[sr #107540] iPhone/iPad TLS negotiation to postfix fails with certtool certs, works with openssl certs

Michael Rommel rommel at layer-7.net
Sun Dec 5 15:29:42 CET 2010


Hi Nikos,

doing the same patch you suggested in a second location:

Line 1181 in lib/x509/common.c

      /* result = asn1_write_value (dst, name, NULL, 0); */
      result = asn1_write_value (dst, name, "\x05\x00", 2);

did do the trick. Now the certificate is accepted and displayed for acceptance. I'll update the info as soon as savannah is reachable again; for the last hour or so, no connection was possible.

Can you please give me a little bit more information on where I can find out more about the correct parameters?

RFC 3279 states:

   The ASN.1 object identifier used to identify this signature algorithm
   is:

      sha-1WithRSAEncryption OBJECT IDENTIFIER  ::=  {
          iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
          pkcs-1(1) 5  }

   When any of these three OIDs appears within the ASN.1 type
   AlgorithmIdentifier, the parameters component of that type SHALL be
   the ASN.1 type NULL.

   The RSA signature generation process and the encoding of the result
   is described in detail in PKCS #1 [RFC 2313].

So it is a SHOULD. But can you leave it out, or what can you do when you don't want to follow the SHOULD route?

I'd try to take the info to the OpenSSL team and Apple because it would be their part now... But if the behaviour is not defined for how to handle the non-SHOULD way, it would make it difficult.

What's your opinion on that?

Thanks a lot!

  Michael.


On 5. Dec 2010, at 11:20 , Nikos Mavrogiannopoulos wrote:

> 
> Follow-up Comment #7, sr #107540 (project gnutls):
> 
> Could you try the attached patch, to see whether it generates certificates that are
> accepted by the devices?
> 
> (file #22126)
>    _______________________________________________________
> 
> Additional Item Attachment:
> 
> File name: patch.txt                      Size:0 KB
> 
> 
>    _______________________________________________________
> 
> Reply to this item at:
> 
>  <http://savannah.gnu.org/support/?107540>
> 
> _______________________________________________
>  Message sent via/by Savannah
>  http://savannah.gnu.org/
> 

-- 
Michael Rommel, Erlangen, Germany
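The thread above turns on one DER detail: whether the AlgorithmIdentifier for sha-1WithRSAEncryption carries an explicit ASN.1 NULL (the "\x05\x00" in the patched asn1_write_value call) or omits the parameters field. The following is an added example, not code from the thread or from GnuTLS: a small self-contained DER reader that decodes an AlgorithmIdentifier, reports which of the two encodings it has, and re-encodes an absent-parameters identifier with the explicit NULL that RFC 3279 requires. The two sample byte strings are constructed for the example; the function names are my own.

```python
"""Check and normalise the parameters field of a DER AlgorithmIdentifier.

Added example for the sha-1WithRSAEncryption discussion; not part of the
original thread or of GnuTLS. Pure standard-library Python, no dependencies.
"""

# OID 1.2.840.113549.1.1.5 = sha-1WithRSAEncryption (from RFC 3279, quoted above)
SHA1_WITH_RSA_OID = "1.2.840.113549.1.1.5"

# Constructed sample inputs (hex written out by hand for this example):
#   30 0b  SEQUENCE           30 0d  SEQUENCE
#   06 09  OID (9 bytes)      06 09  OID (9 bytes)
#   <no parameters>           05 00  NULL
ALG_ID_PARAMS_ABSENT = bytes.fromhex("300b06092a864886f70d010105")
ALG_ID_PARAMS_NULL = bytes.fromhex("300d06092a864886f70d0101050500")


def _read_tlv(data, offset):
    """Parse one DER tag-length-value at offset; return (tag, contents, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    contents = data[offset:offset + length]
    if len(contents) != length:
        raise ValueError("truncated DER element")
    return tag, contents, offset + length


def _decode_oid(contents):
    """Decode OBJECT IDENTIFIER contents octets into dotted-decimal form."""
    arcs = [contents[0] // 40, contents[0] % 40]
    cur = 0
    for b in contents[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends the base-128 arc
            arcs.append(cur)
            cur = 0
    return ".".join(str(a) for a in arcs)


def parse_algorithm_identifier(der):
    """Return (oid, params) where params is the raw parameters TLV, or None if absent."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_contents, off = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("first element must be an OBJECT IDENTIFIER")
    oid = _decode_oid(oid_contents)
    if off == len(seq):
        return oid, None
    _, _, end = _read_tlv(seq, off)
    return oid, seq[off:end]


def check_rsa_params(der):
    """Classify the parameters encoding of a sha-1WithRSAEncryption identifier."""
    oid, params = parse_algorithm_identifier(der)
    if oid != SHA1_WITH_RSA_OID:
        return "not sha-1WithRSAEncryption"
    if params is None:
        return "parameters absent"
    if params == b"\x05\x00":
        return "parameters NULL"
    return "parameters unexpected"


def ensure_null_params(der):
    """Re-encode an identifier whose parameters are absent with an explicit NULL."""
    _, params = parse_algorithm_identifier(der)
    if params is not None:
        return der
    _, seq, _ = _read_tlv(der, 0)
    body = seq + b"\x05\x00"
    # Short-form length is enough here: an AlgorithmIdentifier body is well under 128 bytes.
    return bytes([0x30, len(body)]) + body


if __name__ == "__main__":
    for label, sample in (("absent", ALG_ID_PARAMS_ABSENT), ("null", ALG_ID_PARAMS_NULL)):
        print(label, "->", check_rsa_params(sample))
    print("normalised:", ensure_null_params(ALG_ID_PARAMS_ABSENT).hex())
```

Run against the signatureAlgorithm SEQUENCE pulled out of a certificate, this tells you in a few lines which of the two encodings a given tool emitted, which is the difference the thread observed between certtool and OpenSSL output.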
