team,CN=Digium SVN CA,EMAIL=asteriskteam at digium.com
- Successfully sent 0 certificate(s) to server.
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
[1 dkg at squeak ~]$ 

I can apparently connect to it with LibNSS-based clients (ssltap and
iceweasel), but that's it. :(

   --dkg
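The subject line concerns key usage, and the quoted message says the server cert was rebuilt with Digital Signature and Key Encipherment. Which of those bits a server needs depends on the key exchange negotiated: static RSA key exchange encrypts the premaster secret to the server's key (keyEncipherment), while DHE/ECDHE suites have the server sign ephemeral parameters (digitalSignature); a client that enforces RFC 5280 key usage will abort the handshake when the bit the negotiated suite needs is missing. The following is an added example, not code from the thread or from GnuTLS or OpenSSL: it decodes the DER BIT STRING value of a KeyUsage extension and lists the key exchange families a certificate with those bits may be used for. The mapping table and the sample DER bytes are constructed here for illustration.

```python
"""Decode an X.509 KeyUsage extension value (a DER BIT STRING) and report which
TLS key exchange families a server certificate carrying those bits may serve.

Added example for the thread above; not from the original post. The sample
DER byte strings below are constructed by hand for illustration.
"""

# Bit positions from RFC 5280 section 4.2.1.3 (bit 0 is the most significant
# bit of the first content byte of the BIT STRING).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# Assumed (illustrative) mapping: which key usage bit a server certificate must
# carry for each TLS 1.2 key exchange family.
REQUIRED_BY_KX = {
    "RSA": "keyEncipherment",        # client encrypts premaster secret to the server key
    "DHE_RSA": "digitalSignature",   # server signs its ephemeral DH parameters
    "ECDHE_RSA": "digitalSignature",
    "ECDHE_ECDSA": "digitalSignature",
    "ECDH_ECDSA": "keyAgreement",    # static ECDH key in the certificate
}


def decode_key_usage(der: bytes) -> set:
    """Parse a short-form DER KeyUsage BIT STRING into a set of usage names.

    Raises ValueError on anything that is not a well-formed BIT STRING of the
    shape a KeyUsage value takes (tag 0x03, one-byte length, unused-bits byte).
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or unsupported (long-form) length")
    unused = der[2]
    if unused > 7:
        raise ValueError("unused-bits byte out of range")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            usages.add(KEY_USAGE_BITS[i])
    return usages


def permitted_key_exchanges(usages) -> list:
    """Key exchange families allowed for a certificate with the given usages.

    Pass None when the KeyUsage extension is absent: then nothing is restricted.
    An empty set (extension present, no bits set) permits nothing.
    """
    if usages is None:
        return sorted(REQUIRED_BY_KX)
    return sorted(kx for kx, bit in REQUIRED_BY_KX.items() if bit in usages)


# Constructed samples: digitalSignature+keyEncipherment (bits 0 and 2, 5 unused
# bits), a CA-style keyCertSign+cRLSign, and keyEncipherment alone.
SAMPLE_DS_KE = bytes.fromhex("030205a0")
SAMPLE_CA = bytes.fromhex("03020106")
SAMPLE_KE_ONLY = bytes.fromhex("03020520")

if __name__ == "__main__":
    for label, der in (("ds+ke", SAMPLE_DS_KE), ("ca", SAMPLE_CA), ("ke", SAMPLE_KE_ONLY)):
        usages = decode_key_usage(der)
        print(label, sorted(usages), "->", permitted_key_exchanges(usages))
```

Run it against the value of the X509v3 Key Usage extension pulled from a certificate (for example the raw extension bytes from an ASN.1 dump) to see which suites a strict client would still accept; a cert carrying only keyEncipherment cannot serve any DHE or ECDHE suite under this check.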