[gnutls-help] CRL revoked certs ignored

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Apr 20 13:11:24 CEST 2015


On Mon, Apr 20, 2015 at 1:18 PM,  <gnutls+etherape at kernelbug.org> wrote:
> Hmm, I see I didn't put the last working CRL generate command there; this is what I did yesterday:
>
> certtool --generate-crl --load-ca-privkey=ca-key.pem \
>          --load-ca-certificate=ca-cert.pem \
>          --load-certificate lrc-ldap_client.gnutls.crt \
>          --outfile=crl.pem
> So lrc-ldap_client.gnutls.crt should be revoked, right?

Correct.

> * Accepted connection from IPv4 10.50.2.12 port 48559 on Mon Apr 20 13:06:31 2015
> - Description: (TLS1.2)-(ECDHE-RSA-SECP192R1)-(AES-128-GCM)
> - Session ID: 13:74:51:E3:69:B6:CB:02:07:38:A1:A8:40:42:00:70:BF:A4:98:C4:BC:D7:FE:F8:D4:7E:B0:86:A7:8F:ED:23
> - Given server name[1]: lrc-ldap
> No certificates found!
> - Ephemeral EC Diffie-Hellman parameters
>  - Using curve: SECP192R1
>  - Curve size: 192 bits
> - Version: TLS1.2
> - Key Exchange: ECDHE-RSA
> - Server Signature: RSA-SHA256
> - Cipher: AES-128-GCM
> - MAC: AEAD
> - Compression: NULL
> - Channel binding 'tls-unique': 17480355da49f20e21775f7c
> It's interesting that the server now says 'No certificates found!'. I don't know if this has something to do with the revocation.
> But I'm still able to write data to the server, which is received.

That message means that the client didn't send any certificates. Use
"-r" on gnutls-serv to force the client to send its certificate.

regards,
Nikos
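The point of the exchange above is that a CRL can only revoke a certificate the server actually receives and checks: "No certificates found!" means no client certificate reached the server, so there was nothing for the CRL to match. The script below is an added example, not part of the thread or of GnuTLS itself. It builds a throwaway CA and client certificate, revokes the client certificate with the same certtool form used in the thread (plus a template so nothing prompts), and then performs the two checks a defender wants before relying on the CRL: that the CRL really lists the certificate's serial, and that certtool rejects the certificate once the CRL is loaded. All file names, template contents and the gnutls-serv port are constructed for this example; it requires certtool and gnutls-serv from the gnutls-bin package.

```shell
#!/bin/sh
# Added example (not from the thread or the GnuTLS project): issue, revoke and
# verify a client certificate with certtool, then show the gnutls-serv flags
# that make the server demand the client certificate and honour the CRL.
set -eu

if ! command -v certtool >/dev/null 2>&1; then
    echo "certtool (gnutls-bin) not installed; skipping" >&2
    exit 0
fi

WORK="$(mktemp -d)"            # throwaway directory for keys, certs and CRL
trap 'rm -rf "$WORK"' EXIT

# certtool templates, so every step runs without interactive prompts.
# (Constructed for this example; names are hypothetical.)
write_templates() {
    printf '%s\n' 'cn = "Example CRL test CA"' ca cert_signing_key \
        crl_signing_key 'expiration_days = 30' > "$WORK/ca.tmpl"
    printf '%s\n' 'cn = "lrc-ldap_client"' tls_www_client signing_key \
        'expiration_days = 30' > "$WORK/client.tmpl"
    printf '%s\n' 'cn = "lrc-ldap"' 'dns_name = "lrc-ldap"' tls_www_server \
        signing_key 'expiration_days = 30' > "$WORK/server.tmpl"
    # Next-update window and CRL number are what certtool would otherwise ask for.
    printf '%s\n' 'crl_next_update = 30' 'crl_number = 1' > "$WORK/crl.tmpl"
}

# issue_cert NAME: key + certificate signed by the example CA, from NAME.tmpl
issue_cert() {
    certtool --generate-privkey --bits 2048 --outfile "$WORK/$1-key.pem" >/dev/null 2>&1
    certtool --generate-certificate --load-privkey "$WORK/$1-key.pem" \
        --load-ca-certificate "$WORK/ca-cert.pem" --load-ca-privkey "$WORK/ca-key.pem" \
        --template "$WORK/$1.tmpl" --outfile "$WORK/$1-cert.pem" >/dev/null 2>&1
}

# Create the CA, a server and a client certificate, and a CRL revoking the client.
build_pki() {
    write_templates
    certtool --generate-privkey --bits 2048 --outfile "$WORK/ca-key.pem" >/dev/null 2>&1
    certtool --generate-self-signed --load-privkey "$WORK/ca-key.pem" \
        --template "$WORK/ca.tmpl" --outfile "$WORK/ca-cert.pem" >/dev/null 2>&1
    issue_cert server
    issue_cert client
    # Same command shape as in the thread; --template replaces the prompts.
    certtool --generate-crl --load-ca-privkey "$WORK/ca-key.pem" \
        --load-ca-certificate "$WORK/ca-cert.pem" \
        --load-certificate "$WORK/client-cert.pem" \
        --template "$WORK/crl.tmpl" --outfile "$WORK/crl.pem" >/dev/null 2>&1
}

# Returns 0 when the client certificate's serial is in the CRL's revoked list.
crl_lists_client_serial() {
    serial="$(certtool --certificate-info --infile "$WORK/client-cert.pem" \
        | sed -n 's/.*Serial Number (hex): *//p' | head -n 1 | tr -d '[:space:]')"
    [ -n "$serial" ] || return 1
    certtool --crl-info --infile "$WORK/crl.pem" | grep -qiF "$serial"
}

# Returns 0 when certtool accepts the certificate without the CRL but rejects it
# once the CRL is loaded, i.e. revocation is actually enforced, not ignored.
revocation_enforced() {
    certtool --verify --load-ca-certificate "$WORK/ca-cert.pem" \
        --infile "$WORK/client-cert.pem" >/dev/null 2>&1 || return 1
    if certtool --verify --load-ca-certificate "$WORK/ca-cert.pem" \
        --load-crl "$WORK/crl.pem" --infile "$WORK/client-cert.pem" >/dev/null 2>&1; then
        return 1        # still accepted: the CRL is not being honoured
    fi
    return 0
}

# Server side: -r is the fix suggested in the thread (require the client
# certificate), --x509crlfile makes gnutls-serv apply the CRL to it.
# Not called below because it blocks waiting for connections.
serve_with_crl() {
    gnutls-serv -r --port 5556 \
        --x509cafile "$WORK/ca-cert.pem" --x509crlfile "$WORK/crl.pem" \
        --x509keyfile "$WORK/server-key.pem" --x509certfile "$WORK/server-cert.pem"
}

build_pki
if crl_lists_client_serial; then
    echo "CRL lists the client certificate serial"
else
    echo "CRL does NOT list the client certificate serial"
fi
if revocation_enforced; then
    echo "certtool rejects the revoked certificate once the CRL is loaded"
else
    echo "revoked certificate still accepted: the CRL is not being applied"
fi
```

The second check is the one that catches the situation in the thread: a CRL that is correct on disk but never consulted looks exactly like a working one until a verifier is forced to load it, and on the server side the same applies unless gnutls-serv is started with both -r and --x509crlfile.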
