[gnutls-help] x509 PKIs working with OpenSSL but not GnuTLS

Nikos Mavrogiannopoulos nmav at gnutls.org
Sat Oct 11 12:27:22 CEST 2014


On Fri, 2014-10-10 at 23:32 -0700, Louis Opter wrote:
> On Thu, 9 Oct 2014 14:56:11 +0200 Nikos Mavrogiannopoulos
> <nmav at gnutls.org> wrote:
> 
> Thanks for the answers.
> 
> > Unfortunately without mentioning the reason of failure or seeing the
> > certificate chains, no.
> 
> Using gnutls-cli and gnutls-serv I have been able to isolate the issue a
> little bit more:
[...]
>              | t_client | s_client | g_client |
>     ---------+----------+----------+----------+
>     t_client |   KO-1   |    KO-2  |    KO-3  |
>     s_server |   KO-1   |    OK    |    KO-3  |
>     g_server |   KO-1   |    OK    |    KO-3  |
> 
> KO-1: the client says the certificate has an error.
> KO-2: client says ok but the server says there is an error in the
>       certificate.
> KO-3: the client says: the name in the certificate doesn't match the
>       expected.
> t_{client,server} are taskwarrior (gnu)tls test client and server.
> g_{client,server} are gnutls-{cli,serv}.

To be honest I am confused about what you are describing here and what
the actual issue you are seeing is. As far as I understand, you have some
certificate chain for which gnutls-cli reports that "the name in the
certificate doesn't match". In that case you should check the CN of the
certificate and the subject alternative name.

regards,
Nikos
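
An added example, not part of the original message and not GnuTLS code: a simplified RFC 6125-style hostname check showing how the CN and the subject alternative name interact to produce a "name doesn't match" result. The function names and the sample host names are assumptions made for this illustration.

```python
# Added illustration: simplified RFC 6125-style name check, not GnuTLS code.

def _label_match(pattern, hostname):
    """Match one DNS pattern; '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Simplification: require two labels after the wildcard ("*.com" never matches).
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def check_name(hostname, common_name, san_dns):
    """Return (ok, reason) for the name the client expects to reach.

    common_name: subject CN string or None
    san_dns:     list of dNSName entries from subjectAltName (may be empty)
    """
    if san_dns:
        # RFC 6125: when dNSName entries exist, the CN is not consulted at all.
        for name in san_dns:
            if _label_match(name, hostname):
                return True, "matched SAN dNSName " + name
        return False, "SAN present, no dNSName matches (CN ignored)"
    if common_name and _label_match(common_name, hostname):
        return True, "matched CN (no SAN dNSName in certificate)"
    return False, "no SAN dNSName and CN does not match"


# Constructed sample cases: (name the client connects to, CN, SAN dNSNames).
SAMPLES = [
    ("localhost", "taskd.example.test", []),
    ("taskd.example.test", "taskd.example.test", []),
    ("taskd.example.test", "taskd.example.test", ["other.example.test"]),
    ("a.example.test", "ignored", ["*.example.test"]),
    ("a.b.example.test", "ignored", ["*.example.test"]),
]

if __name__ == "__main__":
    for host, cn, san in SAMPLES:
        print(host, cn, san, "->", check_name(host, cn, san))
```

The first and third cases are the usual causes of this error: connecting by a name other than the one in the certificate, and a certificate whose SAN list overrides a CN that would otherwise have matched.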