The fix in X509_certificate_type() was correct but was built on old data. These days, export keys can be up to 1024 bits. All of OpenSSL 0.9.7c, except for X509_certificate_type(), reflected these new rulings. Another ticket (#771) pointed this out, and I changed X509_certificate_type() yesterday to check if the key is up to 1024 bits instead of 512, and if so, mark it as an export certificate. That change should resolve your issue as well.
Please try the latest 0.9.7 snapshot and see if your issue has gone away. If not, we need to dig deeper. [EMAIL PROTECTED] - Tue Oct 21 17:19:56 2003]: > After upgrading (from 0.9.7b) to 0.9.7c, SSL handshake fails. Here are > the symptoms: > SSL_connect breaks with SSL_R_MISSING_EXPORT_TMP_RSA_KEY. This happens > because the client plans on using RSA_EXPORT1024_WITH_DES_CBC_SHA, and > the server has a certificate with a 1024-bit RSA key. > In 0.9.7b there was a bug in X509_certificate_type() that caused it to > mark the server's public key with EVP_PKT_EXP (i.e. this is an export > cipher key). The bug was fixed in 0.9.7c, and so I have an EXPORT > cipher, with NON-EXPORT key. > This causes a check in ssl3_check_cert_and_algorithm() to fail because > an EXPORT algorithm is used with NON-EXPORT certificate, and no > temporary EXPORT key. > My question is: Why is this check needed? Is it required in SSL/TLS > specification? It seems strange to me to blame the server for not > generating a temporary 512 bit key (the algorithm specifies explicitly > RSA-1024...). > Anybody encountered this before? Any solution / workaround? > I'm using Windows 2000 Active Directory as the server, and the client is > my application which is linked with OpenLDAP and OpenSSL. It tries to > establish a LDAP over SSL connection on port 636. (Same client works > when linked with 0.9.7b) > Thanks > Tal > -- Richard Levitte [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
