[gnutls-help] x509 PKIs working with OpenSSL but not GnuTLS
Louis Opter
kalessin at kalessin.fr
Wed Oct 8 11:13:40 CEST 2014
Hello,
I'm trying to set up taskd [1], a server using GnuTLS on top of a custom
task synchronization protocol, and my experience so far has been
miserable.
I have three different x509 PKIs; all of them work with openssl s_client
and s_server. But two of them don't work with taskd and I can't find
why.
Here are small descriptions of the three PKIs I'm using:
- pki-sans: generated using certtool, nothing fancy, and containing two
subject alternative names: one for a FQDN and one for an IP address;
- pki-no-sans: same thing as pki-sans without any subject alternative
name entry; I'd like to use this PKI since it's not affected by a bug
in SANs handling fixed in 3.3.6;
- pki-openvpn: a PKI generated with easyrsa3 [2] and used with OpenVPN.
As far as I can understand, the certs in pki-no-sans and pki-openvpn are
functionally equivalent. The only difference I can see is that my server
cert for OpenVPN has two more values, DirName and serial, in the
Authority Key Identifier field.
Here is what I have tried:
pki-no-sans:

         | taskd  | s_client |
---------+--------+----------+
taskd    | KO-1   | OK       |
s_server | KO-1   | OK       |

pki-sans:

         | taskd  | s_client |
---------+--------+----------+
taskd    | OK     | OK       |
s_server | OK     | OK       |

pki-openvpn:

         | taskd  | s_client |
---------+--------+----------+
taskd    | KO-1   | OK-2     |
s_server | KO-1   | OK       |

(rows are the server side, columns are the client side)

KO-1: the client says the certificate has an error.
KO-2: the client says OK but the server says there is an error in the
certificate.
What can explain such differences? Why are some PKIs not working with
GnuTLS but working with OpenSSL? Are there reference clients and
servers for GnuTLS like s_client or s_server?
All tests have been done with GnuTLS 3.3.8 compiled straight from git on
Linux, and with the programs in src/tls/ in the taskd 1.1.0 branch from git.
Thanks
[1] http://taskwarrior.org/
[2] https://github.com/OpenVPN/easy-rsa
--
Louis Opter
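An added diagnostic script, not part of the post above: it reproduces the poster's comparison matrix using GnuTLS's own tools (certtool, and the reference gnutls-serv/gnutls-cli pair, which GnuTLS ships alongside the library), so that a certificate chain rejected by GnuTLS can be examined without taskd in the loop. File names (ca.pem, server.pem, server-key.pem, client.pem, client-key.pem) and the port are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): check how GnuTLS itself
# sees a PKI before involving taskd. Assumed files in the current
# directory: ca.pem, server.pem, server-key.pem, client.pem, client-key.pem.
set -u

# Print the two fields that differ between the poster's PKIs: Subject
# Alternative Name and Authority Key Identifier. Returns non-zero when
# certtool is missing, the file cannot be parsed, or neither field exists.
inspect_cert() {
    cert="$1"
    command -v certtool >/dev/null 2>&1 || return 127
    certtool -i --infile "$cert" 2>/dev/null \
        | grep -i -A3 -E 'Subject Alternative Name|Authority Key Identifier'
}

# Verify a certificate against a CA with GnuTLS's own verifier. A chain
# that fails here will fail in every GnuTLS-based application as well.
verify_cert() {
    cert="$1"; ca="$2"
    command -v certtool >/dev/null 2>&1 || return 127
    certtool --verify --load-ca-certificate "$ca" --infile "$cert"
}

# Run GnuTLS's reference server and client against each other with the
# same PKI; this isolates the certificates from taskd's own code, the
# same way the poster used s_server/s_client on the OpenSSL side.
tls_roundtrip() {
    port="${1:-8443}"   # assumed port
    gnutls-serv --port "$port" --x509cafile ca.pem \
        --x509certfile server.pem --x509keyfile server-key.pem \
        --require-client-cert &
    srv=$!
    sleep 1
    # gnutls-cli exits non-zero when the handshake or verification fails.
    echo | gnutls-cli --port "$port" --x509cafile ca.pem \
        --x509certfile client.pem --x509keyfile client-key.pem localhost
    rc=$?
    kill "$srv" 2>/dev/null
    return "$rc"
}
```

Run inspect_cert on the server certificate of each PKI and diff the output to see exactly which SAN or AKI values differ; verify_cert and tls_roundtrip then show whether the rejection comes from chain validation or from the handshake.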