David Marwood wrote:
>
> I looked at the latest "[STATUS] OpenSSL (Sun 18-Jul-1999)" but didn't
> see this mentioned.
>
> x509.c says:
[stuff omitted]
> That makes sense. However, the x509 app saves DSA keys if and only if
> the parent and child DSA params are the *same*. I use gendh to make
> DH params, then dsaparam to make DSA params, then use req and x509 to
> sign a certificate. If I use different DH and DSA params file for the
> CA certificate and the cert request, the resulting cert does not have
> DSA parameters (as displayed by x509 -text). Using these certs with
> s_server and s_client, the s_client app gives the error:
> 20598:error:140900EF:SSL routines:SSL3_GET_SERVER_CERTIFICATE:unable to find public key parameters:s3_clnt.c:783:
>
> If I use the same DH and DSA param files for both the CA cert and the
> request then s_client connects perfectly.
>
> I believe the test against EVP_PKEY_cmp_parameters() in the above code
> is exactly opposite. Looking at the implementation, it seems that
> function returns 0 if the two parameters are different.
>
> If I'm wrong then I really don't understand the reason for the
> s_client error. Can someone enlighten me?
>
You are correct. In fact, it is now standard practice to never omit DSA
parameters, so that's what OpenSSL does now.
This was fixed in the development version a while ago and it is in the
latest snapshot.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
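The failure in the thread is a certificate whose DSA SubjectPublicKeyInfo carries no parameters, so the peer has to inherit p, q and g from the issuer and s_client gives up when it cannot. The check below is an added example, not code from the thread or from OpenSSL: a stdlib-only Python script that walks the DER of a certificate to its SubjectPublicKeyInfo and reports whether the DSA AlgorithmIdentifier actually contains p/q/g, is missing them (or has NULL), or is not DSA at all. The DER helpers, the `toy_cert` shell and the small p/q/g/y values are constructed for the example and are not real or secure DSA parameters.

```python
# Added example (not from the original thread or OpenSSL): report whether a DSA
# certificate's SubjectPublicKeyInfo carries its own p/q/g or omits them, which
# is the condition that produced "unable to find public key parameters".
# Stdlib only. All key material below is constructed toy data, not real DSA values.

DSA_OID = bytes.fromhex("2a8648ce380401")   # 1.2.840.10040.4.1 (id-dsa)
SEQ, INT, NULL, OID, BITSTR, CTX0 = 0x30, 0x02, 0x05, 0x06, 0x03, 0xA0


# ---- minimal DER encoding, only what the sample data needs ----
def tlv(tag, value):
    """Encode one DER TLV with a definite length."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def der_int(n):
    """Encode a non-negative INTEGER (leading 0x00 when the high bit is set)."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return tlv(INT, (b"\x00" if b[0] & 0x80 else b"") + b)


def dsa_spki(y, params=None):
    """SubjectPublicKeyInfo for a DSA key; params=(p, q, g), or None to omit them."""
    alg = tlv(OID, DSA_OID)
    if params is not None:
        alg += tlv(SEQ, b"".join(der_int(v) for v in params))
    return tlv(SEQ, tlv(SEQ, alg) + tlv(BITSTR, b"\x00" + der_int(y)))


def toy_cert(spki):
    """Minimal Certificate shell (empty names/validity) around an SPKI; toy only."""
    tbs = (tlv(CTX0, der_int(2)) + der_int(1) + tlv(SEQ, tlv(OID, DSA_OID))
           + tlv(SEQ, b"") + tlv(SEQ, b"") + tlv(SEQ, b"") + spki)
    return tlv(SEQ, tlv(SEQ, tbs) + tlv(SEQ, tlv(OID, DSA_OID)) + tlv(BITSTR, b"\x00"))


# ---- minimal DER decoding ----
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; definite length only."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed value into its (tag, value) children, in order."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out


def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV from a DER X.509 certificate."""
    _, cert, _ = read_tlv(cert_der)
    _, tbs = children(cert)[0]
    fields = children(tbs)
    if fields[0][0] == CTX0:            # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return tlv(*fields[5])


def dsa_params_status(spki_der):
    """'present' | 'absent' | 'not-dsa' | 'malformed' for a DER SubjectPublicKeyInfo."""
    _, spki, _ = read_tlv(spki_der)
    alg_fields = children(children(spki)[0][1])
    if alg_fields[0][0] != OID or alg_fields[0][1] != DSA_OID:
        return "not-dsa"
    if len(alg_fields) < 2 or alg_fields[1][0] == NULL:
        return "absent"     # parameters must be inherited from the issuer; s_client rejects this
    tag, body = alg_fields[1]
    if tag == SEQ and [t for t, _ in children(body)] == [INT, INT, INT]:
        return "present"
    return "malformed"


if __name__ == "__main__":
    P, Q, G, Y = 0xB7, 0x5F, 0x03, 0x42     # constructed toy values, not secure
    for label, cert in (("with params", toy_cert(dsa_spki(Y, (P, Q, G)))),
                        ("params omitted", toy_cert(dsa_spki(Y)))):
        print(label, "->", dsa_params_status(spki_from_cert(cert)))
```

To run it against a real certificate, convert it first with `openssl x509 -in cert.pem -outform DER -out cert.der` and call `dsa_params_status(spki_from_cert(open("cert.der", "rb").read()))`; "absent" is the condition the thread describes, where the cert only works if the peer already holds the issuer's parameters, and it is exactly what `x509 -text` shows as a missing parameter block.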