Szerteszana²

grin's ramblings

Recording the fight won against gnuTLS

2012-02-29 22:56:11, written by grin
Maybe someone googles for this...

After an upgrade, exim TLS barfs on several connections saying
 (gnutls_handshake): Could not negotiate a supported cipher suite.
or maybe
 (gnutls_handshake): An unexpected TLS packet was received.

All these are caused by the fuckin' gnutls update, which starts vomiting all over the place when fed OpenSSL-generated key files and/or certificates. In my case I had to regenerate the certificate for the key by:
 certtool --generate-certificate --load-request host.req --outfile host.crt --load-ca-certificate CA/cacert.pem --load-ca-privkey CA/private/cakey.pem
but had to realise that certtool (of GNUTLS) simply cannot handle an encrypted CA key, and keeps giving completely stupid error messages, like
 certtool: importing --load-privkey: (null): Base64 decoding error.
and some may have realised that I did not even use the --load-privkey option. Oh well. Turned out it's the encrypted CA private key. So first it has to be decrypted, not by GNUTLS of course (since it chokes on it) but by openssl:
 openssl rsa < ca.key > ca-fsck.key
which is obviously a very secure way to handle a CA key. Anyway, now generate-certificate works and tries to create a new cert. Of course, extended fields are a long way off unless you go on and check all the possible options of the template.
After all this mess it works with the old host key and the new host certificate. Boo-hoo.
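An added pre-flight check, not part of the original post: certtool's "Base64 decoding error" above was really an encrypted CA key, so this standard-library Python script inspects a PEM file before it goes anywhere near certtool and reports whether the key is actually encrypted (legacy Proc-Type/DEK-Info headers or a PKCS#8 ENCRYPTED PRIVATE KEY label) or actually corrupt. The sample keys are constructed, not real, and certtool_preflight is a name made up for this example.

```python
import base64
import binascii
import re

# One PEM block; the label must match on the BEGIN and END lines.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_pem(text):
    """Return one dict per PEM block: label, RFC 1421 headers, encryption and base64 validity."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        label, lines, headers = m.group(1), m.group(2).splitlines(), {}
        # Legacy OpenSSL encryption shows up as header lines before a blank line:
        #   Proc-Type: 4,ENCRYPTED  /  DEK-Info: AES-256-CBC,<iv>
        while lines and ":" in lines[0]:
            key, value = lines.pop(0).split(":", 1)
            headers[key.strip()] = value.strip()
        body = "".join(line.strip() for line in lines)
        try:
            der_len, base64_ok = len(base64.b64decode(body, validate=True)), True
        except (binascii.Error, ValueError):
            der_len, base64_ok = 0, False   # a genuinely corrupt body, not an encrypted one
        # PKCS#8 carries the encryption flag in the label instead of a header.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or headers.get("Proc-Type", "").endswith("ENCRYPTED")
        blocks.append({"label": label, "headers": headers, "encrypted": encrypted,
                       "base64_ok": base64_ok, "der_len": der_len})
    return blocks

def certtool_preflight(ca_key_pem):
    """List what would make certtool reject this CA key; an empty list means it looks usable."""
    blocks = inspect_pem(ca_key_pem)
    problems = ["no PEM block found"] if not blocks else []
    for b in blocks:
        if not b["base64_ok"]:
            problems.append(f"{b['label']}: body is not valid base64")
        if b["encrypted"]:
            problems.append(f"{b['label']}: encrypted ({b['headers'].get('DEK-Info', 'PKCS#8')}), "
                            "decrypt it with openssl before handing it to certtool")
    return problems

# Constructed samples, not real keys: a legacy-encrypted CA key as OpenSSL writes it,
# an unencrypted key, and a corrupted file.
ENCRYPTED_CA_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
                    "Zm9vYmFyYmF6cXV4\n-----END RSA PRIVATE KEY-----\n")
PLAIN_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
             "MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu\n"
             "-----END RSA PRIVATE KEY-----\n")
BROKEN_KEY = "-----BEGIN RSA PRIVATE KEY-----\nnot base64!!\n-----END RSA PRIVATE KEY-----\n"
```

Run certtool_preflight on the CA key file before decrypting anything; if it comes back empty, the "Base64 decoding error" is not the encrypted-key problem described above.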
