First I have a question about the gendsa command in both 0.9.3a and SNAP-19990713. It appears that, contrary to the usage message, you have to specify -des, -des3 or -idea after the dsaparam-file argument on the command line. The offending code is in apps/gendsa.c:

	argv++;
	argc--;
	for (;;)
		{
		if (argc <= 0) break;
		if (strcmp(*argv,"-out") == 0)
			{
			if (--argc < 1) goto bad;
			outfile= *(++argv);
			}
		else if (strcmp(*argv,"-rand") == 0)
			{
			if (--argc < 1) goto bad;
			inrand= *(++argv);
			}
		else if (strcmp(*argv,"-") == 0)
			goto bad;
		else if (dsaparams == NULL)
			{
			/* first word that is not -out/-rand/- is taken as the
			 * params file, so a cipher flag given before the file
			 * name lands here instead of in the branches below */
			dsaparams= *argv;
			}
#ifndef NO_DES
		else if (strcmp(*argv,"-des") == 0)
			enc=EVP_des_cbc();
		else if (strcmp(*argv,"-des3") == 0)
			enc=EVP_des_ede3_cbc();
#endif
#ifndef NO_IDEA
		else if (strcmp(*argv,"-idea") == 0)
			enc=EVP_idea_cbc();
#endif
		else
			goto bad;
		argv++;
		argc--;
		}

If the "else if (dsaparams == NULL)" case is moved below the NO_IDEA #endif, the command should work as advertised.

Now for a DSA question in general. I have tried to create a DSA certificate for use with serv and cli in demos/ssl and keep getting the following error from the server:

19167:error:1407D0E5:SSL routines:SSL2_READ:ssl handshake failure:s2_pkt.c:99:

And this is what the client reports:

19170:error:0D06B078:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:139:
19170:error:0D09F006:asn1 encoding routines:d2i_X509:bad get asn1 object call:x_x509.c:97:address=134935408 offset=0
19170:error:1407E00B:SSL routines:SSL2_SET_CERTIFICATE:X509 lib:s2_clnt.c:891:

To generate the CA that signs the certificate I used:

	gendsa -out ca.key dsaparam.pem -des3
	req -new -x509 -days 365 -key ca.key -out ca.crt

I then generate the certificate with:

	gendsa -out server.key dsaparam.pem -des3
	req -new -days 365 -key server.key -out server.csr

And using the sign.sh that is distributed with mod_ssl I sign the server.csr with

	sign.sh server.csr

which gives me a server.crt.

This process is basically the same as the RSA generation process listed in the mod_ssl FAQ, with my cheap attempt to convert it to DSA. I am obviously missing something, and if someone could point me in the right direction I would greatly appreciate it. Everything works fine using RSA in the above scheme...

------------------------------------------------------------------------
Sam Tetherow                                        [EMAIL PROTECTED]
Director of Development                             Nebrask@ Online
                                                    http://www.nol.org/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                          [EMAIL PROTECTED]
Automated List Manager                             [EMAIL PROTECTED]
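The option-ordering problem described in the post, as an added stand-alone example (this is not code from the post or from OpenSSL). It models the gendsa option loop quoted above in both its 0.9.3a ordering and the reordered form the post proposes, and runs the two command lines in question through each. The cipher choice is recorded as a string instead of an EVP_CIPHER pointer so no OpenSSL headers are needed; the struct, the `params_last` switch and the `gendsa_accepts` wrapper are assumptions made for the example, and the arguments are passed without the program name (the original skips it with the leading argv++/argc--).

```c
/* Added example: model of the apps/gendsa.c option loop.  Not OpenSSL code. */
#include <stdio.h>
#include <string.h>

struct gendsa_opts {
    const char *outfile;    /* -out */
    const char *inrand;     /* -rand */
    const char *dsaparams;  /* positional params file */
    const char *enc;        /* "des", "des3", "idea" or NULL for no encryption */
};

/* Parse argv (program name already stripped).  params_last == 0 reproduces
 * the 0.9.3a ordering; params_last == 1 takes the positional file only after
 * the cipher flags have been ruled out, as the post suggests.
 * Returns 0 on success, -1 where the original does "goto bad". */
int parse_gendsa(int argc, const char **argv, int params_last,
                 struct gendsa_opts *o)
{
    memset(o, 0, sizeof(*o));
    for (; argc > 0; argc--, argv++) {
        const char *a = *argv;
        if (strcmp(a, "-out") == 0) {
            if (--argc < 1) goto bad;
            o->outfile = *(++argv);
        } else if (strcmp(a, "-rand") == 0) {
            if (--argc < 1) goto bad;
            o->inrand = *(++argv);
        } else if (strcmp(a, "-") == 0) {
            goto bad;
        } else if (!params_last && o->dsaparams == NULL) {
            /* 0.9.3a: first unrecognised word becomes the params file, so
             * "-des3" given before the file name is swallowed here and the
             * real file name then falls through to the final "goto bad". */
            o->dsaparams = a;
        } else if (strcmp(a, "-des") == 0) {
            o->enc = "des";
        } else if (strcmp(a, "-des3") == 0) {
            o->enc = "des3";
        } else if (strcmp(a, "-idea") == 0) {
            o->enc = "idea";
        } else if (params_last && o->dsaparams == NULL) {
            /* reordered: only a word that is no known flag is the file */
            o->dsaparams = a;
        } else {
            goto bad;
        }
    }
    return 0;
bad:
    return -1;
}

/* Run one of the two command lines from the post.  cipher_first selects
 * "-out x.key -des3 dsaparam.pem" (flag before file) over
 * "-out x.key dsaparam.pem -des3" (flag after file, as the post had to use).
 * Returns 1 when the parse succeeds with both the file and -des3 recorded,
 * 0 when the loop hits the usage error. */
int gendsa_accepts(int cipher_first, int params_last)
{
    const char *flag_first[] = { "-out", "x.key", "-des3", "dsaparam.pem" };
    const char *flag_last[]  = { "-out", "x.key", "dsaparam.pem", "-des3" };
    const char **argv = cipher_first ? flag_first : flag_last;
    struct gendsa_opts o;

    if (parse_gendsa(4, argv, params_last, &o) != 0)
        return 0;
    return o.dsaparams != NULL && strcmp(o.dsaparams, "dsaparam.pem") == 0
        && o.enc != NULL && strcmp(o.enc, "des3") == 0;
}

int main(void)
{
    printf("0.9.3a order, -des3 before file: %s\n",
           gendsa_accepts(1, 0) ? "accepted" : "usage error");
    printf("0.9.3a order, -des3 after file:  %s\n",
           gendsa_accepts(0, 0) ? "accepted" : "usage error");
    printf("reordered,    -des3 before file: %s\n",
           gendsa_accepts(1, 1) ? "accepted" : "usage error");
    printf("reordered,    -des3 after file:  %s\n",
           gendsa_accepts(0, 1) ? "accepted" : "usage error");
    return 0;
}
```

The general lesson is the one the post already spells out: in an else-if chain with a catch-all positional branch, that branch must come after every flag it could be mistaken for, otherwise the flag is silently taken as a file name and the real file name produces a confusing usage error.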