Fatal error: Key usage violation in certificate has been detected

Hi all,

I used freepops [*] to download my email from my provider (www.alice.it). If freepops uses the https protocol I get the following error

    *** Fatal error: Key usage violation in certificate has been detected.
    *** Handshake has failed

After googling, I discovered that:
- freepops uses the GNU tls library
- the error message seems to be a GNU tls library error
- the problem is also reproducible with the following command

    ghigo@venice:~$ gnutls-cli -p 443 authsrs.alice.it
    Resolving 'authsrs.alice.it'...
    Connecting to '81.74.238.31:443'...
    *** Fatal error: Key usage violation in certificate has been detected.
    *** Handshake has failed
    GNUTLS ERROR: Key usage violation in certificate has been detected.

Note: "authsrs.alice.it" is the server responsible for the user authentication of the webmail interface.

My idea is that there is a problem between the authsrs.alice.it https certificate and gnutls, that causes the freepops failure. I am not an expert about the certificates. Looking in the gnutls mailing list, I found some similar bug reports, and in these cases the conclusions were an incorrect certificate.

Could someone help me to confirm that the problem is the certificate even in this case? And if it is the case (and I think that it IS the case), which possible workarounds exist?

TIA & BR
G.Baroncelli.

NB: please cc me in the reply, because I am not subscribed to the mailing list.

[*] FreePOPs allows access to the most varied resources through the POP3 protocol. Mainly, it can be used to download mail from a webmail interface, when a pop3 protocol is not available.

--
gpg key@ keyserver.linux.it: Goffredo Baroncelli (ghigo) <kreijackATinwind.it>
Key fingerprint = 4769 7E51 5293 D36C 814E C054 BF04 F161 3DC5 0512

_______________________________________________
Gnutls-devel mailing list
Gnutls-devel@...
http://lists.gnu.org/mailman/listinfo/gnutls-devel
Re: Fatal error: Key usage violation in certificate has been detected

On 10/23/2009 01:46 PM, Goffredo Baroncelli wrote:
> Could someone help me to confirm that the problem is
> the certificate even in this case?

here's a quick way to check with openssl (sorry i'm not using gnutls tools -- if someone wants to show the same thing with gnutls tools i'd gladly learn).

    0 dkg@pip:~$ echo | openssl s_client -connect google.com:443 2>/dev/null | openssl x509 -noout -text | grep -i -A1 usage
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
    0 dkg@pip:~$ echo | openssl s_client -connect authsrs.alice.it:443 2>/dev/null | openssl x509 -noout -text | grep -i -A1 usage
                X509v3 Key Usage:
                    Key Encipherment
    0 dkg@pip:~$

note that google's certificate allows "TLS Web Server Authentication", but authsrs.alice.it's certificate does not. I think that's the root of your problem.

> And if it is the case (and I think that it IS the case), which possible
> workarounds exist ?

Maybe there's a GnuTLS priority string you can set to disable usage flag checking as a workaround? if there is, i couldn't find it here:

http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#gnutls_priority_set

seems like they should really use a certificate with the right usage flags set, though.

hth,

--dkg
Re: Fatal error: Key usage violation in certificate has been detected

Daniel Kahn Gillmor wrote:
>> And if it is the case (and I think that it IS the case), which possible
>> workarounds exist ?
>
> Maybe there's a GnuTLS priority string you can set to disable usage flag
> checking as a workaround? if there is, i couldn't find it here:
>
> http://www.gnu.org/software/gnutls/manual/html_node/Core-functions.html#gnutls_priority_set
>
> seems like they should really use a certificate with the right usage
> flags set, though.

I can see that the certificate allows:

    X509v3 Key Usage:
        Key Encipherment

and that means it will issue key usage violation for all ciphersuites except for RSA (not even DHE-RSA, just RSA). Thus the server sending this certificate must be configured to disable all other ciphersuites.

regards,
Nikos
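The check discussed in the last reply, as an added example that is not part of the original thread: it reads the Key Usage line from `openssl x509 -noout -text` output and reports which key exchanges a client enforcing keyUsage would accept. The usage-to-key-exchange mapping is taken from RFC 5246 section 7.4.2 (an assumption brought in here, not stated in the thread), the function names are hypothetical, and the sample inputs are constructed.

```python
import re

# keyUsage bit each TLS key exchange needs in the server certificate
# (assumption: mapping from RFC 5246, section 7.4.2).
REQUIRED_USAGE = {
    "RSA": "Key Encipherment",         # client encrypts the premaster secret to the server key
    "DHE_RSA": "Digital Signature",    # server signs its ephemeral DH parameters
    "ECDHE_RSA": "Digital Signature",  # server signs its ephemeral ECDH parameters
}

# Constructed samples in the layout printed by `openssl x509 -noout -text`.
KEY_ENCIPHERMENT_ONLY = """\
            X509v3 Key Usage:
                Key Encipherment
"""
SIGN_AND_ENCIPHER = """\
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
"""
NO_KEY_USAGE = """\
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
"""


def parse_key_usage(x509_text):
    """Return the set of Key Usage names, or None if the extension is absent."""
    lines = x509_text.splitlines()
    for i, line in enumerate(lines):
        # Matches "X509v3 Key Usage:" but not "X509v3 Extended Key Usage:".
        if re.match(r"\s*X509v3 Key Usage:", line) and i + 1 < len(lines):
            return {u.strip() for u in lines[i + 1].split(",") if u.strip()}
    return None


def allowed_key_exchanges(x509_text):
    """Key exchanges a keyUsage-enforcing client accepts for this certificate."""
    usage = parse_key_usage(x509_text)
    if usage is None:  # no Key Usage extension: the key is not restricted
        return sorted(REQUIRED_USAGE)
    return sorted(kx for kx, bit in REQUIRED_USAGE.items() if bit in usage)


if __name__ == "__main__":
    for name in ("KEY_ENCIPHERMENT_ONLY", "SIGN_AND_ENCIPHER", "NO_KEY_USAGE"):
        print(name, allowed_key_exchanges(globals()[name]))
```

To run it against a live server, feed it the text produced by the `openssl s_client ... | openssl x509 -noout -text` pipeline shown earlier in the thread.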