How to detect the source of message: GnuTLS erro -48: Key usage violation in certificate has been detected
I am having an issue with FileZilla on lastest version, everytime I try connect on my ftp pure-ftpd server I get this message and can not connect:
GnuTLS erro -48: Key usage violation in certificate has been detected.
My certificates are self-signed and made from this tutorial:
With the changes:
CA-ROOT
key_Usage = critical, digitalSignature, cRLSign, keyCertSign
basicConstraints = critical, CA:true
CA-TLS
key_Usage = critical, digitalSignature, cRLSign, keyCertSign
basicConstraints = critical, CA:true, pathlen:0
TLS Server Certificate
key_Usage = critical, digitalSignature, keyAgreement
basicConstraints = critical, CA:false
extendKeyUsage = critical, serverAuth, clientAuth
From pure-ftpd I have set:
TLSCipherSuite HIGH
This include:
all ciphers using greater than 128-bit encryption
Reading the GNU documentation I have noticed:
Answer: The server you have tried to connect has its certificate
marked for encryption-only but the server uses it with a ciphersuite
that requires signing (or vice-versa). This is either due to an
attack, or due to a serious server misconfiguration. Contact the
server administrator. Because this misconfiguration problem is
widespread, other TLS/SSL implementations used by popular browsers
tolerate the violation, and several servers negotiate ciphersuites not
allowed by the certificate, newer versions of GnuTLS will also allow
such key usage violations (and will only output a warning message).
Since I have not limited the Ciphers (TLSCipherSuite HIGH), or in other words all ciphers (128 bits+) are avaliable, this is ok right?
Someone would give me please an advice where search to fix this issue?
Using old versions of FileZilla I can connect and the data about connection is:
Protocol = TLS1.2
key = ECDHE-RSA
Cipher = AES-128-GCM
MAC = AEAD
The tests about certs and concatenation are ok too, example:
openssl verify -verbose -CAfile /etc/ssl/certs/root.pem
/etc/ssl/certs/intermediate.pem
Results ok
cat /etc/ssl/certs/intermediate.pem /etc/ssl/certs/root.pem >
/tmp/test.logopenssl verify -verbose -CAfile /tmp/test.log
/etc/ssl/certs/pure-ftpd.pem
Results ok
My Web Server (Apache) with same setup works fine, and pass on all certificate online tests, the only warning is about be self-signed… On my Web Server the enabled ciphers are:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC030) 256 ECDH 256-bit
(P-256) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xC02F) 128
ECDH 256-bit (P-256) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
(0xC028) 256 ECDH 256-bit (P-256)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xC027) 128 ECDH 256-bit
(P-256) TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014) 256 ECDH
256-bit (P-256) TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xC013)
128 ECDH 256-bit (P-256) TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
(0x9F) 256 DH 4096-bit TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
(0x9E) 128 DH 4096-bit TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
(0x6B) 256 DH 4096-bit TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
(0x67) 128 DH 4096-bit TLS_DHE_RSA_WITH_AES_256_CBC_SHA
(0x39) 256 DH 4096-bit TLS_DHE_RSA_WITH_AES_128_CBC_SHA
(0x33) 128 DH 4096-bit
Thanks in advice for all help!!!