[gnutls-help] x509 PKIs working with OpenSSL but not GnuTLS

Louis Opter kalessin at kalessin.fr
Wed Oct 8 11:13:40 CEST 2014


I'm trying to setup taskd [1], a server using GnuTLS on top of a custom
task synchronization protocol, and my experience so far has been

I have three different x509 PKIs; all of them work with openssl s_client
and s_server. But two of them don't work with taskd and I can't find

He are small descriptions of the three PKIs I'm using:

- pki-sans: generated using certtool nothing fancy and containing two
  subject alternative names: one for a fqdn and one for an ip address;
- pki-no-sans: same thing as pki-sans without any subject alternative
  name entry, I'd like to use this PKI since it's not affected by a bug
  in SANs handling fixed in 3.3.6;
- pki-openvpn: a pki generated with easyrsa3 [2] and used with OpenVPN.

As far as I can understand the certs in pki-no-sans and pki-openpvn are
functionally equivalent. The only difference I can see is that my server
cert for openvpn has two more values, DirName and serial, in the
Authority Key Identifier field.

Here is what I have tried:


             |  taskd | s_client |
      taskd  |  KO-1  |    OK    |
    s_server |  KO-1  |    OK    |


             |  taskd | s_client |
      taskd  |   OK   |    OK    |
    s_server |   OK   |    OK    |


             |  taskd | s_client |
      taskd  |  KO-1  |    OK-2  |
    s_server |  KO-1  |    OK    |

KO-1: the client says the certificate has an error.
KO-2: client says ok but the server says there is an error in the

What can explain such differences? Why some PKIs aren't working with
GnuTLS but are working with openssl? Is there reference clients and
servers for gnutls like s_client or s_server?

All tests have been done with GnuTLS 3.3.8 compiled straight from git on
Linux. And the programs in src/tls/ in the taskd 1.1.0 branch from git.


[1] http://taskwarrior.org/
[2] https://github.com/OpenVPN/easy-rsa

Louis Opter

More information about the Gnutls-help mailing list