On Wednesday 30 March 2005 18:19, Andreas Thienemann wrote:
> Hi,
> I'm having a problem with programs linked against gnutls 1.0.20 (and other
> versions).
> When connecting to our servers these tools fail the Handshake with the
> following message:
> #### snip ####
> ## [EMAIL PROTECTED] /tmp]# gnutls-cli
> ## ca.bawue.net
> ## Resolving 'ca.bawue.net'...
> ## Connecting to '193.7.176.6:443'...
> ## *** Fatal error: Key usage violation in certificate has been detected.
> ## *** Handshake has failed
> ## GNUTLS ERROR: Key usage violation in certificate has been detected.
> #### snip ####
> From my understanding of x509 keys, this means that the certificate is
> used in a way which does not correspond with the allowed usage cases.

Correct. Gnutls checks the key usage X.509 certificate extension. That is, for example, if the RSA key is marked encrypt only, you cannot use the DHE_RSA algorithm that requires signing.

> However, checking the cert with the openssl command gives the following
> info, which shows that there shouldn't be any problems as the key is
> cert is defined to be used as a SSL Server.

Use the output of certtool or the -text output of openssl x509. Try
./certtool -i <server.crt

> #### snip ####
> ## [EMAIL PROTECTED] /tmp]# openssl x509 -noout -purpose -in server.crt
> ## Certificate purposes:

gnutls does not check the purpose, but rather the key usage.

> thanks,
> andreas

--
Nikos Mavrogiannopoulos
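
The key usage check described in the reply above, as an added example that is not part of the original message and not GnuTLS code: it decodes a keyUsage extension value (DER BIT STRING, bit names per RFC 5280) and lists which TLS key exchanges an RSA server certificate may be used with. The function names, the `REQUIRED` table and the sample byte strings are constructed for illustration.

```python
# Added example: decode an X.509 keyUsage value and map it to TLS key exchanges.
# Bit order follows RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# What the server's RSA key must be permitted to do for each key exchange.
REQUIRED = {
    "RSA": "keyEncipherment",        # client encrypts the premaster secret to the key
    "DHE_RSA": "digitalSignature",   # server signs its DH parameters
    "ECDHE_RSA": "digitalSignature", # server signs its ECDH parameters
}

def parse_key_usage(der: bytes) -> set:
    """Parse a DER BIT STRING: tag 0x03, short-form length, unused-bit count, bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad BIT STRING length")
    unused, payload = der[2], der[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("bad unused-bit count")
    total_bits = len(payload) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[i // 8] & (0x80 >> (i % 8)):  # bit 0 is the most significant bit
            usages.add(KEY_USAGE_BITS[i])
    return usages

def allowed_key_exchanges(usages):
    """usages=None: no keyUsage extension present, so no restriction (RFC 5280)."""
    if usages is None:
        return sorted(REQUIRED)
    return sorted(kx for kx, bit in REQUIRED.items() if bit in usages)

if __name__ == "__main__":
    # Constructed sample values, not taken from the certificate in the thread.
    samples = {
        "encrypt only": bytes.fromhex("03020520"),
        "sign + encrypt": bytes.fromhex("030205a0"),
    }
    for label, der in samples.items():
        usages = parse_key_usage(der)
        print(label, sorted(usages), "->", allowed_key_exchanges(usages))
```

An "encrypt only" certificate leaves only the plain RSA key exchange available, which is the situation the reply describes for DHE_RSA.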
