Hello Dave, Does openssl support "S/MIME Capabilities" certificate extension? I think openssl is unable to parse this extension.
-mithun On Sat, May 18, 2013 at 1:10 AM, Dave Thompson <dthomp...@prinpay.com>wrote: > >From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar > >Sent: Friday, 17 May, 2013 08:51 > > >Is anyone aware why below error is thrown by openssl? > <trimmed> > >0D0680A8:asn1 :ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1294: > >0D07803A:asn1 :ASN1_ITEM_EX_D2I:nested :tasn_dec.c:380:Type=X509_EXTENSION > >0D08303A:asn1 :ASN1_TEMPLATE_NOEXP_D2I:nested :tasn_dec.c:710: > >0D08403A:asn1 :ASN1_TEMPLATE_EX_D2I:nested > :tasn_dec.c:578:Field=extensions, > Type=X509_CINF > >0D08303A:asn1 :ASN1_TEMPLATE_NOEXP_D2I:nested > :tasn_dec.c:749:Field=cert_info, Type=X509 > >1409000D:SSL :SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:s3_clnt.c:954: > > OpenSSL was unable to decode (parse) the extensions field > of a (or the) certificate received from the server. > I *think* this is on a particular extension (rather than > the sequence-of which is the extensions field). > > Is other software able to connect to the same server, and if so, > can it export the certificate(s) received/used? (E.g. if this is > a webserver most web browsers can export certs.) If so, try > examining those cert(s) with commandline x509 -text, and if that > gets a similar error, with commandline asn1parse. Or post it(them) > for someone else to do so. All reliers are supposed to check > all extensions at least enough to see if they're 'critical', > but some reliers who don't implement or don't care might not. > > If not, see if there's a way to get the cert(s) from the server > "out of band" (not by doing an SSL handshake), or get a trace of > the handshake attempt: with commandline s_client -msg (or -debug), > or with any client and an external tool like tcpdump or wireshark. > Personally I find wireshark easy to use and its display helpful. > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >