How to detect the source of message: GnuTLS error -48: Key usage violation in certificate has been detected

I am having an issue with FileZilla on the latest version: every time I try to connect to my pure-ftpd FTP server I get this message and cannot connect:

GnuTLS error -48: Key usage violation in certificate has been detected.

My certificates are self-signed and made from this tutorial:

Advanced PKI

With the changes:

CA-ROOT

keyUsage = critical, digitalSignature, cRLSign, keyCertSign

basicConstraints = critical, CA:true

CA-TLS

keyUsage = critical, digitalSignature, cRLSign, keyCertSign

basicConstraints = critical, CA:true, pathlen:0

TLS Server Certificate

keyUsage = critical, digitalSignature, keyAgreement

basicConstraints = critical, CA:false

extendedKeyUsage = critical, serverAuth, clientAuth

In pure-ftpd I have set:

TLSCipherSuite HIGH

This includes:

all ciphers using greater than 128-bit encryption

Reading the GNU documentation I have noticed:

Answer: The server you have tried to connect has its certificate
marked for encryption-only but the server uses it with a ciphersuite
that requires signing (or vice-versa). This is either due to an
attack, or due to a serious server misconfiguration. Contact the
server administrator. Because this misconfiguration problem is
widespread, other TLS/SSL implementations used by popular browsers
tolerate the violation, and several servers negotiate ciphersuites not
allowed by the certificate, newer versions of GnuTLS will also allow
such key usage violations (and will only output a warning message).

Since I have not limited the ciphers (TLSCipherSuite HIGH), or in other words all ciphers (128 bits+) are available, this is OK, right?

Could someone please give me advice on where to look to fix this issue?

Using old versions of FileZilla I can connect, and the connection details are:

Protocol = TLS1.2

key = ECDHE-RSA

Cipher = AES-128-GCM

MAC = AEAD

The certificate and concatenation tests are OK too, for example:

openssl verify -verbose -CAfile /etc/ssl/certs/root.pem /etc/ssl/certs/intermediate.pem

Results ok

cat /etc/ssl/certs/intermediate.pem /etc/ssl/certs/root.pem > /tmp/test.log

openssl verify -verbose -CAfile /tmp/test.log /etc/ssl/certs/pure-ftpd.pem

Results ok

My web server (Apache) with the same setup works fine and passes all online certificate tests; the only warning is about being self-signed… On my web server the enabled ciphers are:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) 256 ECDH 256-bit (P-256)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) 128 ECDH 256-bit (P-256)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xC028) 256 ECDH 256-bit (P-256)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027) 128 ECDH 256-bit (P-256)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014) 256 ECDH 256-bit (P-256)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013) 128 ECDH 256-bit (P-256)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9F) 256 DH 4096-bit
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9E) 128 DH 4096-bit
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6B) 256 DH 4096-bit
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) 128 DH 4096-bit
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) 256 DH 4096-bit
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) 128 DH 4096-bit

Thanks in advance for all help!!!
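
The rule in the GnuTLS documentation quoted above (the certificate's key usage must permit what the negotiated ciphersuite does with the key) can be checked offline. The following is an added example, not part of the original post: it reads the Key Usage line from `openssl x509 -noout -text` output and reports which TLS 1.2 suites need a usage the certificate lacks, following RFC 5246 section 7.4.2. The certificate text is constructed from the server keyUsage values given in the post, and the third suite is a constructed entry with plain RSA key exchange.

```python
import re

# Key usage the server certificate must allow for each TLS 1.2 key exchange
# (RFC 5246 section 7.4.2); labels match openssl's text output.
REQUIRED = {
    "RSA": "Key Encipherment",
    **dict.fromkeys(["DHE_RSA", "ECDHE_RSA", "DHE_DSS", "ECDHE_ECDSA"], "Digital Signature"),
    **dict.fromkeys(["DH_RSA", "DH_DSS", "ECDH_RSA", "ECDH_ECDSA"], "Key Agreement"),
}

def parse_key_usage(x509_text):
    """Return the usages listed in `openssl x509 -noout -text` output, or
    None when there is no keyUsage extension (key is then unrestricted)."""
    m = re.search(r"X509v3 Key Usage:[^\n]*\n\s*([^\n]+)", x509_text)
    if m is None:
        return None
    return {u.strip() for u in m.group(1).split(",")}

def key_exchange(suite):
    """TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> ECDHE_RSA."""
    m = re.fullmatch(r"TLS_(.+?)_WITH_.+", suite)
    if m is None:
        raise ValueError(f"not an IANA TLS 1.2 suite name: {suite}")
    return m.group(1)

def violations(x509_text, suites):
    """List (suite, missing usage) pairs the certificate does not permit."""
    usage = parse_key_usage(x509_text)
    if usage is None:
        return []
    found = []
    for suite in suites:
        need = REQUIRED.get(key_exchange(suite))
        if need and need not in usage:
            found.append((suite, need))
    return found

# Constructed sample: extension block as openssl prints it for
# keyUsage = critical, digitalSignature, keyAgreement
SAMPLE_CERT_TEXT = """\
            X509v3 Key Usage: critical
                Digital Signature, Key Agreement
            X509v3 Extended Key Usage: critical
                TLS Web Server Authentication, TLS Web Client Authentication
"""
SAMPLE_SUITES = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
                 "TLS_RSA_WITH_AES_256_GCM_SHA384"]  # constructed, RSA key exchange

if __name__ == "__main__":
    for suite, need in violations(SAMPLE_CERT_TEXT, SAMPLE_SUITES):
        print(f"{suite}: certificate lacks '{need}'")
```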
