GnuTLS error -73: ASN1 parser: Error in TAG.

From: Ray Van Dolson
Subject: GnuTLS error -73: ASN1 parser: Error in TAG.
Date: Wed, 16 Dec 2009 18:11:22 -0800
User-agent: Mutt/1.5.19 (2009-01-05)

I'm getting this from multiple FTP clients that rely on GnuTLS when
connecting to an FTP site using explicit TLS (STARTTLS / AUTH TLS).

I suspect this is an issue with the certificate the site uses, but
would like to confirm and also learn a bit about how to troubleshoot
this sort of thing.

I tried to use gnutls-cli:

  $ gnutls-cli -V --insecure --print-cert -s -p 21
  Resolving ''...
  Connecting to ''...

  - Simple Client Mode:

  - Received[51]: 220 usplgmxfs001 FTP server (TLSFTP 1.4.2) ready.
  - Sent: 9 bytes
  - Received[18]: 234 AUTH TLS OK.
  *** Starting TLS handshake
  *** Fatal error: ASN1 parser: Error in TAG.
  *** Handshake has failed

However it doesn't really give me any specific errors here and I'm not
sure how to force it to dump the certificate in this scenario.  tcpdump
shows me that the cert _is_ being transferred, but, I guess since it's
invalid, gnutls-cli doesn't proceed any further with output.

I got a bit more info out of openssl s_client:

  $ openssl s_client -connect -starttls ftp
  468:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong 
  468:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 
  468:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 
error:tasn_dec.c:748:Field=value, Type=X509_EXTENSION
  468:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 
  468:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 
error:tasn_dec.c:578:Field=extensions, Type=X509_CINF
  468:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 
error:tasn_dec.c:748:Field=cert_info, Type=X509
  468:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 

So it looks like a few of the listed fields are invalid... but, again, I
don't know how to actually dump a copy of the cert so I can look at it
more closely.

Anyone have any pointers?  Maybe someone wants to try to connect to the
site above and tell me exactly how this cert is invalid. :)
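
Added example, not part of the original post: one way to get at a certificate that the TLS library refuses to parse is to carve it out of the captured server-to-client bytes without decoding any ASN.1. `extract_certs` and `sample_stream` are hypothetical names, and the input is assumed to be the reassembled TCP payload from a capture such as the tcpdump one mentioned above.

```python
import struct

def extract_certs(stream: bytes) -> list:
    """Return raw DER certificates from server-to-client TCP payload bytes.

    Nothing is ASN.1-decoded, so a certificate that GnuTLS or OpenSSL
    rejects still comes out intact. Covers TLS 1.0-1.2 (cleartext Certificate).
    """
    # Heuristic: FTP replies are ASCII, so the first 0x16 0x03 is taken
    # to be the first TLS handshake record after "234 AUTH TLS OK.".
    pos = stream.find(b"\x16\x03")
    if pos < 0:
        raise ValueError("no TLS handshake record found")
    handshake = b""
    # Handshake messages may span records: concatenate record payloads first.
    while pos + 5 <= len(stream) and stream[pos] == 0x16:
        (rec_len,) = struct.unpack(">H", stream[pos + 3:pos + 5])
        handshake += stream[pos + 5:pos + 5 + rec_len]
        pos += 5 + rec_len
    off = 0
    while off + 4 <= len(handshake):
        msg_type = handshake[off]
        msg_len = int.from_bytes(handshake[off + 1:off + 4], "big")
        body = handshake[off + 4:off + 4 + msg_len]
        off += 4 + msg_len
        if msg_type == 11:                      # 11 = Certificate
            if len(body) < msg_len:
                raise ValueError("Certificate message truncated in capture")
            certs, p = [], 3                    # skip certificate_list length
            while p + 3 <= len(body):
                n = int.from_bytes(body[p:p + 3], "big")
                certs.append(body[p + 3:p + 3 + n])
                p += 3 + n
            return certs
    return []

def sample_stream(certs: list) -> bytes:
    """Constructed test input: FTP replies, then ServerHello + Certificate."""
    u24 = lambda n: n.to_bytes(3, "big")
    entries = b"".join(u24(len(c)) + c for c in certs)
    cert_msg = b"\x0b" + u24(len(entries) + 3) + u24(len(entries)) + entries
    hello = b"\x02" + u24(4) + b"\x03\x01\x00\x00"   # dummy body
    hs = hello + cert_msg
    cut = len(hello) + 9                         # split mid-message across records
    rec = lambda d: b"\x16\x03\x01" + struct.pack(">H", len(d)) + d
    return b"220 ready\r\n234 AUTH TLS OK.\r\n" + rec(hs[:cut]) + rec(hs[cut:])
```

Each returned blob can be written to a file (say `cert.der`, a placeholder name) and inspected with `openssl asn1parse -inform DER -in cert.der -i`, which prints the raw tag/length structure without applying the X.509 template.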
