GnuTLS error -73: ASN1 parser: Error in TAG.

Ray Van Dolson rvandolson at
Thu Dec 17 03:11:22 CET 2009

I'm getting this from multiple FTP clients that rely on GnuTLS when
connecting to an FTP site using explicit TLS (STARTTLS / AUTH TLS).

I suspect this is an issue with the certificate the site uses, but
would like to confirm and also learn a bit about how to troubleshoot
this sort of thing.

I tried to use gnutls-cli:

  $ gnutls-cli -V --insecure --print-cert -s -p 21
  Resolving ''...
  Connecting to ''...

  - Simple Client Mode:

  - Received[51]: 220 usplgmxfs001 FTP server (TLSFTP 1.4.2) ready.
  - Sent: 9 bytes
  - Received[18]: 234 AUTH TLS OK.
  *** Starting TLS handshake
  *** Fatal error: ASN1 parser: Error in TAG.
  *** Handshake has failed

However it doesn't really give me any specific errors here and I'm not
sure how to force it to dump the certificate in this scenario.  tcpdump
shows me that the cert _is_ being transferred, but, I guess since it's
invalid, gnutls-cli doesn't proceed any further with output.

I got a bit more info out of openssl s_client:

  $ openssl s_client -connect -starttls ftp
  468:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1316:
  468:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:828:
  468:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:748:Field=value, Type=X509_EXTENSION
  468:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:709:
  468:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error:tasn_dec.c:578:Field=extensions, Type=X509_CINF
  468:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:748:Field=cert_info, Type=X509
  468:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:s3_clnt.c:972:

So it looks like a few of the listed fields are invalid.. but, again, I
don't know how to actually dump a copy of the cert so I can look at it
more closely.

Anyone have any pointers?  Maybe someone wants to try to connect to the
site above and tell me exactly how this cert is invalid. :)
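
An added example, not part of the original post: when the TLS library aborts before printing the certificate, the raw DER can be cut out of the captured server-to-client stream without decoding any ASN.1. It assumes TLS 1.2 or earlier, a reassembled byte stream that begins at the first TLS record after the `234 AUTH TLS OK.` reply, and constructed sample bytes; all function and variable names are illustrative.

```python
import struct

HANDSHAKE, CERTIFICATE = 22, 11  # TLS record content type / handshake message type

def handshake_stream(tls_bytes):
    """Concatenate handshake record payloads (a message may span several records)."""
    out, pos = bytearray(), 0
    while pos + 5 <= len(tls_bytes):
        rtype, _version, rlen = struct.unpack_from(">BHH", tls_bytes, pos)
        if rtype == HANDSHAKE:
            out += tls_bytes[pos + 5:pos + 5 + rlen]
        pos += 5 + rlen
    return bytes(out)

def u24(buf, off):
    return int.from_bytes(buf[off:off + 3], "big")

def extract_certificates(tls_bytes):
    """Return the DER blobs of the first Certificate message, without parsing them."""
    hs, pos = handshake_stream(tls_bytes), 0
    while pos + 4 <= len(hs):
        mtype, mlen = hs[pos], u24(hs, pos + 1)
        body = hs[pos + 4:pos + 4 + mlen]
        if mtype == CERTIFICATE:
            if len(body) < mlen:
                raise ValueError("capture ends inside the Certificate message")
            certs, off, end = [], 3, 3 + u24(body, 0)  # skip 3-byte list length
            while off + 3 <= end:
                clen = u24(body, off)
                certs.append(body[off + 3:off + 3 + clen])
                off += 3 + clen
            return certs
        pos += 4 + mlen
    return []

# Constructed sample: placeholder ServerHello, then a Certificate message split
# across two records, then ServerHelloDone. The "certificates" are dummy DER.
def record(payload, rtype=HANDSHAKE):
    return struct.pack(">BHH", rtype, 0x0301, len(payload)) + payload
def msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body
FAKE_CERTS = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
cert_list = b"".join(len(c).to_bytes(3, "big") + c for c in FAKE_CERTS)
cert_msg = msg(CERTIFICATE, len(cert_list).to_bytes(3, "big") + cert_list)
SAMPLE = (record(msg(2, bytes(38))) + record(cert_msg[:7])
          + record(cert_msg[7:]) + record(msg(14, b"")))

if __name__ == "__main__":
    for i, der in enumerate(extract_certificates(SAMPLE)):
        with open(f"cert{i}.der", "wb") as fh:
            fh.write(der)
```

Each written file can then be walked element by element with `openssl asn1parse -inform DER -in cert0.der`, which dumps the TLV structure instead of decoding it as an X.509 certificate.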

