asn 1 parse error

Neil Spring nspring at
Sat Oct 6 23:49:02 CEST 2001

This icky parse error can be fixed by increasing the size
of the extnValue buffer to 512. I didn't really play around
with other values between 128 and 512, and it might be
the case that an even larger buffer is necessary.

line 210 of x509_extensions.c.   If you can make this
change before 0.2.4, I'd appreciate it.

I believe the extension that causes this overflow is the
following (from 'openssl x509 -in server.pem -text') :

     X509v3 Authority Key Identifier: 
       DirName:/C=US/ST=Washington/L=Seattle/O=Univ Washington/ at


On Sun, Sep 30, 2001 at 11:55:12PM -0700, Neil Spring wrote:
> Hi.
> I'm working on adding TLS support to wmbiff's IMAP client.
> I've got a successful client talking to my school's IMAP
> server, but it fails when handshaking with my home IMAP
> server.  My imap server is either uw-imapd-ssl using the
> STARTTLS command or the same server behind sslwrap (both
> from Debian, both of which use openssl).
> I uncommented HANDSHAKE_DEBUG and DEBUG, and added
> an extra gnutls_log call where asn1_read_value fails and
> see the following output using 0.2.3.  Lines that begin
> 'zarathustra' were generated by my program.
> got: a001 OK STARTTLS completed
> GNUTLS_ASSERT: gnutls_cert.c:231
> Handshake: CLIENT HELLO was send [50 bytes]
> Handshake: SERVER HELLO was received [74 bytes]
> Server's version: 3.1
> SessionID length: 32
> SessionID: 2dae0afeb07d804384d399b639836265328d8e962e805075580843e9bc9b8685
> Selected cipher suite: RSA_3DES_EDE_CBC_SHA
> Handshake: CERTIFICATE was received [791 bytes]
> GNUTLS_ASSERT: x509_extensions.c:266
> asn1_read_value parsing certificate2.tbsCertificate.extensions.?2.extnValue returned 12
> GNUTLS_ASSERT: gnutls_cert.c:865
> GNUTLS_ASSERT: auth_rsa.c:511
> GNUTLS_ASSERT: gnutls_kx.c:558
> GNUTLS_ASSERT: gnutls_handshake.c:1311
> GNUTLS Error: recv server certificate (-42)
> Handshake failed
> Failed to initialize TLS
> The ASN1 parsing error #12 is apparently ASN_MEM_ERROR.
> I assume, without much basis, that this is either an
> interoperability problem with openssl or a dislike of
> openssl generated certificates.  If you need any details
> or have suggestions, please let me know.  It would be
> great to know I'm invoking the gnutls library correctly.
> I don't know if it's possible to gracefully recover from
> failure to parse the certificate and keep the encrypted
> association, but that might be handy.
> If this belongs instead on gnutls-dev or -help, feel free
> to forward.
> -neil

More information about the Gnutls-devel mailing list