On Tue, 2008-12-23 at 07:59 -0500, John A. Sullivan III wrote:
> On Tue, 2008-12-23 at 07:55 -0500, John A. Sullivan III wrote:
> > Hello, all.  We're in a bit of a panic here this morning.  After working
> > through various issues, we were delighted to be ready to move OpenCA
> > 1.0.2 into production.  However, in this morning's testing, we found the
> > PKCS#12 packages we issued for use with OpenVPN failing.
> > 
> > The error from OpenVPN is:
> > TLS_ERROR: BIO read tls_read_plaintext error: error:04067069:rsa
> > routines:RSA_EAY_PUBLIC_DECRYPT:pkcs1 padding too short
> > 
> > From the little we've been able to find, this could be a key length
> > error.  In version 0.9.2, we simply told it to use a key length of 1024.
> > In 1.0.2, I gather that is now a function of the combination of LOA and
> > key strength.  We chose Low and Base assuming that gave us a 1024 key.
> > When we check the key, it claims to be 1024.  The 0.9.2 packages are
> > working just fine.  Any idea what changed and how to fix it? Thanks -
> > John
> I should mention we are using server side key generation - John
We've tried using low and weak (512 bits), medium and base (1024 bits).
All failed the same way.  We also tried removing the subjalt entries.

In 0.9.2, we typically chose a Basic Request.  This option is no longer
available in 1.0.2 so we have been choosing Browser Certificate Request
and changing it to server side key generation. Would this cause a
problem like this? Thanks - John
-- 
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society


------------------------------------------------------------------------------
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users