[gnutls-help] The certificate chain violates the signer's constraints.

Andreas Freimuth andreas_freimuth at web.de
Tue Jun 30 15:16:50 CEST 2015


Hi all,

I have a problem with GnuTLS validating a certificate path. Can
someone tell me if it is a mistake in the certs, or a bug in GnuTLS?

Relevant parts of the certs:
== server.crt ==
Subject: C=US, O=Foo Bar Inc., CN=bazz.foobar.com
X509v3 Subject Alternative Name:
     DNS:update.foobar.com, DNS:mx.foobar.email

== CA ==
     X509v3 Name Constraints:
       Permitted:
         DNS:foobar.com
         DNS:foobar.email
         DirName: C = US, O = Foo Bar Inc.
       Excluded:
         DNS:www.foobar.com
         DNS:www.foobar.email
         IP:0.0.0.0/0.0.0.0
         IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0


OpenSSL verify says everything is fine.
> $ openssl verify -CAfile CA-chain.crt server.crt
> server.crt: OK

But GnuTLS (3.3.8 and 3.3.15) complains:
"The certificate chain violates the signer's constraints."

> $ openssl verify -CAfile CA-chain.crt server.crt 
> server.crt: OK

> $ gnutls-serv --x509keyfile server.key --x509certfile server.crt -p 9999

(I added update.foobar.com to /etc/hosts)
> $ gnutls-cli --x509cafile CA-chain.crt -p 9999 update.foobar.com
> Processed 2 CA certificate(s).
> Resolving 'update.foobar.com'...
> Connecting to '127.0.0.1:9999'...
> - Certificate type: X.509
> - Got a certificate list of 1 certificates.
> - Certificate[0] info:
>  - subject `C=US,O=Foo Bar Inc.,CN=bazz.foobar.com', issuer `C=US,O=Foo Bar Inc.,CN=Foo Bar Sub CA 1,OU=Public Key Infrastructure', RSA key 512 bits, signed using RSA-SHA1, activated `2015-06-30 12:35:31 UTC', expires `2016-06-29 12:35:31 UTC', SHA-1 fingerprint `297d9f2e6e4246306a94a7c2a35d99fa85819485'
>         Public Key ID:
>                 f2a2f8279dff958588a4b91f94d773f4bdf06837
>         Public key's random art:
>                 +--[ RSA  512]----+
>                 |                 |
>                 |                 |
>                 |        .     .  |
>                 |       + o o o ..|
>                 |      + S o +.o o|
>                 |       = .   =+ .|
>                 |     .o.o   oo E |
>                 |   ...+o . .. . .|
>                 |  ..oo .o..      |
>                 +-----------------+
> 
> - Status: The certificate is NOT trusted. The certificate chain violates the signer's constraints. 
> *** PKI verification of server certificate failed...
> *** Fatal error: Error in the certificate.
> *** Handshake has failed
> GnuTLS error: Error in the certificate.

Thank you in advance
-- 
Andreas Freimuth
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CA-chain.crt
Type: application/pkix-cert
Size: 2092 bytes
Desc: not available
URL: </pipermail/attachments/20150630/61786779/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: server.crt
Type: application/pkix-cert
Size: 1021 bytes
Desc: not available
URL: </pipermail/attachments/20150630/61786779/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: server.key
Type: application/x-iwork-keynote-sffkey
Size: 522 bytes
Desc: not available
URL: </pipermail/attachments/20150630/61786779/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 538 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20150630/61786779/attachment.sig>
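To make it easier to reason about which constraint each name in the posted certificate hits, here is a small checker for the matching rules in RFC 5280 section 4.2.1.10 (dNSName subtrees, directoryName prefixes, and the "exclude every IP address" pattern) run over the values transcribed from the message above. This is an added example, not code from the original post and not GnuTLS's or OpenSSL's own validation logic; the class and function names are hypothetical, and the handling of a leading-dot constraint (`.foobar.com`) and of a host-like subject CN reflect common implementation behaviour rather than the letter of the RFC.

```python
"""
Added example (not from the original post): a pure-Python RFC 5280 name
constraints checker, evaluated over the CA constraints and server names
quoted in the message. Names and values below are transcribed from the
e-mail; the code itself is neither GnuTLS's nor OpenSSL's.
"""
from dataclasses import dataclass, field

# A DN is modelled as an ordered tuple of (attribute, value) pairs.
DN = tuple


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 4.2.1.10 dNSName rule: constraint 'foobar.com' covers
    'foobar.com' itself and every host ending in '.foobar.com'.
    'evilfoobar.com' must NOT match, hence the explicit dot.
    A leading-dot constraint ('.foobar.com') is normalised to the same form
    (an implementation choice, not spelled out in the RFC)."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".").lstrip(".")
    return name == base or name.endswith("." + base)


def dn_in_subtree(subject: DN, base: DN) -> bool:
    """directoryName rule: the subject DN must begin with the constraint DN's
    RDNs, in order. 'C=US, O=Foo Bar Inc.' therefore permits
    'C=US, O=Foo Bar Inc., CN=anything'."""
    if len(base) > len(subject):
        return False
    return all(s == b for s, b in zip(subject, base))


@dataclass
class NameConstraints:
    permitted_dns: list = field(default_factory=list)
    excluded_dns: list = field(default_factory=list)
    permitted_dn: list = field(default_factory=list)  # list of DN tuples
    all_ips_excluded: bool = False  # 0.0.0.0/0 and ::/0 both listed as excluded


def check_dns(name: str, nc: NameConstraints):
    """Return (ok, reason) for one dNSName. Excluded subtrees win over
    permitted ones; an empty permitted list means 'no restriction'."""
    for ex in nc.excluded_dns:
        if dns_in_subtree(name, ex):
            return False, f"{name}: inside excluded subtree {ex}"
    if nc.permitted_dns and not any(dns_in_subtree(name, p) for p in nc.permitted_dns):
        return False, f"{name}: outside every permitted DNS subtree"
    return True, f"{name}: permitted"


def check_subject(subject: DN, nc: NameConstraints):
    if nc.permitted_dn and not any(dn_in_subtree(subject, b) for b in nc.permitted_dn):
        return False, "subject DN: outside permitted directoryName subtrees"
    return True, "subject DN: permitted"


def check_certificate(subject: DN, san_dns, san_ips, nc: NameConstraints):
    """Evaluate every constrained name form and return a list of (ok, reason)."""
    results = [check_subject(subject, nc)]
    # Some validators also treat a host-like CN as a dNSName; check it too so
    # the reader sees that it would pass here either way.
    cn = dict(subject).get("CN")
    if cn and "." in cn:
        results.append(check_dns(cn, nc))
    results.extend(check_dns(n, nc) for n in san_dns)
    for ip in san_ips:
        if nc.all_ips_excluded:
            results.append((False, f"{ip}: every iPAddress is excluded"))
        else:
            results.append((True, f"{ip}: permitted"))
    return results


def chain_ok(results) -> bool:
    return all(ok for ok, _ in results)


# Values transcribed from the post (constructed test data, not parsed from the .crt files).
CA_CONSTRAINTS = NameConstraints(
    permitted_dns=["foobar.com", "foobar.email"],
    excluded_dns=["www.foobar.com", "www.foobar.email"],
    permitted_dn=[(("C", "US"), ("O", "Foo Bar Inc."))],
    all_ips_excluded=True,
)
SERVER_SUBJECT = (("C", "US"), ("O", "Foo Bar Inc."), ("CN", "bazz.foobar.com"))
SERVER_SAN_DNS = ["update.foobar.com", "mx.foobar.email"]
SERVER_SAN_IPS = []  # the posted server.crt lists no IP SANs

if __name__ == "__main__":
    results = check_certificate(SERVER_SUBJECT, SERVER_SAN_DNS, SERVER_SAN_IPS, CA_CONSTRAINTS)
    for ok, reason in results:
        print("OK  " if ok else "FAIL", reason)
    print("chain within constraints:", chain_ok(results))
```

Running it shows each posted name landing inside a permitted subtree and outside both excluded ones, which is the same conclusion `openssl verify` reaches; `www.foobar.com` or any IP SAN would be reported as excluded, and a host such as `evilfoobar.com` is correctly not treated as inside `foobar.com`. Whether a given validator applies these rules exactly as written is precisely the question the post raises, so the script is a reference for the expected result, not a verdict on either library.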