[gnutls-help] x509 PKIs working with OpenSSL but not GnuTLS

Louis Opter kalessin at kalessin.fr
Sun Oct 19 07:33:21 CEST 2014


On Sat, Oct 11, 2014 at 12:27:22PM +0200, Nikos Mavrogiannopoulos wrote:
> On Fri, 2014-10-10 at 23:32 -0700, Louis Opter wrote:
> 
> To be honest I am confused about what you are describing here and what
> the actual issue you are seeing is. As far as I understand you have some
> certificate chain for which gnutls-cli reports that "the name in the
> certificate doesn't match". In that case you should check the CN of the
> certificate and the subject alternative name.

Thank you for your help, Nikos. In the end my issues boiled down to CN
mismatches, which are being handled differently in OpenSSL and GnuTLS
(I'd be happy to hear more about that btw).

Everything ended up being difficult to investigate because x509 is a lot
of moving parts, because I fucked up some config in taskwarrior and I
also ran into the bug fixed by this commit at some point:

https://gitorious.org/gnutls/gnutls/commit/4a7f52373c6623d9e8775814bdb18129a26a0f81

I still have to say that everything would have been a lot easier and a
lot less confusing if the error reporting was better. Is there anything
like gnutls_strerror but for the status variable set by the
gnutls_certificate_verify_peers functions?

Thanks

-- 
Louis Opter


