Re: [Help-gnutls] Key usage violation in certificate
From: Daniel Kahn Gillmor
Subject: Re: [Help-gnutls] Key usage violation in certificate
Date: Thu, 30 Oct 2008 20:27:45 -0400
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)
On Thu 2008-10-30 18:40:26 -0400, Kevin P. Fleming wrote:
> I've rebuilt the server's cert with the X509v3 Key Usage set to 'Digital
> Signature' and 'Key Encipherment', but that has not solved the problem.
>
> Can someone please connect to https://origsvn.digium.com and tell me why
> GNUTLS won't accept the server's cert? Thanks.
I can't seem to connect to your server with either openssl or gnutls,
actually. Can you?
[0 address@hidden ~]$ openssl s_client -showcerts -verify 5 -connect origsvn.digium.com:443
verify depth is 5
CONNECTED(00000003)
depth=1 /C=US/ST=Alabama/L=Huntsville/O=Digium, Inc./OU=Asterisk Development Team/CN=Digium SVN CA/address@hidden
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 /C=US/ST=Alabama/L=Huntsville/O=Digium, Inc./OU=Asterisk Development Team/CN=Digium SVN CA/address@hidden
verify return:1
depth=0 /C=US/ST=Alabama/L=Huntsville/O=Digium/OU=Asterisk Development Team/CN=origsvn.digium.com/address@hidden
verify return:1
28424:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
28424:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
[0 address@hidden ~]$ gnutls-cli --verbose origsvn.digium.com --port 443
Resolving 'origsvn.digium.com'...
Connecting to '216.207.245.42:443'...
- Server's trusted authorities:
[0]: C=US,ST=Alabama,L=Huntsville,O=Digium\, Inc.,OU=Asterisk Development Team,CN=Digium SVN CA,address@hidden
- Successfully sent 0 certificate(s) to server.
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
[1 address@hidden ~]$
I can apparently connect to it with LibNSS-based clients (ssltap and
iceweasel), but that's it. :(
--dkg