[sr #107540] iPhone/iPad TLS negotiation to postfix fails with certtool certs, works with openssl certs

Michael Rommel INVALID.NOREPLY at gnu.org
Sun Dec 5 11:05:48 CET 2010

Follow-up Comment #5, sr #107540 (project gnutls):

To comment #2:

Sorry, I may not have been exact: creating the certificate without the
request step does work and produces a certificate, but the issue I
reported also occurs with this certificate.

The table was lost when it was reformatted in a proportional font. I'll attach
a picture.

I tried different combinations of the ca.pem certificate used to sign the
request files with both tools.

To comment #3:

At first I tried the recommended PKIX extensions defined in RFC 5280 for the
pelican certificate, which should be used for TLS sessions.

If I understand the RFC correctly, Key Usage should be flagged as
digitalSignature, keyEncipherment or keyAgreement, as stated in
Hopefully, the related certtool template keywords are: encryption_key and

Extended Key Usage should be id-kp-serverAuth and id-kp-clientAuth. The certtool
template keywords are tls_www_client and tls_www_server. The client usage is
needed so that the postfix mail server can authenticate to the upstream mail relay.

I have tried including these options without success, so I have stripped down
Key Usage and Extended Key Usage and use them only in the CA certificate to
avoid further complication. I configured the openssl CA config file so that the
resulting x509 output showed only minimal differences between the certs created
by certtool and openssl ca.

If you have further questions, go ahead. I can also try out commands to
further narrow down the issue.

(file #22125)

Additional Item Attachment:

File name: Screen shot 2010-12-05 at 10.52.58 .png, Size: 18 KB

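For reference, this is what the Key Usage / Extended Key Usage mapping described in the comment looks like as a complete certtool template for the pelican server certificate. It is an added example, not the reporter's own template; the organization, host name and serial are placeholder values.

```ini
# Added example template (not from the bug report): server certificate for
# "pelican" with the RFC 5280 usages discussed above. The organization,
# host name and serial below are placeholders; replace them for real use.
organization = "Example Org"
cn = "pelican.example.org"
dns_name = "pelican.example.org"
expiration_days = 365
serial = 2

# Key Usage (RFC 5280, 4.2.1.3): digitalSignature and keyEncipherment
signing_key
encryption_key

# Extended Key Usage (RFC 5280, 4.2.1.12): id-kp-serverAuth and id-kp-clientAuth.
# tls_www_client is included so postfix can authenticate to the upstream relay.
tls_www_server
tls_www_client
```

Generate the certificate with `certtool --generate-certificate --load-privkey pelican-key.pem --load-ca-certificate ca.pem --load-ca-privkey ca-key.pem --template pelican.tmpl --outfile pelican-cert.pem`, then compare the Key Usage and Extended Key Usage sections of `certtool -i --infile pelican-cert.pem` against `openssl x509 -text` output for the openssl-generated certificate to see where the two still differ.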
