Re: Fatal error: Key usage violation in certificate has been detected
From: Daniel Kahn Gillmor
Subject: Re: Fatal error: Key usage violation in certificate has been detected
Date: Fri, 23 Oct 2009 17:09:27 -0400
User-agent: Mozilla-Thunderbird 2.0.0.22 (X11/20090701)
On 10/23/2009 01:46 PM, Goffredo Baroncelli wrote:
> Could someone help me to confirm that the problem is
> the certificate even in this case?
here's a quick way to check with openssl (sorry i'm not using gnutls tools
-- if someone wants to show the same thing with gnutls tools i'd gladly
learn).
0 address@hidden:~$ echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -text | grep -i -A1 usage
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
0 address@hidden:~$ echo | openssl s_client -connect authsrs.alice.it:443 2>/dev/null | openssl x509 -noout -text | grep -i -A1 usage
            X509v3 Key Usage:
                Key Encipherment
0 address@hidden:~$
note that google's certificate allows "TLS Web Server Authentication",
but authsrs.alice.it's certificate does not. I think that's the root
of your problem.
> And if it is the case (and I think that it IS the case), which possible
> workarounds exist?
Maybe there's a GnuTLS priority string you can set to disable usage flag
checking as a workaround? if there is, i couldn't find it here:
http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#gnutls_priority_set
seems like they should really use a certificate with the right usage
flags set, though.
hth,
--dkg
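
Added example, not part of the original message: a shell function (hypothetical name `tls_server_usage`) that reads the same `openssl x509 -noout -text` output and reports what the Key Usage and Extended Key Usage extensions permit for a TLS server. It assumes the TLS 1.2 rules of RFC 5246 section 7.4.2 and the RFC 5280 rule that an absent extension imposes no restriction; the two samples are constructed from the outputs quoted in the message.

```shell
# Added example (function name is hypothetical, samples are constructed).
# Reads `openssl x509 -noout -text` output on stdin and reports whether the
# usage extensions permit each TLS server role. Assumed rules: RFC 5246
# section 7.4.2 (keyUsage per key exchange) and RFC 5280 (extendedKeyUsage).
tls_server_usage() {
    awk '
        # openssl prints the extension value on the line after its header.
        /X509v3 Key Usage:/          { getline; ku = $0; has_ku = 1; next }
        /X509v3 Extended Key Usage:/ { getline; eku = $0; has_eku = 1; next }
        function verdict(present, value, wanted) {
            if (!present) return "unrestricted"   # absent extension: no limit
            return (value ~ wanted) ? "allowed" : "forbidden"
        }
        END {
            # RSA key exchange decrypts the premaster secret: keyEncipherment.
            print "rsa-key-exchange: " verdict(has_ku, ku, "Key Encipherment")
            # DHE/ECDHE suites sign the server parameters: digitalSignature.
            print "signed-key-exchange: " verdict(has_ku, ku, "Digital Signature")
            # If EKU is present it must list serverAuth (or anyExtendedKeyUsage).
            print "server-auth-eku: " verdict(has_eku, eku, "TLS Web Server Authentication|Any Extended Key Usage")
        }
    '
}

# Constructed samples mirroring the two outputs shown in the message above.
sample_eku_only='            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication'
sample_ku_only='            X509v3 Key Usage:
                Key Encipherment'

printf '%s\n' "$sample_eku_only" | tls_server_usage
printf '%s\n' "$sample_ku_only"  | tls_server_usage
```

Against a live host, pipe the `openssl s_client ... | openssl x509 -noout -text` pipeline from the message into `tls_server_usage` in place of the `grep`.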