gnutls-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [sr #107540] iPhone/iPad TLS negotiation to postfix fails with certt

From: Nikos Mavrogiannopoulos
Subject: Re: [sr #107540] iPhone/iPad TLS negotiation to postfix fails with certtool certs, works with openssl certs
Date: Sun, 05 Dec 2010 16:33:12 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.15) Gecko/20101027 Thunderbird/3.0.10 
It might be that apple is correct here, and gnutls doesn't encode
properly. I see that only on ECDSA the parameters field must be ommited
while on RSA the parameters shall be of NULL type. Thus I'd handle this
as a bug on gnutls' side and commit a fix. Thank you for bringing that
to our attention!

regards,
Nikos


On 12/05/2010 03:29 PM, Michael Rommel wrote:
> Hi Nikos,
> 
> doing the same patch you suggested in a second location:
> 
> Line 1181 in lib/x509/common.c
> 
>       /* result = asn1_write_value (dst, name, NULL, 0); */
>       result = asn1_write_value (dst, name, "\x05\x00", 2);
> 
> did do the trick. Now the certificate is accepted and displayed for 
> acceptance. I'll update the info as soon as savannah is reachable again, the 
> last hour or so, no connection was possible.
> 
> Can you please give me a little bit more information, where I can find out 
> more about the correct parameters?
> 
> RFC3279 states:
> The ASN.1 object identifier used to identify this signature algorithm
>    is:
> 
>       sha-1WithRSAEncryption OBJECT IDENTIFIER  ::=  {
>           iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
>           pkcs-1(1) 5  }
> 
>    When any of these three OIDs appears within the ASN.1 type
>    AlgorithmIdentifier, the parameters component of that type SHALL be
>    the ASN.1 type NULL.
> 
>    The RSA signature generation process and the encoding of the result
>    is described in detail in PKCS #1 [RFC 2313].
> So it is a SHOULD. But can you leave it out or what can you do, when you 
> don't want to follow the SHOULD route?
> 
> I'd try to take the info to the openssl team and Apple because it would be 
> their part now... But if the behaviour is not defined how to handle the 
> non-SHOULD way it would make it difficult.
> 
> What's you opinion on that?
> 
> Thanks a lot!
> 
>   Michael.
> 
> 
> On 5. Dec 2010, at 11:20 , Nikos Mavrogiannopoulos wrote:
> 
>>
>> Follow-up Comment #7, sr #107540 (project gnutls):
>>
>> Could you try the attached patch, on whether generates certificates that are
>> accepted by the devices?
>>
>> (file #22126)
>>    _______________________________________________________
>>
>> Additional Item Attachment:
>>
>> File name: patch.txt                      Size:0 KB
>>
>>
>>    _______________________________________________________
>>
>> Reply to this item at:
>>
>>  <http://savannah.gnu.org/support/?107540>
>>
>> _______________________________________________
>>  Message sent via/by Savannah
>>  http://savannah.gnu.org/
>>
>
reply via email to
[Prev in Thread] Current Thread [Next in Thread]