
curl-library

Key use of test certificate

From: Dan Fandrich <dan_at_coneharvesters.com>
Date: Wed, 23 Jul 2014 00:27:23 +0200

I looked into why test 310 is failing to run on a CyaSSL build with a
"failed starting HTTPS server (stunnel)" error. The answer is that the server
verification is failing with

  * SSL_connect failed with error -283: Key Use digitalSignature not set Error

CyaSSL doesn't like that the certificate that stunnel is using
(tests/certs/Server-localhost-sv.pem) does not have the digitalSignature key
usage extension bit 0x100 set. The certificate does have the
keyEncipherment bit set, but no others. I'm no X.509 expert, but my reading of
RFC 5280 is that this bit is not needed when verifying certificate signatures,
which I imagine is all that's needed here. If that's the case, then CyaSSL is
in the wrong. Otherwise, we'd have to regenerate that cert to add the bit.
However, checking random certs on web sites, 9 out of 10 had both bits set, so
for that reason I'm leaning towards regenerating our certs with this bit.

Does anyone have any idea which side is right here?

>>> Dan
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-07-23
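To make the key-usage bits discussed above concrete, here is an added Python example (not curl, stunnel or CyaSSL code) that decodes a DER-encoded KeyUsage extension value as defined in RFC 5280 section 4.2.1.3 and reports which TLS 1.2 key-exchange families an RSA server certificate with those bits may be used for, per the table in RFC 5246 section 7.4.2 (keyEncipherment for RSA key transport, digitalSignature for signed DHE/ECDHE). The DER byte strings are constructed stand-ins, including one with only keyEncipherment set to mirror the stunnel certificate described in the mail; the function names are my own.

```python
"""Decode an X.509 KeyUsage extension value and map it to TLS key-exchange use.

Added example for the curl-library discussion; not curl/stunnel/CyaSSL code.
"""

# RFC 5280 section 4.2.1.3: KeyUsage ::= BIT STRING { ... }, bit 0 first.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (also called contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(der: bytes) -> set:
    """Return the set of KeyUsage bit names set in a DER BIT STRING.

    The extension value is: 0x03 (BIT STRING tag), short-form length,
    one octet giving the number of unused trailing bits, then the bits
    numbered from the most significant bit of the first octet.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("bad or unsupported (long-form) length")
    unused = der[2]
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("invalid unused-bits count")
    total_bits = len(body) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def tls_rsa_key_exchange_allowed(usage: set) -> dict:
    """Map KeyUsage bits to TLS 1.2 key-exchange families for an RSA server key.

    RFC 5246 section 7.4.2: RSA key transport requires keyEncipherment,
    DHE_RSA/ECDHE_RSA require digitalSignature, when the extension is present.
    """
    return {
        "RSA key transport (TLS_RSA_*)": "keyEncipherment" in usage,
        "signed ephemeral DH/ECDH (TLS_DHE_RSA_*, TLS_ECDHE_RSA_*)":
            "digitalSignature" in usage,
    }


# Constructed sample values (hypothetical, not extracted from any real cert):
SAMPLES = {
    "keyEncipherment only (like the stunnel cert in the mail)": bytes.fromhex("03020520"),
    "digitalSignature + keyEncipherment (typical web server cert)": bytes.fromhex("030205a0"),
    "digitalSignature only": bytes.fromhex("03020780"),
    "decipherOnly (needs a second octet)": bytes.fromhex("0303070080"),
}

if __name__ == "__main__":
    for label, der in SAMPLES.items():
        usage = decode_key_usage(der)
        print(f"{label}: {sorted(usage)}")
        for family, ok in tls_rsa_key_exchange_allowed(usage).items():
            print(f"    {'allowed' if ok else 'NOT allowed'}: {family}")
```

Running it shows that a certificate carrying only keyEncipherment is usable for RSA key-transport cipher suites but not for the signed (EC)DHE suites, where the server signs its ephemeral key-exchange parameters with the certificate key; a verifier that rejects it outright is being stricter than the key-exchange mode in use may require, while a certificate with both bits set works with either family.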