Hi Nikos,

Thanks for your response. My client is a Qualcomm 6280 UMTS mobile and I am provisioning the certificate into it using the attached document.

Now if we see the command to provision the certificate on the mobile:

Command used:
Step6: openssl x509 -in cacert.pem -out SuplRootCert -inform PEM -outform DER

It seems that we are converting the CA certificate to DER format, naming it SuplRootCert and loading it into the mobile. This is somewhat saying that we are putting CA public key into the mobile. Therefore it seems when the step comes such that mobile has to send its certificate, it will send an empty certificate, since it does not have a client certificate. We are only told that the certificate should be of the name SuplRootCert and should be in a particular folder of a mobile.

My understanding so far is that mobile should have both the CA public key and client Certificate onto it to run properly.

Regards,
Rajeev Saini

Nikos Mavrogiannopoulos <[EMAIL PROTECTED]>
Sent by: Nikos Mavrogiannopoulos <[EMAIL PROTECTED]>
10/09/2007 04:23 AM
To: [email protected]
cc: Rajeev Saini <[EMAIL PROTECTED]>
Subject: Re: [Help-gnutls] Windows GnuTLS problem in handshaking.

On Monday 08 October 2007, Rajeev Saini wrote:

Are you sure the client sends the certificate correctly? As far as I can see from the dump (below) the certificate packet sent by the client contains 10 bytes only (not really a certificate). What is the client program you are using?

Ok... I've translated those bytes to TLS protocol and it seems that this client is sending "00 00 03 00 00 00" as the certificate (he means empty certificate). The normal way to send it is to send "00 00 00". The one above confuses as it seems gnutls. Does the attached patch solve this problem for you?

> |<3>| HSK[ac08a8]: CERTIFICATE was received [10 bytes]
> |<6>| BUF[REC][HD]: Read 6 bytes of Data(22)
> |<6>| BUF[HSK]: Peeked 0 bytes of Data
> |<6>| BUF[HSK]: Emptied buffer
> |<6>| BUF[HSK]: Inserted 4 bytes of Data
> |<6>| BUF[HSK]: Inserted 6 bytes of Data
> |<2>| ASSERT: ../../../../src/gnutls-2.0.0/lib/x509/x509.c:219
> |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_cert.c:758
> |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/auth_cert.c:932
> |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_kx.c:612
> |<2>| ASSERT: ../../../src/gnutls-2.0.0/lib/gnutls_handshake.c:2568
> |<6>| BUF[HSK]: Cleared Data from buffer
>
> Error in handshake
> Error: ASN1 parser: Error in TAG.
>
> |<4>| REC: Sending Alert[2|42] - Certificate is bad

diff --git a/lib/auth_cert.c b/lib/auth_cert.c
index 54b4a50..a25b753 100644
--- a/lib/auth_cert.c
+++ b/lib/auth_cert.c
@@ -869,7 +869,10 @@ _gnutls_proc_x509_server_certificate (gnutls_session_t
session,
size = _gnutls_read_uint24 (p);
p += 3;
- if (size == 0)
+ /* some implementations send 00 00 03 00 00 00
+ * instead of just 00 00 00.
+ */
+ if (size == 0 || size == 3)
{
gnutls_assert ();
/* no certificate was sent */
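
Review bot: In the condition "if (size == 0 || size == 3)", every certificate list with a declared length of 3 takes the "no certificate was sent" branch, while the comment only justifies the exact bytes 00 00 03 00 00 00. The three bytes that follow "p += 3" are never inspected, so a list such as 00 00 03 00 00 01 (a truncated entry) is handled the same way instead of being rejected as malformed. Consider requiring that the next uint24 also reads as zero, for example "size == 3 && _gnutls_read_uint24 (p) == 0", after confirming that at least three more bytes remain in the buffer.
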
Generate SSL certs .doc
Description: Binary data
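
The two encodings discussed in the thread ("00 00 00" and "00 00 03 00 00 00") can be told apart from malformed input by walking the length fields of the Certificate message body. The following is an added example, not part of the original messages and not GnuTLS code; the names classify_cert_list, read_uint24 and the CL_* codes are hypothetical, and it assumes the caller has already stripped the 4-byte handshake header.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes are names made up for this example, not GnuTLS identifiers. */
enum cert_list_kind {
  CL_MALFORMED = -1,   /* lengths disagree with the bytes actually present */
  CL_EMPTY = 0,        /* 00 00 00: empty list, the usual "no certificate" */
  CL_EMPTY_ENTRY = 1,  /* 00 00 03 00 00 00: one zero-length entry */
  CL_HAS_CERTS = 2     /* one or more non-empty entries */
};

static uint32_t read_uint24(const uint8_t *p)
{
  return ((uint32_t)p[0] << 16) | ((uint32_t)p[1] << 8) | p[2];
}

/* body: uint24 list_len, then list_len bytes of (uint24 cert_len, cert) entries.
 * Every length is checked against the remaining buffer before it is used. */
enum cert_list_kind classify_cert_list(const uint8_t *body, size_t len,
                                       size_t *count)
{
  size_t off = 3, entries = 0, empty = 0;

  *count = 0;
  if (len < 3 || read_uint24(body) != len - 3)
    return CL_MALFORMED;              /* list length must cover the whole body */
  while (off < len) {
    uint32_t clen;
    if (len - off < 3)
      return CL_MALFORMED;            /* truncated entry length field */
    clen = read_uint24(body + off);
    off += 3;
    if (clen > len - off)
      return CL_MALFORMED;            /* entry claims more bytes than remain */
    if (clen == 0)
      empty++;
    off += clen;
    entries++;
  }
  *count = entries;
  if (entries == 0)
    return CL_EMPTY;
  if (empty > 0)                      /* a zero-length entry carries no certificate */
    return (entries == 1) ? CL_EMPTY_ENTRY : CL_MALFORMED;
  return CL_HAS_CERTS;
}
```

A caller can map both CL_EMPTY and CL_EMPTY_ENTRY to "no client certificate" and fail the handshake on CL_MALFORMED.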
