>From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
>Sent: Friday, 17 May, 2013 08:51
>Is anyone aware why below error is thrown by openssl?
<trimmed>
>0D0680A8:asn1 :ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1294:
>0D07803A:asn1 :ASN1_ITEM_EX_D2I:nested :tasn_dec.c:380:Type=X509_EXTENSION
>0D08303A:asn1 :ASN1_TEMPLATE_NOEXP_D2I:nested :tasn_dec.c:710:
>0D08403A:asn1 :ASN1_TEMPLATE_EX_D2I:nested :tasn_dec.c:578:Field=extensions, Type=X509_CINF
>0D08303A:asn1 :ASN1_TEMPLATE_NOEXP_D2I:nested :tasn_dec.c:749:Field=cert_info, Type=X509
>1409000D:SSL :SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:s3_clnt.c:954:

OpenSSL was unable to decode (parse) the extensions field of a (or the) certificate received from the server. I *think* this is on a particular extension (rather than the sequence-of which is the extensions field).

Is other software able to connect to the same server, and if so, can it export the certificate(s) received/used? (E.g. if this is a webserver most web browsers can export certs.) If so, try examining those cert(s) with commandline x509 -text, and if that gets a similar error, with commandline asn1parse. Or post it(them) for someone else to do so. All reliers are supposed to check all extensions at least enough to see if they're 'critical', but some reliers who don't implement or don't care might not.

If not, see if there's a way to get the cert(s) from the server "out of band" (not by doing an SSL handshake), or get a trace of the handshake attempt: with commandline s_client -msg (or -debug), or with any client and an external tool like tcpdump or wireshark. Personally I find wireshark easy to use and its display helpful.
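Added example, not part of the original message and not OpenSSL code: a small DER walker that checks each entry of an extensions SEQUENCE against the Extension layout and reports the first field whose tag is not the expected one, which is the condition the "wrong tag ... Type=X509_EXTENSION" lines describe. It assumes you already hold the DER bytes of the extensions SEQUENCE; the function names and the sample bytes are constructed for illustration.

```python
# Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
FIELDS = [(0x06, "extnID", False), (0x01, "critical", True), (0x04, "extnValue", False)]

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[off]."""
    if off + 2 > len(buf):
        raise ValueError(f"truncated header at offset {off}")
    tag, first = buf[off], buf[off + 1]
    off += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or off + n > len(buf):
            raise ValueError(f"bad length at offset {off - 1}")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError(f"value overruns buffer at offset {off}")
    return tag, off, off + length

def check_extensions(der):
    """Walk SEQUENCE OF Extension; return [(index, offset, message)] for wrong tags."""
    tag, pos, end = read_tlv(der, 0)
    if tag != 0x30:
        return [(None, 0, f"outer tag 0x{tag:02x}, expected 0x30")]
    problems, idx = [], 0
    while pos < end:
        tag, p, ext_end = read_tlv(der[:end], pos)
        if tag != 0x30:
            problems.append((idx, pos, f"Extension: tag 0x{tag:02x}, expected 0x30"))
        for want, name, optional in (FIELDS if tag == 0x30 else []):
            got = der[p] if p < ext_end else None
            if got == want:
                p = read_tlv(der[:ext_end], p)[2]   # field present, skip past it
            elif not optional:
                seen = "missing" if got is None else f"tag 0x{got:02x}"
                problems.append((idx, p, f"{name}: {seen}, expected 0x{want:02x}"))
                break
        pos, idx = ext_end, idx + 1
    return problems

def tlv(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only; enough for the sample

# Constructed sample (not a real cert): good basicConstraints, then keyUsage with a bare BIT STRING.
good = tlv(0x30, tlv(0x06, b"\x55\x1d\x13") + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, b"")))
bad = tlv(0x30, tlv(0x06, b"\x55\x1d\x0f") + tlv(0x03, b"\x05\xa0"))
SAMPLE = tlv(0x30, good + bad)
```

Calling check_extensions(SAMPLE) flags extension index 1 at byte offset 23, where a BIT STRING tag sits in place of the OCTET STRING that must wrap the extension value.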