[Pkg-gnutls-maint] Bug#481132: Bug#481132: libgnutls26: flags key usage error where OpenSSL does not
Simon Josefsson
simon at josefsson.org
Wed May 14 15:42:45 UTC 2008
"brian m. carlson" <sandals at crustytoothpaste.ath.cx> writes:
> Package: libgnutls26
> Version: 2.2.3-1
> Severity: important
>
> I regenerated my SSL certificates today (due to the security advisory)
> and mutt now refuses to connect to my SMTP server with STARTTLS. This
> is obviously unsuitable.
>
> Using cyrus-clients-2.3's smtptest (which uses OpenSSL) does not object
> to the certificate. You can find the old certificate, which worked
> fine, at
> http://crustytoothpaste.ath.cx/cgi-bin/pyca/view-cert.py/ServerCerts/server?18
> . I generated them exactly the same way, and they appear to have
> exactly the same extensions. The MTA is sendmail, which uses OpenSSL.
>
> Feel free to test against my machine if you want.
>
> Transcript of session:
>
> lakeview ok % gnutls-cli -p 587 -s crustytoothpaste.ath.cx
Hi! Thanks for the report. Unfortunately, I think your certificate is
incorrect, you'll need the digitalSignature Key Usage Bit as well.
RFC 2246 and 4346:
DHE_RSA RSA public key that can be used for
signing.
...
All certificate profiles and key and cryptographic formats are
defined by the IETF PKIX working group [PKIX]. When a key usage
extension is present, the digitalSignature bit MUST be set for the
key to be eligible for signing, as described above, and the
keyEncipherment bit MUST be present to allow encryption, as described
above. The keyAgreement bit must be set on Diffie-Hellman
certificates.
See a similar recent report:
http://thread.gmane.org/gmane.comp.encryption.gpg.gnutls.devel/2788/focus=2789
/Simon
More information about the Pkg-gnutls-maint
mailing list