[gnutls-help] x509 PKIs working with OpenSSL but not GnuTLS

Louis Opter kalessin at kalessin.fr
Sat Oct 11 08:32:19 CEST 2014


On Thu, 9 Oct 2014 14:56:11 +0200 Nikos Mavrogiannopoulos
<nmav at gnutls.org> wrote:

Thanks for the answers.

> Unfortunately without mentioning the reason of failure or seeing the
> certificate chains, no.

Using gnutls-cli and gnutls-serv I have been able to isolate the issue a
little bit more:

pki-no-sans:

             | t_client | s_client | g_client |
    ---------+----------+----------+----------+
    t_server |   KO-1   |    OK    |    OK    |
    s_server |   KO-1   |    OK    |    OK    | 
    g_server |   KO-1   |    OK    |    OK    |

pki-sans:

             | t_client | s_client | g_client |
    ---------+----------+----------+----------+
    t_client |    OK    |    OK    |    OK    |
    s_server |    OK    |    OK    |    OK    |
    g_server |    OK    |    OK    |    OK    |

pki-openvpn:

             | t_client | s_client | g_client |
    ---------+----------+----------+----------+
    t_client |   KO-1   |    KO-2  |    KO-3  |
    s_server |   KO-1   |    OK    |    KO-3  |
    g_server |   KO-1   |    OK    |    KO-3  |

KO-1: the client says the certificate has an error.
KO-2: client says ok but the server says there is an error in the
      certificate.
KO-3: the client says: the name in the certificate doesn't match the
      expected.

t_{client,server} are taskwarrior (gnu)tls test client and server.
g_{client,server} are gnutls-{cli,serv}.

So, the tests with pki-no-sans point out that something seems to be
amiss in the taskwarrior client implementation and I'll follow up with
the taskwarrior devs.

However, are you guys interested in more details about my openvpn pki?
(It shouldn't be anything fancy, I generated it using easyrsa3).
Unfortunately, the error message from gnutls-cli isn't helpful to me.

Thanks

-- 
Louis Opter


