[sr #107540] iPhone/iPad TLS negotiation to postfix fails with certtool certs, works with openssl certs

Nikos Mavrogiannopoulos nmav at gnutls.org
Sun Dec 5 16:33:12 CET 2010 

It might be that apple is correct here, and gnutls doesn't encode
properly. I see that only on ECDSA the parameters field must be ommited
while on RSA the parameters shall be of NULL type. Thus I'd handle this
as a bug on gnutls' side and commit a fix. Thank you for bringing that
to our attention!

regards,
Nikos


On 12/05/2010 03:29 PM, Michael Rommel wrote:
> Hi Nikos,
> 
> doing the same patch you suggested in a second location:
> 
> Line 1181 in lib/x509/common.c
> 
>       /* result = asn1_write_value (dst, name, NULL, 0); */
>       result = asn1_write_value (dst, name, "\x05\x00", 2);
> 
> did do the trick. Now the certificate is accepted and displayed for acceptance. I'll update the info as soon as savannah is reachable again, the last hour or so, no connection was possible.
> 
> Can you please give me a little bit more information, where I can find out more about the correct parameters?
> 
> RFC3279 states:
> The ASN.1 object identifier used to identify this signature algorithm
>    is:
> 
>       sha-1WithRSAEncryption OBJECT IDENTIFIER  ::=  {
>           iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
>           pkcs-1(1) 5  }
> 
>    When any of these three OIDs appears within the ASN.1 type
>    AlgorithmIdentifier, the parameters component of that type SHALL be
>    the ASN.1 type NULL.
> 
>    The RSA signature generation process and the encoding of the result
>    is described in detail in PKCS #1 [RFC 2313].
> So it is a SHOULD. But can you leave it out or what can you do, when you don't want to follow the SHOULD route?
> 
> I'd try to take the info to the openssl team and Apple because it would be their part now... But if the behaviour is not defined how to handle the non-SHOULD way it would make it difficult.
> 
> What's you opinion on that?
> 
> Thanks a lot!
> 
>   Michael.
> 
> 
> On 5. Dec 2010, at 11:20 , Nikos Mavrogiannopoulos wrote:
> 
>>
>> Follow-up Comment #7, sr #107540 (project gnutls):
>>
>> Could you try the attached patch, on whether generates certificates that are
>> accepted by the devices?
>>
>> (file #22126)
>>    _______________________________________________________
>>
>> Additional Item Attachment:
>>
>> File name: patch.txt                      Size:0 KB
>>
>>
>>    _______________________________________________________
>>
>> Reply to this item at:
>>
>>  <http://savannah.gnu.org/support/?107540>
>>
>> _______________________________________________
>>  Message sent via/by Savannah
>>  http://savannah.gnu.org/
>>
>

More information about the Gnutls-devel mailing list