Kevin P. Fleming wrote:
> Nikos Mavrogiannopoulos wrote:
>
>> It seems gnutls fails because the (client) certificate it uses for
>> authentication doesn't support signing (and TLS client certificates
>> must support it).
>>
>> Check (with certtool -i) if the client certificate contains the
>> following lines:
>>
>> Key Usage (critical):
>> Digital signature.
>
> Yes, I used openssl's pkcs12 command to extract the cert from the .p12
> file that it lives in, then used 'certtool -i --infile cert.pem', and
> this is the output:

Could it be then that libneon selected a wrong certificate from the
pkcs12 file? Does it use gnutls_certificate_set_x509_simple_pkcs12_file()?

I quickly glanced at gnutls_certificate_set_x509_simple_pkcs12_file() and
it looks very simple, thus it might add the first certificate no matter if
it corresponds to the key. In that case it is a gnutls bug and will be
fixed. (workaround: use a single certificate in the pkcs12 file).

regards,
Nikos

_______________________________________________
Help-gnutls mailing list
http://lists.gnu.org/mailman/listinfo/help-gnutls
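
The two checks discussed in this message (does a certificate from the PKCS#12 bundle actually belong to the private key, and does it permit digital signatures), as an added example that is not part of the original message or of GnuTLS. It uses only the openssl command line; the helper names and file names are hypothetical, and the constructed sample data needs OpenSSL 1.1.1 or later for `-addext`.

```sh
#!/bin/sh
# Added example; file names and helper names are hypothetical.

# PEM-encoded public key of a private key file / of a certificate.
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Split a PEM bundle (such as the output of `openssl pkcs12 -nokeys`)
# into DIR/cert-1.pem, DIR/cert-2.pem, ... in bundle order.
split_bundle() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%d.pem", d, n) }
        f != "" { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# Print the first certificate whose public key equals the key's.
# Returns 1 when none matches, 2 when the key cannot be read.
matching_cert() {
    key=$1; shift
    want=$(key_pub "$key") || return 2
    for c in "$@"; do
        if [ "$(cert_pub "$c")" = "$want" ]; then
            printf '%s\n' "$c"
            return 0
        fi
    done
    return 1
}

# Succeeds if the certificate may be used for signing. A certificate
# with no Key Usage extension is treated here as unrestricted.
allows_signing() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'X509v3 Key Usage' || return 0
    printf '%s\n' "$text" | grep -A1 'X509v3 Key Usage' | grep -q 'Digital Signature'
}

# Constructed sample data: two self-signed certificates with different
# keys; only client.pem carries the digitalSignature bit.
make_demo() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=other \
        -addext keyUsage=critical,keyEncipherment \
        -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=client \
        -addext keyUsage=critical,digitalSignature \
        -keyout "$1/client.key" -out "$1/client.pem" 2>/dev/null &&
    cat "$1/other.pem" "$1/client.pem" > "$1/bundle.pem"
}
```

In the constructed bundle the matching certificate is second, so a loader that takes the first certificate would pair client.key with the wrong one; `matching_cert` returns cert-2.pem instead.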
