Patches gpg-agent + scute for ssl/tls auth using opengpg card with 2048 rsa key

Oliver Winker oliverml1 at
Tue Sep 2 21:45:46 CEST 2014


On Tuesday 02 September 2014 14:17:40 Damien Goutte-Gattat wrote:
> First of all, your patches work for me and I thank you for that, I was
> struggling to make Scute work with a recent Firefox.

Good :)

> But, are you sure this has anything to do with the size of the RSA key?

No ;)

> It seems that the problem you are addressing is rather caused by a
> change between TLS 1.1 (or less) and TLS 1.2.

Very well possible. I'm not enough in these protocol details to tell for sure. 
Just debugged it and worked through the error path. 

> Indeed, disabling TLS 1.2 in Firefox (by setting the variable
> security.tls.version.max to "2" instead of "3" in about:config) is
> enough to make Scute work for me, even with a 2048-bit RSA key and even
> without your patches.
> According to a bug report in Mozilla’s NSS library [1], the change
> introduced by TLS 1.2 is that the data to be signed is no longer a
> "MD5+SHA1 hash" (36 bytes, which is the length expected by GPG-Agent),
> but is instead an ASN.1 structure representing a DigestInfo object (35
> or 51 bytes total, depending on the hash used).

This sounds indeed interesting and plausible then. 

Actually therefore I submitted the patch with some "imprecision margin", so 
that someone who better knows the subjects can put these details right.

Best Regards, Oliver

More information about the Gnupg-devel mailing list