Fatal error: Key usage violation in certificate has been detected
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Oct 23 23:09:27 CEST 2009
On 10/23/2009 01:46 PM, Goffredo Baroncelli wrote:
> Could someone help me to confirm that the problem is
> the certificate even in this case?
here's a quick way to check with openssl (sorry i'm not using gnutls tools
-- if someone wants to show the same thing with gnutls tools i'd gladly
learn).
0 dkg at pip:~$ echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -text | grep -i -A1 usage
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
0 dkg at pip:~$ echo | openssl s_client -connect authsrs.alice.it:443 2>/dev/null | openssl x509 -noout -text | grep -i -A1 usage
X509v3 Key Usage:
Key Encipherment
0 dkg at pip:~$
note that google's certificate allows "TLS Web Server Authentication",
but authsrs.alice.it's certificate does not. I think that's the root
of your problem.
> And if it is the case (and I think that it IS the case), which possibles
> workarounds exist ?
Maybe there's a GnuTLS priority string you can set to disable usage flag
checking as a workaround? if there is, i couldn't find it here:
http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#gnutls_priority_set
seems like they should really use a certificate with the right usage
flags set, though.
hth,
--dkg
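Added example, not part of dkg's message and not GnuTLS or OpenSSL project code: a small POSIX shell script that turns the two openssl one-liners above into a repeatable check of a leaf certificate's Key Usage and Extended Key Usage against what TLS server authentication needs. It applies the rules in RFC 5280 (section 4.2.1.12: an EKU extension, if present, must list serverAuth or anyExtendedKeyUsage; an absent EKU is unrestricted) and RFC 5246 (section 7.4.2: a Key Usage extension, if present, must permit the negotiated key exchange, keyEncipherment for RSA key transport and digitalSignature for (EC)DHE). The function name check_server_usage, the helper names and the three certificates are my own; the certificates are constructed locally with openssl req and are not the real google.com or authsrs.alice.it certificates. Assumes openssl 1.1.1 or later on PATH (for -addext).

```shell
#!/bin/sh
# Added example (not from the original post). Decide whether a leaf
# certificate's Key Usage / Extended Key Usage permit TLS server
# authentication, using only the openssl CLI as the commands above do.
#
# Rules applied (RFC 5280 s4.2.1.12, RFC 5246 s7.4.2):
#   1. If an Extended Key Usage extension is present it must list
#      "TLS Web Server Authentication" (id-kp-serverAuth) or
#      "Any Extended Key Usage"; an absent EKU means unrestricted.
#   2. If a Key Usage extension is present it must permit the key
#      exchange the server negotiates: RSA key transport needs
#      keyEncipherment, (EC)DHE needs digitalSignature.
#
# Usage: check_server_usage CERT.pem [rsa|ecdhe]   (default: ecdhe)
# To test a live server, fetch the leaf first, e.g.:
#   echo | openssl s_client -connect host:443 -servername host 2>/dev/null \
#     | openssl x509 -out leaf.pem

# Print the line that follows the named extension header in
# "openssl x509 -text" output, or nothing if the extension is absent.
ext_value() {  # $1 = certificate text, $2 = header pattern
    printf '%s\n' "$1" | awk -v pat="$2" '$0 ~ pat {getline; print; exit}'
}

check_server_usage() {
    cert=$1
    kex=${2:-ecdhe}
    text=$(openssl x509 -in "$cert" -noout -text) || return 2
    eku=$(ext_value "$text" 'X509v3 Extended Key Usage')
    ku=$(ext_value "$text" 'X509v3 Key Usage')

    # Rule 1: EKU, when present, must allow server authentication.
    if [ -n "$eku" ]; then
        case "$eku" in
            *"TLS Web Server Authentication"*|*"Any Extended Key Usage"*) ;;
            *) echo "REJECT $cert: EKU present but no serverAuth:$eku"; return 1 ;;
        esac
    fi

    # Rule 2: KU, when present, must allow the key exchange in use.
    if [ -n "$ku" ]; then
        case "$kex" in
            rsa)   need="Key Encipherment" ;;
            ecdhe) need="Digital Signature" ;;
            *)     echo "unknown key exchange: $kex" >&2; return 2 ;;
        esac
        case "$ku" in
            *"$need"*) ;;
            *) echo "REJECT $cert: KU lacks $need for $kex:$ku"; return 1 ;;
        esac
    fi
    echo "OK $cert for $kex (EKU:${eku:- absent}; KU:${ku:- absent})"
    return 0
}

# --- constructed test certificates (self-signed, generated here) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

mkcert() {  # $1 = output file, remaining args are passed to openssl req
    out=$1; shift
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$TMP/key.pem" \
        -out "$out" -subj '/CN=usage-test' -days 1 "$@" >/dev/null 2>&1
}

GOOD_CERT=$TMP/good.pem            # shaped like the google.com output above
KU_ONLY_CERT=$TMP/ku-only.pem      # shaped like the authsrs.alice.it output above
CLIENT_ONLY_CERT=$TMP/client.pem   # EKU restricted to clientAuth

mkcert "$GOOD_CERT" -addext 'keyUsage=digitalSignature,keyEncipherment' \
                    -addext 'extendedKeyUsage=serverAuth'
mkcert "$KU_ONLY_CERT" -addext 'keyUsage=keyEncipherment'
mkcert "$CLIENT_ONLY_CERT" -addext 'keyUsage=digitalSignature' \
                           -addext 'extendedKeyUsage=clientAuth'

# Demo run: the KU-only certificate passes for RSA key transport but is
# rejected for (EC)DHE; the clientAuth-only one is rejected either way.
for c in "$GOOD_CERT" "$KU_ONLY_CERT" "$CLIENT_ONLY_CERT"; do
    for kex in rsa ecdhe; do
        check_server_usage "$c" "$kex" || true
    done
done
```

The same certificate text can be obtained with the GnuTLS tools dkg asked about: gnutls-cli --print-cert host dumps the peer chain in PEM, and certtool -i --infile leaf.pem decodes it, including the Key Usage and Extended Key Usage fields, so the two awk patterns above can be adapted to certtool's output if openssl is not available.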