GnuTLS error -73: ASN1 parser: Error in TAG.

Nikos Mavrogiannopoulos nmav at
Fri Dec 18 11:10:17 CET 2009

Ray Van Dolson wrote:
> I'm getting this from multiple FTP clients that rely on GnuTLS when
> connecting to an FTP site using explicit TLS (STARTTLS / AUTH TLS).
> I suspect this is an issue with the certificate the site uses, but
> would like to confirm and also learn a bit about how to troubleshoot
> this sort of thing.

It seems to be an encoding error in the certificate.

> I tried to use gnutls-cli:
>   $ gnutls-cli -V --insecure --print-cert -s -p 21
>   Resolving ''...
>   Connecting to ''...
>   - Simple Client Mode:
>   - Received[51]: 220 usplgmxfs001 FTP server (TLSFTP 1.4.2) ready.
>   - Sent: 9 bytes
>   - Received[18]: 234 AUTH TLS OK.
>   *** Starting TLS handshake
>   *** Fatal error: ASN1 parser: Error in TAG.
>   *** Handshake has failed
> However it doesn't really give me any specific errors here and I'm not
> sure how to force it to dump the certificate in this scenario.  tcpdump
> shows me that the cert _is_ being transferred, but, I guess since it's
> invalid, gnutls-cli doesn't proceed any further with output.

Indeed. The handshake procedure tries to parse the certificate to
retrieve parameters and fails thus handshake is not completed in order
to return the certificate.

> So it looks like a few of the listed fields are invalid.. but, again, I
> don't know how to actually dump a copy of the cert so I can look at it
> more closely.

Maybe you could extract the certificate with wireshark.


More information about the Gnutls-help mailing list