[gnutls-help] new EC cert: Received alert [51]: Decrypt error

Mark Oteiza mvoteiza at udel.edu
Thu Apr 10 01:45:44 CEST 2014


Hi,

I generated a new EC client certificate to use with IRC.  I can use it with
s_client, but gnutls-cli fails.

gnutls 3.2.13
openssl 1.0.1.g

Here's what I've done:

$ openssl ecparam -name secp521r1 -genkey -out key
$ ls
key
$ openssl req -nodes -newkey ec:key -x509 -days 730 -out cert
$ ls
cert  key  privkey.pem
$ cat cert privkey.pem > foo.pem

$ openssl s_client -connect chat.freenode.net:7000 -state -debug
  -no_ssl2 -ign_eof -CAfile /etc/ssl/certs/ca-certificates.crt
  -cert ./foo.pem
CONNECTED(00000003)
depth=2 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network,
OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware
verify return:1
depth=1 C = FR, O = GANDI SAS, CN = Gandi Standard SSL CA
verify return:1
depth=0 OU = Domain Control Validated, OU = Gandi Standard Wildcard SSL,
CN = *.freenode.net
verify return:1
---
Server certificate
<SNIP>
---
No client certificate CA names sent
---
SSL handshake has read 4007 bytes and written 1520 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
<SNIP>
    Compression: 1 (zlib compression)
    Start Time: 1397085510
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
:dickson.freenode.net NOTICE * :*** Looking up your hostname...
# WORKS!

$ gnutls --x509cafile /etc/ssl/certs/ca-certificates.crt --x509certfile
  cert --x509keyfile ./key -p 7000 chat.freenode.net
Processed 167 CA certificate(s).
Processed 1 client X.509 certificates...
Resolving 'chat.freenode.net'...
Connecting to '185.30.166.38:7000'...
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
<SNIP>
- Certificate[1] info:
<SNIP>
- Status: The certificate is trusted.
- Server did not send us any trusted authorities names.
- Successfully sent 1 certificate(s) to server.
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [51]: Decrypt error
*** Handshake has failed
GnuTLS error: A TLS fatal alert has been received.

I attached the full debug output from gnutls-cli.


Mark Oteiza
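An added check, not from the original post or from the gnutls project, for the files produced above: in the transcript s_client is handed foo.pem (cert plus privkey.pem) while gnutls-cli is handed ./key, and `openssl req -newkey ec:key` reads only the curve parameters from `key` and writes a fresh key to privkey.pem, so the first thing to confirm is which key file the certificate was actually issued for. The script replays the post's steps non-interactively and reports the match; it assumes the openssl binary is on PATH and that a writable temp directory exists.

```shell
#!/bin/sh
# Added example, not from the original post: replay the certificate
# generation steps from the post, then check which private key actually
# matches the certificate before handing the pair to a TLS client.
# Assumes the openssl binary is on PATH and a writable temp directory.
set -eu

# Exit 0 if the public key inside the certificate equals the public key
# derived from the private key file, 1 otherwise.
check_pair() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl ec -in "$key" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}

# Name of the curve the private key was generated on (e.g. secp521r1).
key_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: *//p'
}

# Reproduce the post's commands in a scratch directory, with -subj/-batch
# so no prompts appear. "key" receives curve parameters plus a first key;
# "req -newkey ec:key" reads only the parameters and writes a second,
# different key to privkey.pem (the default -keyout), as in the post.
make_post_files() {
    dir="$1"
    ( cd "$dir" &&
      openssl ecparam -name secp521r1 -genkey -out key &&
      openssl req -nodes -newkey ec:key -x509 -days 730 -batch \
          -subj "/CN=irc-client" -keyout privkey.pem -out cert 2>/dev/null &&
      cat cert privkey.pem > foo.pem )
}

WORK=$(mktemp -d)
make_post_files "$WORK"
echo "curve: $(key_curve "$WORK/key")"
for k in key privkey.pem; do
    if check_pair "$WORK/cert" "$WORK/$k"; then echo "$k: matches cert"
    else echo "$k: does NOT match cert"; fi
done
rm -rf "$WORK"
```

Run it as-is; the key file whose line reads "matches cert" is the one to pass as --x509keyfile.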

