[gnutls-help] Sporadical error message "Fatal error: Public key signature verification has failed"

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Jun 11 10:32:51 CEST 2015 

There is a test program in the gnutls tests/ directory called
x509sign-verify.c. Can you modify it so that it reproduces the issue?

On Wed, Jun 10, 2015 at 10:24 PM, Jörg Weinhardt <jw at ib-weinhardt.de> wrote:
> Hi,
>
> I am testing a HTTPS server and sometimes the SSL handshake fails and I
> get an error at the Browser.
> No I try to test the the HTTPS connection handshake only with GnuTLS and
> therefore I'm using the following command line in a loop:
>         gnutls-cli -d 5 --verbose --insecure 192.168.92.217  < nul
>
> Version is gnutls-3.4.0-w32
>
> Sometimes (about 1 of 50) I get the message
> *** Fatal error: Public key signature verification has failed
>
> It is not clear for me what GnuTLS is complaining about. The HTTPS
> Server should deliver always the same data.
>
> The debug output around the problem looks like this:
>
> |<3>| ASSERT: dn.c:315
> |<3>| ASSERT: dn.c:425
> |<3>| ASSERT: x509.c:551
> - Status: The certificate is NOT trusted. The certificate issuer is
> unknown. The name in the certificate does not match the expec
> *** PKI verification of server certificate failed...
> |<3>| ASSERT: gnutls_buffers.c:1111
> |<4>| HSK[0060bfd8]: SERVER KEY EXCHANGE (12) was received. Length
> 329[333], frag offset 0, frag length: 329, sequence: 0
> |<3>| ASSERT: gnutls_buffers.c:1346
> |<4>| HSK[0060bfd8]: Selected ECC curve SECP256R1 (2)
> |<4>| HSK[0060bfd8]: verify handshake data: using RSA-SHA256
> |<3>| ASSERT: signature.c:329
> |<3>| ASSERT: pk.c:710
> |<3>| ASSERT: gnutls_pubkey.c:1946
> |<3>| ASSERT: gnutls_sig.c:258
> |<3>| ASSERT: gnutls_sig.c:353
> |<3>| ASSERT: cert.c:2214
> |<3>| ASSERT: gnutls_kx.c:474
> |<3>| ASSERT: gnutls_handshake.c:2782
> *** Fatal error: Public key signature verification has failed.
> |<5>| REC: Sending Alert[2|80] - Internal error
>
>
> If the handshake is ok it looks like this:
>
>
> |<3>| ASSERT: dn.c:315
> |<3>| ASSERT: dn.c:425
> |<3>| ASSERT: x509.c:551
> - Status: The certificate is NOT trusted. The certificate issuer is
> unknown. The name in the certificate does not match the expec
> *** PKI verification of server certificate failed...
> |<3>| ASSERT: gnutls_buffers.c:1111
> |<4>| HSK[004dbfd8]: SERVER KEY EXCHANGE (12) was received. Length
> 329[333], frag offset 0, frag length: 329, sequence: 0
> |<3>| ASSERT: gnutls_buffers.c:1346
> |<4>| HSK[004dbfd8]: Selected ECC curve SECP256R1 (2)
> |<4>| HSK[004dbfd8]: verify handshake data: using RSA-SHA256
> |<3>| ASSERT: signature.c:329
> |<3>| ASSERT: gnutls_buffers.c:1111
> |<4>| HSK[004dbfd8]: SERVER HELLO DONE (14) was received. Length 0[0],
> frag offset 0, frag length: 1, sequence: 0
> |<3>| ASSERT: gnutls_buffers.c:1102
> |<3>| ASSERT: gnutls_buffers.c:1346
> |<3>| ASSERT: gnutls_buffers.c:1329
> |<4>| HSK[004dbfd8]: CLIENT KEY EXCHANGE was queued [70 bytes]
> |<4>| REC[004dbfd8]: Sent ChangeCipherSpec
> |<5>| REC[004dbfd8]: Initializing epoch #1
>
> I would be happy for every hint which gets me closer to the problem.
>
> regards,
> Joerg
>
>
>
>
>
> _______________________________________________
> Gnutls-help mailing list
> Gnutls-help at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-help

More information about the Gnutls-help mailing list