Fwd: [Help-gnutls] GnuTLS 2.2.1 problem returning GNUTLS_E_CONSTRAINT_ERROR
Daniel Stenberg
daniel at haxx.se
Sat Feb 16 14:25:12 CET 2008
On Sat, 16 Feb 2008, Nikos Mavrogiannopoulos wrote:
>> The culprit here for you is the -101. That's
>> gnutls_certificate_verify_peers2() returning GNUTLS_E_CONSTRAINT_ERROR.
>
> I can see two cases where this can be returned.
> 1. the verify depth of the certificate is quite high (ie the chain
> being verified is long).
> The default maximum depth is 6. Although it is possible to have such
> long chain, it is most probably
> a configuration error if the server sends more than 6 certificates.
> - this limit can be adjusted by gnutls_certificate_set_verify_limits()
>
> 2. the key bits of the certificates are longer than the maximum allowed
> (8200). this limit can also be adjusted by the same function.
But seeing this is a live server used by mere mortals out there (it is a bank
after all), wouldn't it perhaps be an indication that the defaults are a bit
too restrictive? Also, both OpenSSL and Firefox (NSS) deal with it by default.
However, I tried adding this:
gnutls_certificate_set_verify_limits(conn->ssl[sockindex].cred,
20200, 18);
Is there any way for me to figure out sensible values for me to set to this
function? I just upped them a couple of times until the function worked!
And yes, it now makes gnutls_certificate_verify_peers2() return success but
then... verify_status still contained the GNUTLS_CERT_INVALID bit. So
something still isn't liking this server!
More information about the Gnutls-help
mailing list