[Help-gnutls] GnuTLS 2.2.1 problem returning GNUTLS_E_CONSTRAINT_ERROR

[Daniel Stenberg]

Hey GnuTLS hackers!

Here's an interesting problem for you guys that Beber came up with in the 
#curl IRC channel. He's CC'ed here, please try to keep him in the loop when 
you respond to this.

#1 - build a somewhat recent curl with GnuTLS support (curl 7.17.1 and 7.18.0
      both work, presumably others too). GnuTLS 2.0.4 and 2.2.1 were tested
      and both showed this problem. The same curl versions built against
      OpenSSL instead work fine.

#2 - run this command:
      curl https://www.net222.caisse-epargne.fr -v

      This assumes you use a default cacert bundle, but I used the one Debian
      provides in /etc/ssl/certs/ca-certificates.crt with an extra option like:
      --cacert /etc/ssl/certs/ca-certificates.crt. Or, thanks to a flaw in
      these curl versions, use -k to skip the server cert verification - but it
      will still try to extract the server cert which is what fails.

#3 - the output from curl then becomes:

* About to connect() to www.net222.caisse-epargne.fr port 443 (#0)
*   Trying 91.135.177.17... connected
* Connected to www.net222.caisse-epargne.fr (91.135.177.17) port 443 (#0)
* found 102 certificates in /etc/ssl/certs/ca-certificates.crt
* server cert verify failed: -101
* Closing connection #0
curl: (35) server cert verify failed: -101

The culprit here for you is the -101. That's 
gnutls_certificate_verify_peers2() returning GNUTLS_E_CONSTRAINT_ERROR.