Internal error returned from within gnutls_certificate_set_openpgp_key()

Nikos Mavrogiannopoulos nmav at
Fri Sep 21 18:12:24 CEST 2012

On 09/21/2012 11:37 AM, Joke de Buhr wrote:

> hi,
> i discovered the internal error seems to be related to the openpgp key size.
> if the key contains just a single signing subkey with 2048 or more bits gnutls 
> reports the internal error. a signing subkey with 1024 bits will however.
> moreover the key can contain encryption subkeys up to 4096 bits without 
> problem as long as the encryption subkey isn't marked for signing. the 
> authentication flags doesn't seem to have any effect at all.
> the problem seems to be related to the key exchange algorithm. the signature 
> flag enables DHE_RSA and ECDHE_RSA whereas the encryption flag enable RSA key 
> exchange.
> any comments on how to avoid this problem?

Sorry for the late reply. What you say about the sizes could be because
of a static buffer used in gnutls. Could you enable debugging to figure
out which place rejects the long keys?

About the signing flags, you need them in order to use DHE-RSA and
ECDHE-RSA. Those two require RSA signatures. The RSA algorithm requires
an RSA encryption key. Does this explain what you notice?


More information about the Gnutls-help mailing list