[Help-gnutls] Windows GnuTLS problem in handshaking.

Rajeev Saini rajeev.saini at tcs.com
Tue Oct 9 10:05:29 CEST 2007


Hi Nikos,
Thanks for your response.
My client is a Qualcomm 6280 UMTS mobile and I am provisioning the 
certificate into it using the attached document.

Now if we see the command to provision the certificate on the mobile
Command used:-
Step6: openssl x509 -in cacert.pem -out SuplRootCert -inform PEM -outform DER

It seems that we are converting the CA certificate to DER format, 
naming it SuplRootCert and loading it into the mobile. This is somewhat 
saying that we are putting CA public key into the mobile.
Therefore it seems when the step comes such that mobile has to send its 
certificate, it will send an empty certificate, since it does not have a 
client certificate.
We are only told that the certificate should be of the name SuplRootCert 
and should be in a particular folder of a mobile.
My understanding so far is that mobile should have both the CA public key 
and client Certificate onto it to run properly.

Regards,
Rajeev Saini




Nikos Mavrogiannopoulos <nmav at gnutls.org> 
Sent by: Nikos Mavrogiannopoulos <n.mavrogiannopoulos at gmail.com>
10/09/2007 04:23 AM

To
help-gnutls at gnu.org
cc
Rajeev Saini <rajeev.saini at tcs.com>
Subject
Re: [Help-gnutls] Windows GnuTLS problem in handshaking.






On Monday 08 October 2007, Rajeev Saini wrote:

Are you sure the client sends the certificate correctly? As far as I can see 
from the dump (below) the certificate packet sent by the client contains 10 
bytes only (not really a certificate). What is the client program you are 
using?

Ok... I've translated those bytes to TLS protocol and it seems that this 
client is sending "00 00 03 00 00 00" as the certificate (he means empty 
certificate).

The normal way to send it is to send "00 00 00". The one above confuses as it 
seems gnutls. Does the attached patch solve this problem for you?

> |<3>| HSK[ac08a8]: CERTIFICATE was received [10 bytes]
> |<6>| BUF[REC][HD]: Read 6 bytes of Data(22)
> |<6>| BUF[HSK]: Peeked 0 bytes of Data
> |<6>| BUF[HSK]: Emptied buffer
> |<6>| BUF[HSK]: Inserted 4 bytes of Data
> |<6>| BUF[HSK]: Inserted 6 bytes of Data
> |<2>| ASSERT: ../../../../src/gnutls-2.0.0/lib/x509/x509.c:219
> |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_cert.c:758
> |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/auth_cert.c:932
> |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_kx.c:612
> |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_handshake.c:2568
> |<6>| BUF[HSK]: Cleared Data from buffer
>
> Error in handshake
> Error: ASN1 parser: Error in TAG.
>
> |<4>| REC: Sending Alert[2|42] - Certificate is bad




-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch.txt
URL: </pipermail/attachments/20071009/4d069f30/attachment.txt>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Generate SSL certs .doc
Type: application/octet-stream
Size: 29184 bytes
Desc: not available
URL: </pipermail/attachments/20071009/4d069f30/attachment.obj>
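
The two encodings discussed in the quoted reply, decoded as a TLS certificate_list (a 3-byte list length followed by entries that each carry their own 3-byte length). This is an added example, not code from the thread, from the scrubbed patch.txt or from GnuTLS; the function and status names are hypothetical, and the byte strings are the ones quoted in the message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical status names for this example; these are not GnuTLS error codes. */
enum cert_list_status {
    CL_EMPTY = 0,           /* well-formed empty list: the peer has no certificate */
    CL_HAS_CERTS = 1,       /* one or more non-empty entries */
    CL_MALFORMED = -1,      /* length fields disagree with the buffer */
    CL_ZERO_LEN_ENTRY = -2  /* an entry of length 0: nothing to hand to the DER parser */
};

static uint32_t read_u24(const uint8_t *p)
{
    return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* Classify the body of a Certificate handshake message, i.e. the bytes that
 * follow the 4-byte handshake header. *count is set only on CL_EMPTY/CL_HAS_CERTS. */
int classify_cert_list(const uint8_t *body, size_t len, size_t *count)
{
    size_t off = 3, n = 0;
    if (len < 3 || (size_t)read_u24(body) != len - 3)
        return CL_MALFORMED;
    while (off < len) {
        if (len - off < 3)
            return CL_MALFORMED;
        uint32_t cert_len = read_u24(body + off);
        off += 3;
        if (cert_len == 0)
            return CL_ZERO_LEN_ENTRY;   /* list claims a certificate, but it has no bytes */
        if (cert_len > len - off)
            return CL_MALFORMED;
        off += cert_len;
        n++;
    }
    if (count)
        *count = n;
    return n ? CL_HAS_CERTS : CL_EMPTY;
}

int main(void)
{
    const uint8_t normal[] = {0x00, 0x00, 0x00};                    /* "00 00 00" */
    const uint8_t from_dump[] = {0x00, 0x00, 0x03, 0x00, 0x00, 0x00}; /* "00 00 03 00 00 00" */
    size_t n = 0;
    printf("00 00 00          -> %d\n", classify_cert_list(normal, sizeof normal, &n));
    printf("00 00 03 00 00 00 -> %d\n", classify_cert_list(from_dump, sizeof from_dump, &n));
    return 0;
}
```

The 6-byte form is a list with one entry whose length is zero, which matches the log: a 4-byte handshake header plus a 6-byte body gives the 10 bytes reported, and the ASN.1 "Error in TAG" is consistent with a parser being handed an empty certificate.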
