[Pkg-gnutls-maint] Bug#481132: libgnutls26: flags key usage error where OpenSSL does not

brian m. carlson sandals at crustytoothpaste.ath.cx
Tue May 13 23:09:01 UTC 2008


Package: libgnutls26
Version: 2.2.3-1
Severity: important

I regenerated my SSL certificates today (due to the security advisory)
and mutt now refuses to connect to my SMTP server with STARTTLS.  This
is obviously unsuitable.

Using cyrus-clients-2.3's smtptest (which uses OpenSSL) does not object
to the certificate.  You can find the old certificate, which worked
fine, at
http://crustytoothpaste.ath.cx/cgi-bin/pyca/view-cert.py/ServerCerts/server?18
.  I generated them exactly the same way, and they appear to have
exactly the same extensions.  The MTA is sendmail, which uses OpenSSL.

Feel free to test against my machine if you want.

Transcript of session:

lakeview ok % gnutls-cli -p 587 -s crustytoothpaste.ath.cx
Resolving 'crustytoothpaste.ath.cx'...
Connecting to '172.16.0.1:587'...

- Simple Client Mode:

220 crustytoothpaste.ath.cx ESMTP spoken here
EHLO lakeview.crustytoothpaste.ath.cx
250-crustytoothpaste.ath.cx Hello [172.16.3.249], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 15000000
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS
*** Starting TLS handshake
*** Fatal error: Key usage violation in certificate has been detected.
*** Handshake has failed


-- System Information:
Debian Release: lenny/sid
    APT prefers unstable
    APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnutls26 depends on:
ii  libc6                  2.7-11            GNU C Library: Shared libraries
ii  libgcrypt11            1.4.1-1           LGPL Crypto library - runtime libr
ii  libgpg-error0          1.4-2             library for common error values an
ii  libopencdk10           0.6.6-1           Open Crypto Development Kit (OpenC
ii  libtasn1-3             1.4-1             Manage ASN.1 structures (runtime)
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

libgnutls26 recommends no packages.

-- no debconf information

-- 
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
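
Added example, not part of the original report and not GnuTLS or OpenSSL code: a small Python sketch of the kind of check behind a "Key usage violation" error. It decodes a certificate's keyUsage bits and lists the TLS key exchanges that a client enforcing RFC 5246 section 7.4.2 would refuse. The hex values are constructed samples, and the report does not show which bits the regenerated certificate carries.

```python
# Added example: KeyUsage bit names in bit order (RFC 5280, section 4.2.1.3).
KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly")

# Bit the server certificate needs for each key exchange when the extension
# is present (RFC 5246, section 7.4.2). Only a subset of exchanges is listed.
REQUIRED_BIT = {
    "RSA": "keyEncipherment",
    "DHE_RSA": "digitalSignature",
    "ECDHE_RSA": "digitalSignature",
    "ECDHE_ECDSA": "digitalSignature",
    "DH_RSA": "keyAgreement",
    "ECDH_RSA": "keyAgreement",
}

def parse_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried in the keyUsage extension value."""
    if len(der) < 4 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING with content")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected BIT STRING length")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    total_bits = len(payload) * 8 - unused
    return {name for i, name in enumerate(KEY_USAGE_BITS)
            if i < total_bits and payload[i // 8] & (0x80 >> (i % 8))}

def permits(key_usage, kx: str) -> bool:
    """key_usage is None when the certificate has no keyUsage extension."""
    return key_usage is None or REQUIRED_BIT[kx] in key_usage

def violations(key_usage) -> list:
    """Key exchanges a strict client would reject for this certificate."""
    return sorted(kx for kx in REQUIRED_BIT if not permits(key_usage, kx))

# Constructed sample values, not taken from the certificate in the report.
SIGN_ONLY = bytes.fromhex("03020780")         # digitalSignature
SIGN_AND_ENCRYPT = bytes.fromhex("030205a0")  # digitalSignature, keyEncipherment

if __name__ == "__main__":
    for label, der in (("sign-only", SIGN_ONLY), ("sign+encrypt", SIGN_AND_ENCRYPT)):
        usage = parse_key_usage(der)
        print(f"{label}: {sorted(usage)} rejected for {violations(usage)}")
```

A library that skips this comparison accepts both sample certificates for every key exchange, which is one way two TLS stacks can disagree about the same certificate.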