[gnutls-help] Gnutls with TPM "Handshake failed"

Florian Klickermann florian.klickermann at gmail.com
Thu Mar 14 12:22:13 CET 2013


Hi all, and first, excuse me for being a total beginner with gnutls. I'm trying
to create certificates with the TPM and connect to a server.
I use a BeagleboardxM, TPM 1.2 with Debian, a 3.7 kernel and gnutls-3.1.1.
I've created the following keys and certificates (pubkey, ca-cert, ca-key,
cert):

$ tpmtool --generate-rsa --bits 2048 --register --user
tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user

$ tpmtool --pubkey "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user" --outfile=pubkey.pem

$ certtool --generate-privkey --load-privkey "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user" --outfile ca-key.pem

$ certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem

$ certtool --generate-certificate --outfile cert.pem --load-privkey "tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user" --load-pubkey pubkey.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem

For a first test, I created a server on the BeagleBoard and connected to
localhost with the client, and I get the following client error:

Server:
$ gnutls-serv --x509cafile /etc/ssl/certs/ca-cert.pem --x509keyfile /etc/ssl/certs/ca-key.pem -p 443
Set static Diffie-Hellman parameters, consider --dhparams.
Processed 1 CA certificate(s).
HTTP Server listening on IPv4 0.0.0.0 port 443...done
HTTP Server listening on IPv6 :: port 443...done

Client:
$ gnutls-cli --x509keyfile "
tpmkey:uuid=9f59a38c-771a-41b8-86c9-c4f3095c6859;storage=user "
--x509certfile /etc/ssl/certs/cert.pem -p 443 localhost
Processed 141 CA certificate(s).
Token 'SRK' with URL 'TPM' requires user PIN
Enter PIN:
Processed 1 client X.509 certificates...
Resolving 'localhost'...
Connecting to '127.0.0.1:443'...
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
No certificates found!
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.

I don't know where my mistakes are.
Thanks for your time, and moreover for those great tools.
Florian