main: TLS init def ctx failed: -1

Fredrik Unger fred at
Fri Nov 26 14:10:00 CET 2010


Have tried to dig deeper, using gnutls-serv.

gnutls-serv --version
gnutls-serv (GnuTLS) 2.8.6

sudo gnutls-serv --debug 9 --x509cafile /etc/ssl/cacert.pem --x509certfile /etc/ldap/cert/cert.pem --x509keyfile /etc/ldap/cert/key.pem

Processed 1 CA certificate(s).
|<2>| ASSERT:  <<<<<_b64.c:519
|<2>| ASSERT: privkey.c:171
|<2>| ASSERT: privkey.c:388
|<2>| ASSERT: privkey.c:415
|<2>| ASSERT: x509_b64.c:452
|<2>| Could not find '-----BEGIN PRIVATE KEY'
|<2>| ASSERT: x509_b64.c:452
|<2>| Could not find '-----BEGIN ENCRYPTED PRIVATE KEY'
|<2>| ASSERT: privkey_pkcs8.c:1099
|<2>| ASSERT: gnutls_x509.c:547
|<2>| ASSERT: gnutls_x509.c:597
Error reading '/etc/ldap/cert/cert.pem' or '/etc/ldap/cert/key.pem'
Error: Base64 unexpected header error.

sudo cat /etc/ldap/cert/key.pem
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,CA6CC40CD8CF4D0C802B925FC4EAAE91

Is the header the problem?

Using openssl the key works:
openssl version
OpenSSL 0.9.8o 01 Jun 2010

sudo openssl s_server -cert /etc/ldap/cert/cert.pem -key /etc/ldap/cert/key.pem -www
Enter pass phrase for /etc/ldap/cert/key.pem:
Using default temp DH parameters
Using default temp ECDH parameters

The key was created with an old openssl version (Oct 2008 after the 
dsa-1571 problem).

Do you need more information?
Can create a new key, but if it is a gnutls bug, this report might help.

/Fredrik Unger
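
Added example, not part of the original post: a small Python classifier that tells the traditional OpenSSL framing with Proc-Type/DEK-Info headers (as in the key.pem shown above) apart from the PKCS#8 'PRIVATE KEY' and 'ENCRYPTED PRIVATE KEY' labels that the gnutls-serv debug log searched for. The function name, the BEGIN/END label and the base64 body of the sample are constructed assumptions; the two header lines are the ones quoted in the post.

```python
import re

# PEM framing: BEGIN line, optional RFC 1421 headers, blank line, base64, END line.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed sample: header lines as quoted in the post, label and body made up.
SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,CA6CC40CD8CF4D0C802B925FC4EAAE91\n"
    "\n"
    "Q09OU1RSVUNURUQ=\n"
    "-----END RSA PRIVATE KEY-----\n")

def classify_private_key(pem_text):
    """Describe how a PEM private key is framed and whether it is encrypted."""
    m = PEM_RE.search(pem_text)
    if m is None:
        raise ValueError("no PEM block found")
    label, inner = m.group(1), m.group(2)
    # "Name: value" headers come before the base64 body; base64 never has ':'.
    headers = {}
    for line in inner.splitlines():
        if ":" not in line:
            break
        name, value = line.split(":", 1)
        headers[name.strip()] = value.strip()
    info = {"label": label, "encrypted": False, "cipher": None, "iv_hex": None}
    if label == "ENCRYPTED PRIVATE KEY":
        info["format"] = "pkcs8"
        info["encrypted"] = True  # encryption parameters are inside the DER
    elif label == "PRIVATE KEY":
        info["format"] = "pkcs8"
    elif label.endswith(" PRIVATE KEY"):  # e.g. RSA / DSA / EC PRIVATE KEY
        info["format"] = "traditional"
        if headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED":
            info["encrypted"] = True
            cipher, _, iv = headers.get("DEK-Info", "").partition(",")
            info["cipher"], info["iv_hex"] = cipher or None, iv or None
    else:
        raise ValueError("not a private key block: " + label)
    return info

if __name__ == "__main__":
    print(classify_private_key(SAMPLE))
```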
