[gnutls-help] Sporadical error message "Fatal error: Public key signature verification has failed"

Jörg Weinhardt jw at ib-weinhardt.de
Wed Jun 10 22:24:09 CEST 2015


Hi,

I am testing an HTTPS server and sometimes the SSL handshake fails and I
get an error in the browser.
Now I am trying to test only the HTTPS connection handshake with GnuTLS,
and therefore I'm using the following command line in a loop:
	gnutls-cli -d 5 --verbose --insecure 192.168.92.217  < nul

Version is gnutls-3.4.0-w32

Sometimes (about 1 in 50) I get the message
*** Fatal error: Public key signature verification has failed

It is not clear to me what GnuTLS is complaining about. The HTTPS
server should always deliver the same data.

The debug output around the problem looks like this:

|<3>| ASSERT: dn.c:315
|<3>| ASSERT: dn.c:425
|<3>| ASSERT: x509.c:551
- Status: The certificate is NOT trusted. The certificate issuer is
unknown. The name in the certificate does not match the expec
*** PKI verification of server certificate failed...
|<3>| ASSERT: gnutls_buffers.c:1111
|<4>| HSK[0060bfd8]: SERVER KEY EXCHANGE (12) was received. Length
329[333], frag offset 0, frag length: 329, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1346
|<4>| HSK[0060bfd8]: Selected ECC curve SECP256R1 (2)
|<4>| HSK[0060bfd8]: verify handshake data: using RSA-SHA256
|<3>| ASSERT: signature.c:329
|<3>| ASSERT: pk.c:710
|<3>| ASSERT: gnutls_pubkey.c:1946
|<3>| ASSERT: gnutls_sig.c:258
|<3>| ASSERT: gnutls_sig.c:353
|<3>| ASSERT: cert.c:2214
|<3>| ASSERT: gnutls_kx.c:474
|<3>| ASSERT: gnutls_handshake.c:2782
*** Fatal error: Public key signature verification has failed.
|<5>| REC: Sending Alert[2|80] - Internal error


If the handshake is ok it looks like this:


|<3>| ASSERT: dn.c:315
|<3>| ASSERT: dn.c:425
|<3>| ASSERT: x509.c:551
- Status: The certificate is NOT trusted. The certificate issuer is
unknown. The name in the certificate does not match the expec
*** PKI verification of server certificate failed...
|<3>| ASSERT: gnutls_buffers.c:1111
|<4>| HSK[004dbfd8]: SERVER KEY EXCHANGE (12) was received. Length
329[333], frag offset 0, frag length: 329, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1346
|<4>| HSK[004dbfd8]: Selected ECC curve SECP256R1 (2)
|<4>| HSK[004dbfd8]: verify handshake data: using RSA-SHA256
|<3>| ASSERT: signature.c:329
|<3>| ASSERT: gnutls_buffers.c:1111
|<4>| HSK[004dbfd8]: SERVER HELLO DONE (14) was received. Length 0[0],
frag offset 0, frag length: 1, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1102
|<3>| ASSERT: gnutls_buffers.c:1346
|<3>| ASSERT: gnutls_buffers.c:1329
|<4>| HSK[004dbfd8]: CLIENT KEY EXCHANGE was queued [70 bytes]
|<4>| REC[004dbfd8]: Sent ChangeCipherSpec
|<5>| REC[004dbfd8]: Initializing epoch #1

I would be grateful for any hint that gets me closer to the problem.

regards,
Joerg
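
One way to compare a failing run against a good one when looping gnutls-cli -d 5, as an added example that is not part of the original post: it masks the per-run session pointer and reports the first debug line where the two traces part ways. The sample lines are copied from the two traces above (wrapped lines joined); the function names are illustrative.

```python
import re

# Debug lines copied from the two traces in the post (wrapped lines joined).
FAILED = """\
|<4>| HSK[0060bfd8]: verify handshake data: using RSA-SHA256
|<3>| ASSERT: signature.c:329
|<3>| ASSERT: pk.c:710
|<3>| ASSERT: gnutls_pubkey.c:1946
|<3>| ASSERT: gnutls_sig.c:258
|<3>| ASSERT: gnutls_sig.c:353
|<3>| ASSERT: cert.c:2214
|<3>| ASSERT: gnutls_kx.c:474
|<3>| ASSERT: gnutls_handshake.c:2782
*** Fatal error: Public key signature verification has failed.
|<5>| REC: Sending Alert[2|80] - Internal error
"""

OK = """\
|<4>| HSK[004dbfd8]: verify handshake data: using RSA-SHA256
|<3>| ASSERT: signature.c:329
|<3>| ASSERT: gnutls_buffers.c:1111
|<4>| HSK[004dbfd8]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
"""

# The hex value in HSK[...] / REC[...] differs on every run, so mask it before comparing.
SESSION = re.compile(r"\b(HSK|REC)\[[0-9a-fA-F]+\]")

def normalize(trace):
    """Drop blank lines and mask the session pointer so identical steps compare equal."""
    return [SESSION.sub(r"\1[*]", ln.strip()) for ln in trace.splitlines() if ln.strip()]

def first_divergence(good, bad):
    """Return (index, good_line, bad_line) for the first differing line, or None."""
    g, b = normalize(good), normalize(bad)
    for i in range(max(len(g), len(b))):
        x = g[i] if i < len(g) else None
        y = b[i] if i < len(b) else None
        if x != y:
            return i, x, y
    return None

def assert_trail(trace):
    """List ASSERT file:line locations in order, usable as a key to group failed runs."""
    return re.findall(r"ASSERT: (\S+:\d+)", trace)

if __name__ == "__main__":
    print(first_divergence(OK, FAILED))
    print(assert_trail(FAILED))
```
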






