Hello Dave,

Does openssl support "S/MIME Capabilities" certificate extension? I think
openssl is unable to parse this extension.

-mithun


On Sat, May 18, 2013 at 1:10 AM, Dave Thompson <dthomp...@prinpay.com>wrote:

> >From: owner-openssl-us...@openssl.org On Behalf Of Mithun Kumar
> >Sent: Friday, 17 May, 2013 08:51
>
> >Is anyone aware why below error is thrown by openssl?
> <trimmed>
> >0D0680A8:asn1 :ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1294:
> >0D07803A:asn1 :ASN1_ITEM_EX_D2I:nested :tasn_dec.c:380:Type=X509_EXTENSION
> >0D08303A:asn1 :ASN1_TEMPLATE_NOEXP_D2I:nested :tasn_dec.c:710:
> >0D08403A:asn1 :ASN1_TEMPLATE_EX_D2I:nested
> :tasn_dec.c:578:Field=extensions,
> Type=X509_CINF
> >0D08303A:asn1 :ASN1_TEMPLATE_NOEXP_D2I:nested
> :tasn_dec.c:749:Field=cert_info, Type=X509
> >1409000D:SSL :SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:s3_clnt.c:954:
>
> OpenSSL was unable to decode (parse) the extensions field
> of a (or the) certificate received from the server.
> I *think* this is on a particular extension (rather than
> the sequence-of which is the extensions field).
>
> Is other software able to connect to the same server, and if so,
> can it export the certificate(s) received/used? (E.g. if this is
> a webserver most web browsers can export certs.) If so, try
> examining those cert(s) with commandline x509 -text, and if that
> gets a similar error, with commandline asn1parse. Or post it(them)
> for someone else to do so. All reliers are supposed to check
> all extensions at least enough to see if they're 'critical',
> but some reliers who don't implement or don't care might not.
>
> If not, see if there's a way to get the cert(s) from the server
> "out of band" (not by doing an SSL handshake), or get a trace of
> the handshake attempt: with commandline s_client -msg (or -debug),
> or with any client and an external tool like tcpdump or wireshark.
> Personally I find wireshark easy to use and its display helpful.
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>

Reply via email to