Re: [sr #107540] iPhone/iPad TLS negotiation to postfix fails with certt
From: Nikos Mavrogiannopoulos
Subject: Re: [sr #107540] iPhone/iPad TLS negotiation to postfix fails with certtool certs, works with openssl certs
Date: Sun, 05 Dec 2010 16:33:12 +0100
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.15) Gecko/20101027 Thunderbird/3.0.10

It might be that Apple is correct here, and gnutls doesn't encode
properly. I see that only on ECDSA the parameters field must be omitted
while on RSA the parameters shall be of NULL type. Thus I'd handle this
as a bug on gnutls' side and commit a fix. Thank you for bringing that
to our attention!
regards,
Nikos
On 12/05/2010 03:29 PM, Michael Rommel wrote:
> Hi Nikos,
>
> doing the same patch you suggested in a second location:
>
> Line 1181 in lib/x509/common.c
>
> /* result = asn1_write_value (dst, name, NULL, 0); */
> result = asn1_write_value (dst, name, "\x05\x00", 2);
>
> did do the trick. Now the certificate is accepted and displayed for
> acceptance. I'll update the info as soon as savannah is reachable again, the
> last hour or so, no connection was possible.
>
> Can you please give me a little bit more information, where I can find out
> more about the correct parameters?
>
> RFC3279 states:
> The ASN.1 object identifier used to identify this signature algorithm
> is:
>
> sha-1WithRSAEncryption OBJECT IDENTIFIER ::= {
> iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
> pkcs-1(1) 5 }
>
> When any of these three OIDs appears within the ASN.1 type
> AlgorithmIdentifier, the parameters component of that type SHALL be
> the ASN.1 type NULL.
>
> The RSA signature generation process and the encoding of the result
> is described in detail in PKCS #1 [RFC 2313].
> So it is a SHOULD. But can you leave it out or what can you do, when you
> don't want to follow the SHOULD route?
>
> I'd try to take the info to the openssl team and Apple because it would be
> their part now... But if the behaviour is not defined how to handle the
> non-SHOULD way it would make it difficult.
>
> What's your opinion on that?
>
> Thanks a lot!
>
> Michael.
>
>
> On 5. Dec 2010, at 11:20 , Nikos Mavrogiannopoulos wrote:
>
>>
>> Follow-up Comment #7, sr #107540 (project gnutls):
>>
>> Could you try the attached patch, on whether it generates certificates that are
>> accepted by the devices?
>>
>> (file #22126)
>> _______________________________________________________
>>
>> Additional Item Attachment:
>>
>> File name: patch.txt Size:0 KB
>>
>>
>> _______________________________________________________
>>
>> Reply to this item at:
>>
>> <http://savannah.gnu.org/support/?107540>
>>
>
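
The encoding rule discussed in this thread (RSA algorithm OIDs carry an explicit ASN.1 NULL, `05 00`, as parameters; ECDSA signature OIDs omit the field), as an added example that is not part of the original messages or of GnuTLS. The function names, the verdict enum and the byte arrays are constructed for illustration; the RSA OID list goes beyond the one OID quoted above (rsaEncryption plus the MD2, MD5, SHA-1 and SHA-2 PKCS #1 v1.5 signature OIDs), and only short-form DER lengths are handled.

```c
#include <stdio.h>
#include <string.h>

enum verdict { ALG_OK, ALG_NULL_MISSING, ALG_PARAMS_NOT_ALLOWED, ALG_MALFORMED, ALG_NOT_COVERED };

static const unsigned char PKCS1[] = {0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01}; /* 1.2.840.113549.1.1 */
static const unsigned char ECDSA[] = {0x2A,0x86,0x48,0xCE,0x3D,0x04};           /* 1.2.840.10045.4 */
/* Constructed samples: sha-1WithRSAEncryption with NULL, without it, and ecdsa-with-SHA1. */
static const unsigned char RSA_WITH_NULL[] = {0x30,0x0D,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05,0x05,0x00};
static const unsigned char RSA_NO_PARAMS[] = {0x30,0x0B,0x06,0x09,0x2A,0x86,0x48,0x86,0xF7,0x0D,0x01,0x01,0x05};
static const unsigned char ECDSA_SHA1[]    = {0x30,0x09,0x06,0x07,0x2A,0x86,0x48,0xCE,0x3D,0x04,0x01};

/* Content length of a short-form DER TLV with the expected tag, or -1. */
static int tlv_len(const unsigned char *p, size_t left, unsigned char tag)
{
    if (left < 2 || p[0] != tag || p[1] >= 0x80 || (size_t)p[1] > left - 2)
        return -1;
    return p[1];
}

/* Classify the parameters field of one DER-encoded AlgorithmIdentifier. */
enum verdict check_algorithm_identifier(const unsigned char *der, size_t len)
{
    int seq = tlv_len(der, len, 0x30);                 /* SEQUENCE */
    if (seq < 0 || (size_t)seq + 2 != len)
        return ALG_MALFORMED;
    int oid = tlv_len(der + 2, (size_t)seq, 0x06);     /* OBJECT IDENTIFIER */
    if (oid < 0)
        return ALG_MALFORMED;
    const unsigned char *oidv = der + 4;               /* OID content bytes */
    const unsigned char *params = oidv + oid;          /* whatever follows the OID */
    size_t plen = (size_t)seq - 2 - (size_t)oid;
    int is_null = plen == 2 && params[0] == 0x05 && params[1] == 0x00;

    /* RSA: last arc 1, 2, 4, 5, 11..14 requires parameters == NULL. */
    if (oid == 9 && memcmp(oidv, PKCS1, sizeof PKCS1) == 0 &&
        memchr("\x01\x02\x04\x05\x0b\x0c\x0d\x0e", oidv[8], 8) != NULL)
        return is_null ? ALG_OK : ALG_NULL_MISSING;
    /* ECDSA signature OIDs: parameters must be absent. */
    if (oid >= 7 && memcmp(oidv, ECDSA, sizeof ECDSA) == 0)
        return plen == 0 ? ALG_OK : ALG_PARAMS_NOT_ALLOWED;
    return ALG_NOT_COVERED;
}

int main(void)
{
    printf("%d %d %d\n", check_algorithm_identifier(RSA_WITH_NULL, sizeof RSA_WITH_NULL),
           check_algorithm_identifier(RSA_NO_PARAMS, sizeof RSA_NO_PARAMS),
           check_algorithm_identifier(ECDSA_SHA1, sizeof ECDSA_SHA1));
    return 0;
}
```

`RSA_NO_PARAMS` is the shape of encoding the thread attributes to the unpatched code path, and `RSA_WITH_NULL` is what the `"\x05\x00"` write produces.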