I'm getting this from multiple FTP clients that rely on GnuTLS when connecting to an FTP site using explicit TLS (STARTTLS / AUTH TLS).
I suspect this is an issue with the certificate the site uses, but would like to confirm and also learn a bit about how to troubleshoot this sort of thing. I tried to use gnutls-cli:

$ gnutls-cli -V --insecure --print-cert -s -p 21 ftp.pp.xw.gm.com
Resolving 'ftp.pp.xw.gm.com'...
Connecting to '198.208.1.30:21'...
- Simple Client Mode:
- Received[51]: 220 usplgmxfs001 FTP server (TLSFTP 1.4.2) ready.
AUTH TLS
- Sent: 9 bytes
- Received[18]: 234 AUTH TLS OK.
*** Starting TLS handshake
*** Fatal error: ASN1 parser: Error in TAG.
*** Handshake has failed

However it doesn't really give me any specific errors here and I'm not sure how to force it to dump the certificate in this scenario. tcpdump shows me that the cert _is_ being transferred, but, I guess since it's invalid, gnutls-cli doesn't proceed any further with output.

I got a bit more info out of openssl s_client:

$ openssl s_client -connect ftp.pp.xw.gm.com:21 -starttls ftp
CONNECTED(00000003)
468:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1316:
468:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:828:
468:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:748:Field=value, Type=X509_EXTENSION
468:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:709:
468:error:0D08403A:asn1 encoding routines:ASN1_TEMPLATE_EX_D2I:nested asn1 error:tasn_dec.c:578:Field=extensions, Type=X509_CINF
468:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:748:Field=cert_info, Type=X509
468:error:1409000D:SSL routines:SSL3_GET_SERVER_CERTIFICATE:ASN1 lib:s3_clnt.c:972:

So it looks like a few of the listed fields are invalid.. but, again, I don't know how to actually dump a copy of the cert so I can look at it more closely.

Anyone have any pointers? Maybe someone wants to try to connect to the site above and tell me exactly how this cert is invalid.
:)

Thanks,
Ray
_______________________________________________
Help-gnutls mailing list
http://lists.gnu.org/mailman/listinfo/help-gnutls
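An added example, not part of the original post: one way to pull the raw certificate bytes out of a capture when the TLS library aborts before printing them. It assumes the server-to-client bytes that follow the "234 AUTH TLS OK." reply were saved from the tcpdump capture to a file, and that the session uses TLS 1.2 or earlier, where the Certificate message is sent unencrypted; all function names and the sample data are constructed for illustration.

```python
import struct, sys

HANDSHAKE, CERTIFICATE = 22, 11  # TLS record content type / handshake message type

def u24(buf, off):
    return int.from_bytes(buf[off:off + 3], "big")  # 3-byte big-endian length

def handshake_bytes(stream):
    """Join the payloads of all handshake records; one message may span records."""
    out, i = bytearray(), 0
    while i + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, i)
        payload = stream[i + 5:i + 5 + length]
        if len(payload) < length:
            break  # capture ends in the middle of a record
        if ctype == HANDSHAKE:
            out += payload
        i += 5 + length
    return bytes(out)

def extract_certs(stream):
    """Return the DER blobs from the first Certificate message, without parsing them."""
    hs, i = handshake_bytes(stream), 0
    while i + 4 <= len(hs):
        mtype, mlen = hs[i], u24(hs, i + 1)
        body = hs[i + 4:i + 4 + mlen]
        if mtype == CERTIFICATE:
            certs, j, end = [], 3, 3 + u24(body, 0)  # skip certificate_list length
            while j + 3 <= min(end, len(body)):
                clen = u24(body, j)
                certs.append(body[j + 3:j + 3 + clen])
                j += 3 + clen
            return certs
        i += 4 + mlen
    return []

# Constructed sample (not real certificates): ServerHello, Certificate and
# ServerHelloDone, with the Certificate message split across two records.
def _record(payload, ctype=HANDSHAKE):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload
def _msg(mtype, body):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body
FAKE_DER = [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]
_list = b"".join(len(c).to_bytes(3, "big") + c for c in FAKE_DER)
_flight = _msg(2, bytes(38)) + _msg(11, len(_list).to_bytes(3, "big") + _list) + _msg(14, b"")
SAMPLE = _record(_flight[:50]) + _record(_flight[50:])

if __name__ == "__main__" and len(sys.argv) > 1:  # usage: script.py server_bytes.bin
    for n, der in enumerate(extract_certs(open(sys.argv[1], "rb").read())):
        open(f"cert{n}.der", "wb").write(der)
```

The resulting files can be given to a generic ASN.1 dumper such as `openssl asn1parse -inform DER -in cert0.der`, which works on the raw DER encoding rather than requiring a parseable X.509 certificate.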
