On Fri, Jul 27, 2012, Albers, Thorsten wrote: > Hi, > I have a problem with the openssl s_server (v1.0.1c) when requesting a client > certificate. I'm developing my own TLS 1.2 implementation (for embedded > platforms), and I'm stuck with a problem with using the client certificate. I > already implemented TLS 1.0 earlier, so it's not completely new for me, and > it worked fine even with client certificates. > My current implementation can handle TLS 1.2 handshakes without client > authentication, as well as TLS 1.0 with or without client authentication. > When I try to connect to the openssl server, the handshake goes as far as the > client having sent its messages up to (including) 'change cipher spec'. But > then the server sends an alarm (decrypt error). The openssl server console > tells me some strange error: > > ACCEPT > bad gethostbyaddr > depth=1 CN = TestAndDevRootAuthority > verify return:1 > depth=0 CN = MyClient > verify return:1 > 1696:error:0D07209B:asn1 encoding routines:ASN1_get_object:too > long:.\crypto\asn1\asn1_lib.c:142: > 1696:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object > header:.\crypto\asn1\tasn_dec.c:1306: > 1696:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 > error:.\crypto\asn1\tasn_dec.c:381:Type=X509_SIG > > 1696:error:1408807B:SSL routines:SSL3_GET_CERT_VERIFY:bad > signature:.\ssl\s3_srvr.c:3049: > 1696:error:140780E5:SSL routines:SSL23_READ:ssl handshake > failure:.\ssl\s23_lib.c:131: > ACCEPT >
For previous versions of TLS the signature for RSA is a raw MD5+SHA1 concatenation. For TLS 1.2 it is the DigestInfo structure instead using whatever digest is appropriate. That error looks like OpenSSL is trying to interpret an MD5+SHA1 signature as a DigestInfo and choking on it. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org