[sr #107540] iPhone/iPad TLS negotiation to postfix fails with certtool certs, works with openssl certs

Michael Rommel INVALID.NOREPLY at gnu.org
Wed Dec 8 22:26:38 CET 2010

Follow-up Comment #11, sr #107540 (project gnutls):


During debugging, I tried to apply the same patch in a second location for
the SignatureAlgorithm just after the Subject:

Line 1181 in lib/x509/common.c

     /* result = asn1_write_value (dst, name, NULL, 0); */
     result = asn1_write_value (dst, name, "\x05\x00", 2);

This turned out to work. Now the certificate is accepted and displayed for

RFC3279 states:
The ASN.1 object identifier used to identify this signature algorithm is:

     sha-1WithRSAEncryption OBJECT IDENTIFIER  ::=  {
         iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
         pkcs-1(1) 5  }

When any of these three OIDs appears within the ASN.1 type
AlgorithmIdentifier, the parameters component of that type SHALL be the ASN.1
type NULL.

It might be that these two insertions are needed to conform to the

Hopefully this does not break anything else.



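Added example (not part of the original message and not GnuTLS code): a small checker that classifies the parameters field of a DER-encoded AlgorithmIdentifier for sha-1WithRSAEncryption, distinguishing the explicit NULL ("\x05\x00") that the RFC 3279 text quoted above requires from an omitted field. The function name, enum and sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DER content bytes of OID 1.2.840.113549.1.1.5 (sha-1WithRSAEncryption). */
static const unsigned char OID_SHA1_RSA[] =
    { 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05 };

enum params_status { PARAMS_NULL, PARAMS_ABSENT, PARAMS_OTHER, NOT_SHA1_RSA, MALFORMED };

/* Classify the parameters field of one DER AlgorithmIdentifier (hypothetical helper).
 * Only short-form lengths (< 128) are handled, which covers this structure. */
enum params_status check_alg_id(const unsigned char *der, size_t len)
{
    size_t seq_len, oid_len, rest;
    const unsigned char *p;

    if (len < 4 || der[0] != 0x30 || der[1] >= 0x80)   /* SEQUENCE, short length */
        return MALFORMED;
    seq_len = der[1];
    if (seq_len != len - 2 || der[2] != 0x06 || der[3] >= 0x80)  /* OBJECT IDENTIFIER */
        return MALFORMED;
    oid_len = der[3];
    if (oid_len == 0 || oid_len + 2 > seq_len)
        return MALFORMED;
    if (oid_len != sizeof OID_SHA1_RSA || memcmp(der + 4, OID_SHA1_RSA, oid_len) != 0)
        return NOT_SHA1_RSA;
    p = der + 4 + oid_len;             /* first byte after the OID, if any */
    rest = seq_len - 2 - oid_len;      /* bytes left for the parameters field */
    if (rest == 0)
        return PARAMS_ABSENT;          /* field omitted entirely */
    if (rest == 2 && p[0] == 0x05 && p[1] == 0x00)
        return PARAMS_NULL;            /* explicit ASN.1 NULL: "\x05\x00" */
    return PARAMS_OTHER;
}

/* Constructed sample encodings (not taken from any real certificate). */
static const unsigned char WITH_NULL[] = { 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48,
    0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05, 0x05, 0x00 };
static const unsigned char WITHOUT_PARAMS[] = { 0x30, 0x0B, 0x06, 0x09, 0x2A, 0x86,
    0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x05 };

int main(void)
{
    printf("with NULL: %d, without: %d\n",
           check_alg_id(WITH_NULL, sizeof WITH_NULL),
           check_alg_id(WITHOUT_PARAMS, sizeof WITHOUT_PARAMS));
    return 0;
}
```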