[Help-gnutls] Key usage violation in certificate

Kevin P. Fleming kpfleming at digium.com
Fri Oct 31 16:29:04 CET 2008


Daniel Kahn Gillmor wrote:

> I can't seem to connect to your server with either openssl or gnutls,
> actually.  Can you?  
> 
> [0 dkg at squeak ~]$ openssl s_client -showcerts -verify 5 -connect origsvn.digium.com:443
> verify depth is 5
> CONNECTED(00000003)
> depth=1 /C=US/ST=Alabama/L=Huntsville/O=Digium, Inc./OU=Asterisk Development Team/CN=Digium SVN CA/emailAddress=asteriskteam at digium.com
> verify error:num=19:self signed certificate in certificate chain
> verify return:1
> depth=1 /C=US/ST=Alabama/L=Huntsville/O=Digium, Inc./OU=Asterisk Development Team/CN=Digium SVN CA/emailAddress=asteriskteam at digium.com
> verify return:1
> depth=0 /C=US/ST=Alabama/L=Huntsville/O=Digium/OU=Asterisk Development Team/CN=origsvn.digium.com/emailAddress=asteriskteam at digium.com
> verify return:1
> 28424:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
> 28424:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
> [0 dkg at squeak ~]$ gnutls-cli --verbose  origsvn.digium.com --port 443
> Resolving 'origsvn.digium.com'...
> Connecting to '216.207.245.42:443'...
> - Server's trusted authorities:
>    [0]: C=US,ST=Alabama,L=Huntsville,O=Digium\, Inc.,OU=Asterisk Development Team,CN=Digium SVN CA,EMAIL=asteriskteam at digium.com
> - Successfully sent 0 certificate(s) to server.
> *** Fatal error: A TLS fatal alert has been received.
> *** Received alert [40]: Handshake failed
> *** Handshake has failed
> GNUTLS ERROR: A TLS fatal alert has been received.
> [1 dkg at squeak ~]$ 

OK, I've attached (hopefully it will make it through the list) a client
cert that will allow TLS negotiation to complete on
https://origsvn.digium.com (although the resulting connection won't be
authorized to do anything).

If the GNUTLS experts can try connecting with this as the client cert
and inform me why GNUTLS reports a key usage violation on the server
cert that would be awesome :-)


-- 
Kevin P. Fleming
Director of Software Technologies
Digium, Inc. - "The Genuine Asterisk Experience" (TM)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutlstest-cert.p12
Type: application/octet-stream
Size: 5853 bytes
Desc: not available
URL: </pipermail/attachments/20081031/f53a5f4c/attachment.obj>
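The "key usage violation" Kevin asks about is the check TLS stacks apply to the server certificate's X.509 keyUsage extension: RFC 5246 section 7.4.2 requires a certificate used for plain RSA key exchange to permit key encipherment, while (EC)DHE suites only need it to permit signing. The following is an added example, not code from this thread or from GnuTLS, that decodes a DER KeyUsage BIT STRING and applies that rule; the certificate bytes are constructed for illustration and are not the origsvn.digium.com certificate.

```python
"""
Decode an X.509 KeyUsage extension and check it against the TLS key exchange.
Added example; the DER values below are constructed, not taken from the
server discussed in the thread.
"""

# RFC 5280 section 4.2.1.3 KeyUsage bit positions. Bit 0 is the most
# significant bit of the first content byte of the BIT STRING.
KEY_USAGE_BITS = {
    0: "digitalSignature",
    1: "nonRepudiation",
    2: "keyEncipherment",
    3: "dataEncipherment",
    4: "keyAgreement",
    5: "keyCertSign",
    6: "cRLSign",
    7: "encipherOnly",
    8: "decipherOnly",
}

# What each key exchange needs from the server certificate (RFC 5246 7.4.2).
# Plain RSA key exchange encrypts the premaster secret to the server's key,
# so it needs keyEncipherment; (EC)DHE signs the ephemeral parameters, so
# it needs digitalSignature. Suite names here are illustrative labels.
REQUIRED_USAGE = {
    "RSA": "keyEncipherment",
    "DHE-RSA": "digitalSignature",
    "ECDHE-RSA": "digitalSignature",
    "ECDHE-ECDSA": "digitalSignature",
}


def parse_key_usage(der):
    """Decode a DER-encoded KeyUsage BIT STRING into a set of usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # KeyUsage is at most 2 content bytes plus the unused-bits byte, so a
    # short-form length is all that is ever valid here.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused = der[2]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    usages = set()
    for bit, name in KEY_USAGE_BITS.items():
        if bit >= total_bits:
            break  # remaining bits are absent, i.e. not asserted
        if body[bit // 8] & (0x80 >> (bit % 8)):
            usages.add(name)
    return usages


def key_usage_violation(der, key_exchange):
    """Return None if the certificate may serve key_exchange, else the missing usage."""
    if key_exchange not in REQUIRED_USAGE:
        raise ValueError("unknown key exchange %r" % key_exchange)
    needed = REQUIRED_USAGE[key_exchange]
    return None if needed in parse_key_usage(der) else needed


# Constructed extension values (the extension's value only, without the
# OBJECT IDENTIFIER and OCTET STRING wrapper of the full extension):
#   digitalSignature + keyEncipherment -> bits 101, 5 unused
KU_SIGN_AND_ENCIPHER = bytes.fromhex("030205a0")
#   digitalSignature only (a certificate issued for (EC)DHE suites only)
KU_SIGN_ONLY = bytes.fromhex("03020780")
#   keyCertSign + cRLSign (a CA certificate wrongly installed as server cert)
KU_CA_ONLY = bytes.fromhex("03020106")

if __name__ == "__main__":
    for label, der in (("sign+encipher", KU_SIGN_AND_ENCIPHER),
                       ("sign only", KU_SIGN_ONLY),
                       ("CA only", KU_CA_ONLY)):
        for kx in ("RSA", "DHE-RSA"):
            missing = key_usage_violation(der, kx)
            verdict = "ok" if missing is None else "violation: missing " + missing
            print("%-14s %-8s %s" % (label, kx, verdict))
```

The practical check for a failing server is therefore to dump the server certificate's keyUsage extension and compare it with the key exchange of the cipher suite the server negotiates; a certificate that asserts digitalSignature but not keyEncipherment is rejected for RSA-key-exchange suites while still being acceptable for DHE suites.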
