asn 1 parse error
Neil Spring
nspring@cs.washington.edu
Sat Oct 6 23:49:02 2001
This icky parse error can be fixed by increasing the size
of the extnValue buffer to 512. I didn't really play around
with other values between 128 and 512, and it might be
the case that an even larger buffer is necessary.
line 210 of x509_extensions.c. If you can make this
change before 0.2.4, I'd appreciate it.
I believe the extension that causes this overflow is the
following (from 'openssl x509 -in server.pem -text'):
X509v3 Authority Key Identifier:
keyid:D6:5D:C0:40:A6:D1:BA:35:D3:C4:4A:A0:26:B3:05:43:3C:FA:69:D5
DirName:/C=US/ST=Washington/L=Seattle/O=Univ Washington/CN=poplar.cs.washington.edu/Email=nspring@cs.washington.edu
serial:00
thanks,
-neil
On Sun, Sep 30, 2001 at 11:55:12PM -0700, Neil Spring wrote:
> Hi.
>
> I'm working on adding TLS support to wmbiff's IMAP client.
>
> I've got a successful client talking to my school's IMAP
> server, but it fails when handshaking with my home IMAP
> server. My imap server is either uw-imapd-ssl using the
> STARTTLS command or the same server behind sslwrap (both
> from Debian, both of which use openssl).
>
> I uncommented HANDSHAKE_DEBUG and DEBUG, and added
> an extra gnutls_log call where asn1_read_value fails and
> see the following output using 0.2.3. Lines that begin
> 'zarathustra' were generated by my program.
>
> zarathustra.saavie.org:143: got: a001 OK STARTTLS completed
> GNUTLS_ASSERT: gnutls_cert.c:231
> Handshake: CLIENT HELLO was send [50 bytes]
> Handshake: SERVER HELLO was received [74 bytes]
> Server's version: 3.1
> SessionID length: 32
> SessionID: 2dae0afeb07d804384d399b639836265328d8e962e805075580843e9bc9b8685
> Selected cipher suite: RSA_3DES_EDE_CBC_SHA
> Handshake: CERTIFICATE was received [791 bytes]
> GNUTLS_ASSERT: x509_extensions.c:266
> asn1_read_value parsing certificate2.tbsCertificate.extensions.?2.extnValue returned 12
> GNUTLS_ASSERT: gnutls_cert.c:865
> GNUTLS_ASSERT: auth_rsa.c:511
> GNUTLS_ASSERT: gnutls_kx.c:558
> GNUTLS_ASSERT: gnutls_handshake.c:1311
> GNUTLS Error: recv server certificate (-42)
> zarathustra.saavie.org:143: Handshake failed
> GNUTLS ERROR: ASN1_PARSING_ERROR
> Failed to initialize TLS
>
> The ASN1 parsing error #12 is apparently ASN_MEM_ERROR.
>
> I assume, without much basis, that this is either an
> interoperability problem with openssl or a dislike of
> openssl generated certificates. If you need any details
> or have suggestions, please let me know. It would be
> great to know I'm invoking the gnutls library correctly.
>
> I don't know if it's possible to gracefully recover from
> failure to parse the certificate and keep the encrypted
> association, but that might be handy.
>
> If this belongs instead on gnutls-dev or -help, feel free
> to forward.
>
> -neil
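The failure reported above is a fixed 128-byte extnValue buffer meeting an extension whose DER value is longer than that (the Authority Key Identifier with its keyid, DirName and serial). The following C example, added here and not code from gnutls or from this thread, decodes a DER tag/length header, reproduces the ASN_MEM_ERROR (code 12) on a too-small buffer, and reports the size actually needed so a caller can size the buffer from the encoding instead of picking 128 or 512. The sample extnValue, the ASN_DER_ERROR code and the function names are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define ASN_MEM_ERROR 12  /* code 12 from the report: caller's buffer too small */
#define ASN_DER_ERROR 13  /* constructed here: malformed DER length (assumption) */

/* Decode one DER tag/length header into header length and value length. */
static int der_header(const uint8_t *der, size_t der_len, size_t *hdr, size_t *val)
{
    if (der_len < 2) return ASN_DER_ERROR;
    size_t i = 1, len = 0, n = 0;
    uint8_t b = der[i++];
    if (b < 0x80) {                      /* short form: 0..127 bytes */
        len = b;
    } else {                             /* long form: next (b & 0x7f) bytes hold the length */
        n = b & 0x7f;
        if (n == 0 || n > sizeof(size_t) || der_len < i + n) return ASN_DER_ERROR;
        while (n--) len = (len << 8) | der[i++];
        if (len < 0x80) return ASN_DER_ERROR;  /* DER requires the minimal encoding */
    }
    if (len > der_len - i) return ASN_DER_ERROR; /* value runs past the input */
    *hdr = i; *val = len;
    return 0;
}

/* Copy the value into a caller buffer of out_cap bytes, the way the reported code
   fills its fixed extnValue array. A longer value fails with ASN_MEM_ERROR, but
   *out_len is set to the size needed so the caller can allocate that and retry. */
int read_value(const uint8_t *der, size_t der_len,
               uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t h, v;
    int rc = der_header(der, der_len, &h, &v);
    if (rc) return rc;
    *out_len = v;
    if (v > out_cap) return ASN_MEM_ERROR;
    memcpy(out, der + h, v);
    return 0;
}

/* Constructed sample: a 160-byte OCTET STRING extnValue (long-form length 81 A0),
   standing in for the Authority Key Identifier that overflowed the 128-byte buffer. */
size_t sample_extn_value(uint8_t *buf, size_t cap)
{
    if (cap < 163) return 0;
    buf[0] = 0x04; buf[1] = 0x81; buf[2] = 0xA0;      /* tag, long-form length = 160 */
    for (size_t i = 0; i < 160; i++) buf[3 + i] = (uint8_t)i;
    return 163;
}
```

With a 128-byte buffer the sample fails exactly as in the log, with a 512-byte one it succeeds, and in both cases the needed length is available to the caller.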