There is a test program in the gnutls tests/ directory called x509sign-verify.c. Can you modify it so that it reproduces the issue?
On Wed, Jun 10, 2015 at 10:24 PM, Jörg Weinhardt <[email protected]> wrote: > Hi, > > I am testing a HTTPS server and sometimes the SSL handshake fails and I > get an error at the Browser. > No I try to test the the HTTPS connection handshake only with GnuTLS and > therefore I'm using the following command line in a loop: > gnutls-cli -d 5 --verbose --insecure 192.168.92.217 < nul > > Version is gnutls-3.4.0-w32 > > Sometimes (about 1 of 50) I get the message > *** Fatal error: Public key signature verification has failed > > It is not clear for me what GnuTLS is complaining about. The HTTPS > Server should deliver always the same data. > > The debug output around the problem looks like this: > > |<3>| ASSERT: dn.c:315 > |<3>| ASSERT: dn.c:425 > |<3>| ASSERT: x509.c:551 > - Status: The certificate is NOT trusted. The certificate issuer is > unknown. The name in the certificate does not match the expec > *** PKI verification of server certificate failed... > |<3>| ASSERT: gnutls_buffers.c:1111 > |<4>| HSK[0060bfd8]: SERVER KEY EXCHANGE (12) was received. Length > 329[333], frag offset 0, frag length: 329, sequence: 0 > |<3>| ASSERT: gnutls_buffers.c:1346 > |<4>| HSK[0060bfd8]: Selected ECC curve SECP256R1 (2) > |<4>| HSK[0060bfd8]: verify handshake data: using RSA-SHA256 > |<3>| ASSERT: signature.c:329 > |<3>| ASSERT: pk.c:710 > |<3>| ASSERT: gnutls_pubkey.c:1946 > |<3>| ASSERT: gnutls_sig.c:258 > |<3>| ASSERT: gnutls_sig.c:353 > |<3>| ASSERT: cert.c:2214 > |<3>| ASSERT: gnutls_kx.c:474 > |<3>| ASSERT: gnutls_handshake.c:2782 > *** Fatal error: Public key signature verification has failed. > |<5>| REC: Sending Alert[2|80] - Internal error > > > If the handshake is ok it looks like this: > > > |<3>| ASSERT: dn.c:315 > |<3>| ASSERT: dn.c:425 > |<3>| ASSERT: x509.c:551 > - Status: The certificate is NOT trusted. The certificate issuer is > unknown. The name in the certificate does not match the expec > *** PKI verification of server certificate failed... > |<3>| ASSERT: gnutls_buffers.c:1111 > |<4>| HSK[004dbfd8]: SERVER KEY EXCHANGE (12) was received. Length > 329[333], frag offset 0, frag length: 329, sequence: 0 > |<3>| ASSERT: gnutls_buffers.c:1346 > |<4>| HSK[004dbfd8]: Selected ECC curve SECP256R1 (2) > |<4>| HSK[004dbfd8]: verify handshake data: using RSA-SHA256 > |<3>| ASSERT: signature.c:329 > |<3>| ASSERT: gnutls_buffers.c:1111 > |<4>| HSK[004dbfd8]: SERVER HELLO DONE (14) was received. Length 0[0], > frag offset 0, frag length: 1, sequence: 0 > |<3>| ASSERT: gnutls_buffers.c:1102 > |<3>| ASSERT: gnutls_buffers.c:1346 > |<3>| ASSERT: gnutls_buffers.c:1329 > |<4>| HSK[004dbfd8]: CLIENT KEY EXCHANGE was queued [70 bytes] > |<4>| REC[004dbfd8]: Sent ChangeCipherSpec > |<5>| REC[004dbfd8]: Initializing epoch #1 > > I would be happy for every hint which gets me closer to the problem. > > regards, > Joerg > > > > > > _______________________________________________ > Gnutls-help mailing list > [email protected] > http://lists.gnupg.org/mailman/listinfo/gnutls-help _______________________________________________ Gnutls-help mailing list [email protected] http://lists.gnupg.org/mailman/listinfo/gnutls-help
