gnutls-devel

Re: Fatal error: Key usage violation in certificate has been detected


From: Daniel Kahn Gillmor
Subject: Re: Fatal error: Key usage violation in certificate has been detected
Date: Fri, 23 Oct 2009 17:09:27 -0400
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090701)

On 10/23/2009 01:46 PM, Goffredo Baroncelli wrote:
> Could someone help me to confirm that the problem is 
> the certificate even in this case?

here's a quick way to check with openssl (sorry i'm not using gnutls tools
-- if someone wants to show the same thing with gnutls tools i'd gladly
learn).

0 address@hidden:~$ echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -text  | grep -i -A1 usage
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
0 address@hidden:~$ echo | openssl s_client -connect authsrs.alice.it:443 2>/dev/null | openssl x509 -noout -text  | grep -i -A1 usage
            X509v3 Key Usage: 
                Key Encipherment
0 address@hidden:~$ 

note that google's certificate allows "TLS Web Server Authentication",
but authsrs.alice.it's certificate does not.  I think that's the root
of your problem.

> And if it is the case (and I think that it IS the case), which possible 
> workarounds exist?

Maybe there's a GnuTLS priority string you can set to disable usage flag
checking as a workaround?  if there is, i couldn't find it here:

http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#gnutls_priority_set

seems like they should really use a certificate with the right usage 
flags set, though.

hth,

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature
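
Added example, not part of the original message or of GnuTLS: a shell check that reads `openssl x509 -noout -text` output and reports Key Usage and Extended Key Usage separately, which the `grep -i -A1 usage` above does not distinguish. It goes beyond the message by also testing Key Usage against the key-exchange family, assuming the TLS 1.2 rules (RFC 5246 section 7.4.2: RSA key exchange needs keyEncipherment, DHE/ECDHE with an RSA certificate needs digitalSignature) and that an absent extension imposes no restriction (RFC 5280); the function names and sample texts are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Input on stdin is the text
# printed by `openssl x509 -noout -text`.

# Print the value line under the extension header $1, or nothing if absent.
# Anchoring at line start keeps "X509v3 Key Usage" from matching the
# "X509v3 Extended Key Usage" header, which `grep -i usage` cannot do.
ext_value() {
    awk -v name="$1" '
        found { sub(/^[ \t]+/, ""); print; exit }
        { line = $0; sub(/^[ \t]+/, "", line)
          if (line ~ ("^" name ":")) found = 1 }'
}

# check_cert KX  (KX = rsa | dhe). Returns 0 and prints "ok" if the key may
# be used by a TLS server for that key-exchange family.
check_cert() {
    text=$(cat)
    ku=$(printf '%s\n' "$text" | ext_value "X509v3 Key Usage")
    eku=$(printf '%s\n' "$text" | ext_value "X509v3 Extended Key Usage")
    case "$1" in
        rsa) need="Key Encipherment" ;;   # server decrypts the premaster secret
        dhe) need="Digital Signature" ;;  # server signs its (EC)DHE parameters
        *)   echo "unknown key exchange: $1" >&2; return 2 ;;
    esac
    # An absent extension imposes no restriction; a present one must list the use.
    if [ -n "$ku" ]; then
        case "$ku" in *"$need"*) ;; *) echo "key usage lacks: $need"; return 1 ;; esac
    fi
    if [ -n "$eku" ]; then
        case "$eku" in *"TLS Web Server Authentication"*) ;;
            *) echo "extended key usage lacks: TLS Web Server Authentication"; return 1 ;;
        esac
    fi
    echo "ok"
}

# Constructed samples shaped like the two outputs quoted in the message.
SAMPLE_EKU_ONLY='            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'
SAMPLE_KU_ONLY='            X509v3 Key Usage:
                Key Encipherment'

for kx in rsa dhe; do
    printf '%s: ' "$kx"
    printf '%s\n' "$SAMPLE_KU_ONLY" | check_cert "$kx" || true
done
```

To check a live server, pipe the message's `openssl s_client ... | openssl x509 -noout -text` pipeline into `check_cert rsa` or `check_cert dhe` in place of the `grep`.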

