What is your platform? When were each of 0.9.8 (unpatched, it appears) and 1.0.0d compiled? What toolchains were used to compile them?

-Kyle H

On Sun, Mar 16, 2014 at 8:42 PM, Mithun Kumar <mithunsi...@gmail.com> wrote:
>
> Hello Dave,
>
> When the client gets the server certificate (SQL Server) and tries to validate it we
> get the "ASN1_F_ASN1_CHECK_TLEN" "ASN1_R_WRONG_TAG" error.
>
> I could parse the cert successfully and also dump the ASN.1. I can't
> connect using s_client as it hangs.
>
> When I add logs to the OpenSSL code I see that Field Name = "sig_alg" has
> this problem.
>
> When KeySize = 1024 and signature algorithm = SHA1RSA it connects
> successfully, whereas with KeySize = 2048 and signature algorithm = SHA1RSA
> it fails. Also the failing cert works with v1.0.0d and not with 0.9.8.
> Did we fix any bugs around the above-mentioned problem? Are there any
> workarounds that I can try?
>
> Not sure how to proceed forward. :(
>
> -Thanks
>
> On Sat, Mar 15, 2014 at 1:09 AM, Dave Thompson <dthomp...@prinpay.com> wrote:
>
>> OpenSSL has long limited RSA key moduli to 16384 bits, far more than
>> 2048.
>>
>> It also has limits on other kinds of keys; if you meant to ask about
>> them, be specific.
>>
>> Do you really mean 0.9.8 with no suffix? Vanilla or patched?
>>
>> The oldest and newest 0.9.8 versions I have installed (g and x) handle
>> RSA-2048 fine – even with SHA-256 for signature, which your example
>> doesn't do. (NIST rates RSA-2048 strength equivalent to 112 bits, but
>> SHA-1 drags signature strength down to 80 bits or less, especially for
>> partly-chosen data like certs.)
>>
>> Does the error occur with s_client or something else, and if something
>> else, can you reproduce it with s_client? What exactly is the error?
>>
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mithun Kumar
>> Sent: Friday, March 14, 2014 11:53
>> To: openssl-users@openssl.org
>> Subject: *** Spam *** Re: Need understanding on certutil output.
>>
>> Hello Viktor,
>>
>> Thanks for the reply.
>>
>> Are there any limitations with key size?
>>
>> When cert 2 is received by the client from the server, I get an incorrect
>> tag length error. Currently I am using OpenSSL version 0.9.8. The same
>> cert (Cert2) works correctly for v1.0.0d.
>>
>> -Thanks
>> mithun
>>
>> On Fri, Mar 14, 2014 at 8:02 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>>
>> On Fri, Mar 14, 2014 at 06:18:49PM +0530, Mithun Kumar wrote:
>>
>> > What is the difference between these two formats?
>>
>> The first contains a 1024 bit RSA-SHA1 public key, the second a
>> 2048-bit key.
>>
>> > Below is the ASN output using the certutil tool.
>> >
>> > Cert1:-
>> >
>> > 0618: 30 0d ; SEQUENCE (d Bytes)
>> > 061a: | 06 09 ; OBJECT_ID (9 Bytes)
>> > 061c: | | 2a 86 48 86 f7 0d 01 01 05
>> > | | ; 1.2.840.113549.1.1.5 sha1RSA
>> > 0625: | 05 00 ; NULL (0 Bytes)
>> > 0627: 03 81 81 ; BIT_STRING (81 Bytes)
>> >
>> > Cert2:-
>> >
>> > 0780: 30 0d ; SEQUENCE (d Bytes)
>> > 0782: | 06 09 ; OBJECT_ID (9 Bytes)
>> > 0784: | | 2a 86 48 86 f7 0d 01 01 05
>> > | | ; 1.2.840.113549.1.1.5 sha1RSA
>> > 078d: | 05 00 ; NULL (0 Bytes)
>> > 078f: 03 82 01 01 ; BIT_STRING (101 Bytes)
>> > 0793: 00
>> >
>> > What do the highlighted values indicate? Any idea?
>>
>> The signature algorithm name and key length. The byte counts are
>> reported in hex by the tool you're using, so 0x101 is 257 decimal,
>> and 0x81 is 129 decimal.
>>
>> --
>> Viktor.
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
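Added example, not from the thread, OpenSSL or certutil: a small DER TLV walker that decodes the sig_alg bytes and the two BIT STRING headers quoted in the certutil dumps above. It shows how the length octets 0x81 0x81 and 0x82 0x01 0x01 expand to the 129 and 257 Viktor mentions (one unused-bits octet plus a 128- or 256-byte signature value, i.e. 1024-bit vs 2048-bit RSA), why the lone 00 at 0x0793 is the BIT STRING's unused-bits octet rather than signature data, and the expected-tag check that corresponds to the ASN1_R_WRONG_TAG condition Mithun reports. Note that the only structural difference between the two dumped headers is that the 2048-bit cert's BIT STRING is the first whose length no longer fits in a single length octet. The signature octets are constructed placeholders because the dump shows only headers; the function names, the WrongTag class and the constants are this example's own.

```python
"""Minimal DER TLV walker for the certutil dump in this thread.

Added example (not OpenSSL or certutil code). Decodes the AlgorithmIdentifier
bytes the dump shows and the two BIT STRING headers, demonstrating X.690
short-form vs long-form lengths and an expected-tag check like the one behind
OpenSSL's ASN1_R_WRONG_TAG.
"""
import binascii

# Universal class tags that appear in the dump
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_NULL = 0x05
TAG_BIT_STRING = 0x03


class WrongTag(ValueError):
    """Raised when the tag at the cursor is not the one the caller expects."""


def read_tlv(buf, pos, expected_tag=None):
    """Decode one TLV at buf[pos]; return (tag, value_bytes, next_pos).

    Length per X.690: a first length octet below 0x80 is the length itself
    (short form); 0x80|n means the next n octets hold the length big-endian
    (long form). So 0x81 0x81 -> 129 and 0x82 0x01 0x01 -> 257, which are the
    hex counts certutil printed as "81 Bytes" and "101 Bytes".
    """
    if pos >= len(buf):
        raise ValueError("truncated: no tag at offset 0x%x" % pos)
    tag = buf[pos]
    if expected_tag is not None and tag != expected_tag:
        # The same condition OpenSSL reports as ASN1_R_WRONG_TAG
        raise WrongTag("offset 0x%x: expected tag 0x%02x, got 0x%02x"
                       % (pos, expected_tag, tag))
    pos += 1
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized length at 0x%x" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length %d overruns buffer at 0x%x" % (length, pos))
    return tag, buf[pos:end], end


def decode_oid(value):
    """Render OID contents as dotted decimal (base-128 subidentifiers)."""
    arcs = [value[0] // 40, value[0] % 40]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:        # high bit clear ends the subidentifier
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def parse_algorithm_identifier(buf, pos=0):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY }.

    Returns (dotted OID, tag of the parameters element, offset after the SEQUENCE).
    """
    _, seq, end = read_tlv(buf, pos, TAG_SEQUENCE)
    _, oid, p = read_tlv(seq, 0, TAG_OID)
    params_tag, _, _ = read_tlv(seq, p)
    return decode_oid(oid), params_tag, end


def parse_bit_string_header(buf, pos=0):
    """Return (declared content length, unused-bit count) for a BIT STRING.

    The first content octet of a BIT STRING is the number of unused bits in
    the last octet; the 00 at 0x0793 in Cert2 is that octet, not signature data.
    """
    _, value, _ = read_tlv(buf, pos, TAG_BIT_STRING)
    return len(value), value[0]


def is_wrong_tag(buf, expected_tag, pos=0):
    """True when the element at pos does not carry expected_tag."""
    try:
        read_tlv(buf, pos, expected_tag)
    except WrongTag:
        return True
    return False


# Octets copied from the certutil dump (the sig_alg SEQUENCE, identical in both certs)
SIG_ALG = binascii.unhexlify("300d06092a864886f70d0101050500")

# Constructed BIT STRING bodies: the dump shows only the headers, so the
# signature octets are 0xAA placeholders of the declared size.
CERT1_SIG = bytes.fromhex("038181") + b"\x00" + b"\xaa" * 128      # 0x81  -> 129
CERT2_SIG = bytes.fromhex("03820101") + b"\x00" + b"\xaa" * 256    # 0x101 -> 257

if __name__ == "__main__":
    print(parse_algorithm_identifier(SIG_ALG))   # ('1.2.840.113549.1.1.5', 5, 15)
    print(parse_bit_string_header(CERT1_SIG))    # (129, 0)
    print(parse_bit_string_header(CERT2_SIG))    # (257, 0)
    print(is_wrong_tag(SIG_ALG, TAG_BIT_STRING)) # True: SEQUENCE where BIT STRING expected
```

To run the same walk over a real certificate, dump it with `openssl x509 -in cert.pem -outform DER -out cert.der`, read the file into a bytes object, and call read_tlv at the offsets certutil reports (0x0618 and 0x0780 here); a mismatch between the tag the walker finds and the tag the parser expects at that offset is exactly what the check-TLEN error is complaining about.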