[Help-gnutls] Re: Key usage violation in certificate

Roland Winkler Roland.Winkler at physik.uni-erlangen.de
Sun May 31 01:05:33 CEST 2009


On Sat May 30 2009 Daniel Kahn Gillmor wrote:
> You can try this:
> 
> echo QUIT | gnutls-cli --print-cert --starttls --port 25 foo.bar.com
> 
> If that doesn't work (I'm having difficulty getting it to behave as I
> would expect right now), 

Thank you. The above doesn't work for me either:

Resolving 'foo.bar.com'...
Connecting to '64.34.161.100:25'...

- Simple Client Mode:

*** Starting TLS handshake
*** Non fatal error: Function was interrupted.
*** Fatal error: A TLS packet with unexpected length was received.
*** Handshake has failed

> and you have access to openssl, you could do:
> 
> echo QUIT | openssl s_client -starttls smtp -connect foo.bar.com:25

Yes, that worked for me, too. So when I run the certificate through
certtool, everything looks fine to me (no complaints from certtool).
The output of certtool is below. So what's wrong here?

Thanks a lot for your help,

Roland



X.509 Certificate Information:
	Version: 3
	Serial Number (hex): 05
	Issuer: C=DE,ST=Bavaria,L=Erlangen,O=Universitaet Erlangen,OU=Physik,CN=Physik CA,EMAIL=postmaster at foo.bar.com
	Validity:
		Not Before: Wed May 21 13:22:56 UTC 2008
		Not After: Fri Apr 29 13:22:56 UTC 2016
	Subject: C=DE,ST=Bavaria,L=Erlangen,O=Universitaet Erlangen,OU=Physik,CN=server.foo.bar.com,EMAIL=admins at server.foo.bar.com
	Subject Public Key Algorithm: RSA
		Modulus (bits 2048):
		Exponent:
			01:00:01
	Extensions:
		Basic Constraints (not critical):
			Certificate Authority (CA): FALSE
		Unknown extension 2.16.840.1.113730.1.13 (not critical):
			ASCII: .!YaST Generated Server Certificate
			Hexdump: 1621596153542047656e65726174656420536572766572204365727469666963617465
		Unknown extension 2.16.840.1.113730.1.1 (not critical):
			ASCII: ...@
			Hexdump: 03020640
		Key Usage (not critical):
			Key encipherment.
		Subject Key Identifier (not critical):
			ebd32842114e32fb4a59e96e7f368844c82a0fdc
		Authority Key Identifier (not critical):
			26a9c14bf99be19e4e3a1598b18e8a28e20246af
		Subject Alternative Name (not critical):
			RFC822name: admins at server.foo.bar.com
		Unknown extension 2.5.29.18 (not critical):
			ASCII: 0#.!postmaster at foo.bar.com
			Hexdump: 30238121706f73746d61737465724070687973696b2e756e692d65726c616e67656e2e6465
	Signature Algorithm: RSA-SHA
	Signature:
Other Information:
	MD5 fingerprint:
		3d1adc22cc153763e422e38fb3a0f8a4
	SHA-1 fingerprint:
		a71ffdcd5b09e4901cff2160a8e8f97137cdc2fb
	Public Key Id:
		e0ac4c05064b23d6ab821b860c5c69eb6d5e5d39
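
Added example, not part of the original message and not GnuTLS code: the Key Usage extension in the certtool output above lists only key encipherment, and RFC 5246 section 7.4.2 ties the usage bits of the server certificate to the key-exchange method. The sketch below reads certtool-style text and reports which RSA-certificate key exchanges the extension permits. The sample text is constructed, the function names are hypothetical, and the label "Digital signature." is assumed to be how certtool prints that bit.

```python
import re

# RFC 5246 section 7.4.2: usage bit the server certificate must carry,
# per key-exchange method, when a Key Usage extension is present.
REQUIRED_BIT = {
    "RSA": "key encipherment",
    "DHE_RSA": "digital signature",    # label assumed, see lead-in
    "ECDHE_RSA": "digital signature",
}

# Constructed excerpt in the layout of the certtool output above.
SAMPLE = """\
    Extensions:
        Basic Constraints (not critical):
            Certificate Authority (CA): FALSE
        Key Usage (not critical):
            Key encipherment.
        Subject Key Identifier (not critical):
            ebd32842114e32fb4a59e96e7f368844c82a0fdc
"""

def key_usage(certtool_text):
    """Return the set of usages listed under 'Key Usage', or None if absent."""
    usages, inside, depth = None, False, 0
    for line in certtool_text.splitlines():
        indent = len(line) - len(line.lstrip("\t "))
        if re.match(r"\s*Key Usage \((not )?critical\):", line):
            usages, inside, depth = set(), True, indent
        elif inside and line.strip() and indent > depth:
            usages.add(line.strip().rstrip(".").lower())
        elif inside and line.strip():
            inside = False  # back at the extension level: block is over
    return usages

def permitted_key_exchanges(certtool_text):
    """Map each key-exchange method to whether the certificate allows it."""
    usages = key_usage(certtool_text)
    if usages is None:  # no Key Usage extension means no restriction
        return {kx: True for kx in REQUIRED_BIT}
    return {kx: bit in usages for kx, bit in REQUIRED_BIT.items()}

if __name__ == "__main__":
    for kx, ok in permitted_key_exchanges(SAMPLE).items():
        print(f"{kx:10s} {'allowed' if ok else 'key usage violation'}")
```
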
