It is certainly *invalid* data received by the client. *corrupt* normally
means that correct data was sent, or at least created, and something changed
it on the way to the receiver, either accidentally (such as line noise or
gamma rays) or deliberately (by an attacker). Nowadays uncorrected accidental
errors in Internet systems nearly never occur, so we concern ourselves mostly
with attacks.

The other possibility is that the data was invalid to start with (but
transmitted correctly). Can you look at or have someone give you the cert
file on the server? (Don't ask for the private key, just the cert; some places
put them together.)

'openssl asn1parse' (commandline) will dump ASN.1 data if you have it in a
file, either DER or PEM format. But here you are receiving the (purported)
cert during a failed handshake, so you don't have it in a file.

'openssl s_client' with -msg or -debug will display the exact data received,
before parsing, in hex. (Also data sent, which you can ignore.) It's possible
but tedious to parse ASN.1 manually, but if you capture (tee or cut&paste)
the hex and convert back to binary (DER) you may be able to use 'asn1parse',
depending on how wrong the data is.

A network capture with tcpdump or wireshark or similar can get the data;
wireshark can also decode and display it in a nice GUI, again depending on
how badly it's wrong, and is my first choice for easy to use.

If you can capture the (Server)Cert message, or the cert in it, or get the
cert file from the server, but have trouble parsing it and figuring out
what's wrong, post it in a safe form, preferably PEM (not an attachment).

Nitpick: officially it's ASN.1 (Abstract Syntax Notation 1) or just ASN1,
although there isn't and probably won't ever be any other ASN. (With that
meaning; there are Autonomous System Numbers.) Kind of like PL/1 but no PL/2.

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Mithun Kumar
Sent: Wednesday, January 22, 2014 04:08
To: openssl-users@openssl.org
Subject: *** Spam *** Re: Reason for ASN error

I am looking for a tool which can dump out ASN.1 data. I think this will
throw some light. Any inputs?

On Wed, Jan 22, 2014 at 2:27 PM, Mithun Kumar <mithunsi...@gmail.com> wrote:

I think the error below is caused by corrupt data received by the client. Is
my observation correct? Any idea how to figure out where things are going
wrong?

 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
 error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
 error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib

-mithun
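The reply above suggests capturing the hex that 'openssl s_client -msg' prints, turning it back into DER and then trying to parse it. The Python walker below is an added example written for this thread; it is not code from the list, from the posters, or from OpenSSL. It collects pasted hex rows into bytes, optionally strips the TLS 1.2 Certificate handshake header (type 0x0b plus the 3-byte length fields, as laid out in RFC 5246) to get at the first DER certificate, and then walks the tag-length-value structure, stopping at the first defect and reporting the byte offset where it was found, which is the one thing the quoted "wrong tag" error does not tell you. The sample inputs (GOOD_HEX, BAD_TAG_HEX, BAD_LEN_HEX, CERT_MSG_HEX) are constructed for the example and are not real certificates; all function names are the example's own.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input (not a real certificate): a DER SEQUENCE holding an
# INTEGER 5 and a PrintableString "openssl1", written as the space-separated
# hex rows that 'openssl s_client -msg' prints.
GOOD_HEX = "30 0d 02 01 05 13 08 6f 70 65 6e 73 73 6c 31"
# Same bytes with the PrintableString tag (0x13) overwritten by 0x00, which is
# never a valid DER tag: the kind of defect behind a d2i "wrong tag" error.
BAD_TAG_HEX = "30 0d 02 01 05 00 08 6f 70 65 6e 73 73 6c 31"
# Same bytes with the PrintableString length inflated to 0x20, past the data.
BAD_LEN_HEX = "30 0d 02 01 05 13 20 6f 70 65 6e 73 73 6c 31"
# Constructed TLS 1.2 Certificate handshake message (RFC 5246 layout: type
# 0x0b, 3-byte message length, 3-byte list length, 3-byte cert length, DER).
CERT_MSG_HEX = "0b 00 00 15 00 00 12 00 00 0f " + GOOD_HEX


class DerError(Exception):
    """A structural defect in DER, with the byte offset where it was found."""
    def __init__(self, offset: int, msg: str) -> None:
        super().__init__(f"offset {offset}: {msg}")
        self.offset, self.msg = offset, msg


def hex_to_der(text: str) -> bytes:
    """Collect two-digit hex tokens (the '-msg' row format) into bytes. For
    '-debug' rows, remove the leading offset and trailing ASCII column first,
    since a two-letter word in that column would also match."""
    return bytes.fromhex("".join(re.findall(r"\b[0-9a-fA-F]{2}\b", text)))


def first_cert_from_handshake(msg: bytes) -> bytes:
    """Return the first DER certificate in a TLS 1.2 Certificate message."""
    if len(msg) < 10 or msg[0] != 0x0B:
        raise ValueError("not a Certificate handshake message")
    cert_len = int.from_bytes(msg[7:10], "big")
    cert = msg[10:10 + cert_len]
    if len(cert) != cert_len:
        raise ValueError("certificate length runs past end of message")
    return cert


def read_header(data: bytes, off: int) -> Tuple[int, bool, int, int, int]:
    """Decode one tag/length header at 'off'.
    Returns (tag, constructed, length, value_start, value_end)."""
    start = off
    if off >= len(data):
        raise DerError(off, "data ended where a tag was expected")
    tag = data[off]
    if tag in (0x00, 0xFF):
        raise DerError(off, f"wrong tag 0x{tag:02x}")
    if tag & 0x1F == 0x1F:
        raise DerError(off, "high-tag-number form not handled by this walker")
    off += 1
    if off >= len(data):
        raise DerError(off, "data ended where a length was expected")
    first = data[off]
    off += 1
    if first < 0x80:                       # short form: one length octet
        length = first
    else:                                  # long form: N more length octets
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(data):
            raise DerError(off - 1, f"bad length octet 0x{first:02x}")
        length = int.from_bytes(data[off:off + n], "big")
        off += n
    if off + length > len(data):
        raise DerError(start, f"length {length} runs past end of data ({len(data)} bytes)")
    return tag, bool(tag & 0x20), length, off, off + length


def walk(data: bytes, start: int = 0, end: Optional[int] = None, depth: int = 0,
         out: Optional[List[Tuple[int, int, int, int]]] = None) -> List[Tuple[int, int, int, int]]:
    """List every element as (depth, offset, tag, length), recursing into
    constructed ones. Raises DerError at the first defect; 'out' keeps what was
    decoded before it, so the caller can see how far parsing got."""
    end = len(data) if end is None else end
    out = [] if out is None else out
    off = start
    while off < end:
        tag, constructed, length, vstart, vend = read_header(data, off)
        if vend > end:
            raise DerError(off, f"element of length {length} overruns its parent (ends at {end})")
        out.append((depth, off, tag, length))
        if constructed:
            walk(data, vstart, vend, depth + 1, out)
        off = vend
    return out


def diagnose(hex_text: str) -> Tuple[List[Tuple[int, int, int, int]], Optional[str]]:
    """Walk pasted hex; return the elements decoded and the first defect (None if clean)."""
    elems: List[Tuple[int, int, int, int]] = []
    try:
        walk(hex_to_der(hex_text), out=elems)
        return elems, None
    except DerError as e:
        return elems, str(e)


if __name__ == "__main__":
    for name, hx in (("good", GOOD_HEX), ("bad tag", BAD_TAG_HEX), ("bad length", BAD_LEN_HEX)):
        elems, err = diagnose(hx)
        print(f"{name}:")
        for depth, off, tag, length in elems:
            print(f"  {'  ' * depth}@{off}: tag 0x{tag:02x} len {length}")
        print("  ok" if err is None else f"  DEFECT at {err}")
```

Paste the hex rows of the Certificate message from 's_client -msg' into hex_to_der, pass the result through first_cert_from_handshake, and hand the bytes to walk; the offset in the DerError is where to look in the capture, and the partial element list shows which enclosing SEQUENCE the bad byte sits in. The walker deliberately stops at the first defect rather than guessing, because once a length or tag is wrong every later offset is suspect.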
