help-gnutls

Re: [Help-gnutls] Key usage violation in certificate


From: Daniel Kahn Gillmor
Subject: Re: [Help-gnutls] Key usage violation in certificate
Date: Thu, 30 Oct 2008 20:27:45 -0400
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)

On Thu 2008-10-30 18:40:26 -0400, Kevin P. Fleming wrote:

> I've rebuilt the server's cert with the X509v3 Key Usage set to 'Digital
> Signature' and 'Key Encipherment', but that has not solved the problem.
>
> Can someone please connect to https://origsvn.digium.com and tell me why
> GNUTLS won't accept the server's cert? Thanks.

I can't seem to connect to your server with either openssl or gnutls,
actually.  Can you?  

[0 address@hidden ~]$ openssl s_client -showcerts -verify 5 -connect origsvn.digium.com:443
verify depth is 5
CONNECTED(00000003)
depth=1 /C=US/ST=Alabama/L=Huntsville/O=Digium, Inc./OU=Asterisk Development Team/CN=Digium SVN CA/address@hidden
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 /C=US/ST=Alabama/L=Huntsville/O=Digium, Inc./OU=Asterisk Development Team/CN=Digium SVN CA/address@hidden
verify return:1
depth=0 /C=US/ST=Alabama/L=Huntsville/O=Digium/OU=Asterisk Development Team/CN=origsvn.digium.com/address@hidden
verify return:1
28424:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1053:SSL alert number 40
28424:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
[0 address@hidden ~]$ gnutls-cli --verbose  origsvn.digium.com --port 443
Resolving 'origsvn.digium.com'...
Connecting to '216.207.245.42:443'...
- Server's trusted authorities:
   [0]: C=US,ST=Alabama,L=Huntsville,O=Digium\, Inc.,OU=Asterisk Development Team,CN=Digium SVN CA,address@hidden
- Successfully sent 0 certificate(s) to server.
*** Fatal error: A TLS fatal alert has been received.
*** Received alert [40]: Handshake failed
*** Handshake has failed
GNUTLS ERROR: A TLS fatal alert has been received.
[1 address@hidden ~]$ 

I can apparently connect to it with LibNSS-based clients (ssltap and
iceweasel), but that's it. :(

   --dkg
