[sr #107540] iPhone/iPad TLS negotiation to postfix fails with certtool certs, works with openssl certs

Michael Rommel INVALID.NOREPLY at gnu.org
Sun Dec 5 11:05:48 CET 2010


Follow-up Comment #5, sr #107540 (project gnutls):

To comment #2:

Sorry, I may not have been exact: creating the certificate without the
request step does work and produces a certificate, but the issue that I
reported also occurs with this certificate.

The table was lost during reformatting in a proportional font. I'll attach
a picture.

I tried different combinations of the ca.pem certificate used to sign the
request files, using both tools.

To comment #3:

At first I tried the recommended PKIX extensions defined in RFC 5280 for the
pelican certificate, which should be used for TLS sessions.

If I understand the RFC correctly, Key Usage should be flagged as
digitalSignature, keyEncipherment or keyAgreement, as stated in 4.2.1.12.
Hopefully, the related certtool template keywords are encryption_key and
signing_key.

Extended Key Usage should be id-kp-serverAuth and id-kp-clientAuth; certtool
template keywords: tls_www_client and tls_www_server. The client one is needed
so that the postfix mail server can authenticate to the upstream mail relay.

I have tried including these options without success. Therefore I have
stripped down Key Usage and Extended Key Usage and use them only in the CA
certificate to avoid further complication. I configured the openssl CA config
file so that the resulting x509 output showed only minimal differences
between the certs created by certtool and openssl ca.

If you have further questions, go ahead. I can also try out commands to
narrow down the issue further.


(file #22125)
    _______________________________________________________

Additional Item Attachment:

File name: Screen shot 2010-12-05 at 10.52.58 .png Size:18 KB


    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107540>

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
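Added example (not part of the comment above, and not GnuTLS project code): the
certtool template keywords the reporter maps to RFC 5280 Key Usage / Extended Key
Usage (signing_key, encryption_key, tls_www_server, tls_www_client, plus ca and
cert_signing_key for the issuer), the certtool commands that turn such templates
into a CA and a server certificate, and a small awk-based check that pulls the
"X509v3 Key Usage" and "X509v3 Extended Key Usage" fields out of
`openssl x509 -noout -text` output so a certtool-issued and an openssl-ca-issued
certificate can be compared on exactly those fields. File names, the
example.org names and the two abridged text dumps are assumptions and
constructed data, not the reporter's; the certtool run is skipped when the
tool is not installed.

```shell
#!/bin/sh
# Added example, not from the original report or from GnuTLS.
# Part 1: certtool templates with the usage bits under discussion and the
#         commands that issue a CA and a server certificate from them.
# Part 2: extract and compare Key Usage / Extended Key Usage from
#         `openssl x509 -noout -text` dumps of two certificates.
# File names and the sample dumps are assumptions / constructed data.

# --- part 1: certtool templates and generation ----------------------------

write_ca_template() {
    cat > "$1" <<'EOF'
organization = "Example Org"
cn = "Example Org CA"
expiration_days = 3650
serial = 1
ca
cert_signing_key
EOF
}

# Server cert usable as TLS server *and* client (postfix also relays upstream):
# signing_key/encryption_key -> digitalSignature/keyEncipherment,
# tls_www_server/tls_www_client -> id-kp-serverAuth/id-kp-clientAuth.
write_server_template() {
    cat > "$1" <<'EOF'
organization = "Example Org"
cn = "mail.example.org"
dns_name = "mail.example.org"
expiration_days = 365
serial = 2
signing_key
encryption_key
tls_www_server
tls_www_client
EOF
}

# Issue ca.pem and server.pem with certtool, then dump server.pem as text.
generate_with_certtool() {
    dir=$1
    write_ca_template "$dir/ca.tmpl"
    write_server_template "$dir/server.tmpl"
    certtool --generate-privkey --outfile "$dir/ca-key.pem"
    certtool --generate-self-signed --load-privkey "$dir/ca-key.pem" \
        --template "$dir/ca.tmpl" --outfile "$dir/ca.pem"
    certtool --generate-privkey --outfile "$dir/server-key.pem"
    certtool --generate-request --load-privkey "$dir/server-key.pem" \
        --template "$dir/server.tmpl" --outfile "$dir/server.csr"
    certtool --generate-certificate --load-request "$dir/server.csr" \
        --load-ca-certificate "$dir/ca.pem" --load-ca-privkey "$dir/ca-key.pem" \
        --template "$dir/server.tmpl" --outfile "$dir/server.pem"
    openssl x509 -in "$dir/server.pem" -noout -text > "$dir/server.txt"
}

# --- part 2: compare the usage fields of two text dumps -------------------

# Read `openssl x509 -noout -text` output on stdin; print one normalised line
# per Key Usage / EKU value (plus a marker when the extension is critical),
# sorted in the C locale so two dumps compare regardless of print order.
extract_usage() {
    awk '
        /X509v3 Key Usage/          { section = "KU";  if (/critical/) print "KU: critical";  next }
        /X509v3 Extended Key Usage/ { section = "EKU"; if (/critical/) print "EKU: critical"; next }
        section != "" {
            gsub(/^[ \t]+|[ \t]+$/, "")
            n = split($0, v, /, */)
            for (i = 1; i <= n; i++) print section ": " v[i]
            section = ""
        }
    ' | LC_ALL=C sort
}

# Return 0 when both dumps carry identical usage bits, else show both and return 1.
same_usage() {
    a=$(extract_usage < "$1")
    b=$(extract_usage < "$2")
    [ "$a" = "$b" ] && return 0
    printf 'usage differs\n--- %s\n%s\n--- %s\n%s\n' "$1" "$a" "$2" "$b" >&2
    return 1
}

# Constructed, abridged dumps: the first is representative of the server
# template above; the second stands in for an openssl-ca issued certificate
# whose config left out extendedKeyUsage.
WORK=$(mktemp -d)
cat > "$WORK/certtool.txt" <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:mail.example.org
EOF
cat > "$WORK/openssl.txt" <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:mail.example.org
EOF

if command -v certtool >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    generate_with_certtool "$WORK" && same_usage "$WORK/server.txt" "$WORK/certtool.txt"
fi
same_usage "$WORK/certtool.txt" "$WORK/openssl.txt" || echo "second cert lacks EKU"
```

On real certificates, `openssl x509 -in cert.pem -noout -text | extract_usage`
gives the normalised list for one cert, and `same_usage a.txt b.txt` on two
saved dumps reports whether the certtool-made and openssl-made certificates
differ in exactly the Key Usage / EKU bits or somewhere else.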