[EMAIL PROTECTED] wrote:
>
> Hi all,
>
> Last week, Steve Henson wrote
> > This may well be a problem with JSSE. JSSE used an invalid signature
> > format for DSA. I had someone check this out with a patch that makes
> > OpenSSL produce a similar invalid format and it then worked.
>
> Would someone please post that patch? Yes, it might be a Sun problem,
> but we only have the source to one of these things!
>
The patch was for the server side only.
It causes errors when OpenSSL clients connect with DSA OpenSSL servers.
It is possible to make the client side tolerate both formats but the
patch doesn't curently do that.
It is not possible to make the server automatically produce the invalid
format because it has no way of knowing the client is expecting it.
In s3_srvr.c currently around line 1119 you have:
if (!EVP_SignFinal(&md_ctx,&(p[2]),
(unsigned int *)&i,pkey))
{
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
goto err;
}
s2n(i,p);
n+=i+2;
}
try changing this to:
if (!EVP_SignFinal(&md_ctx,p,
(unsigned int *)&i,pkey))
{
SSLerr(SSL_F_SSL3_SEND_SERVER_KEY_EXCHANGE,ERR_LIB_DSA);
goto err;
}
n+=i;
}
Tolerating both formats could be made a 'bug' option which would allow
clients to connect to JSSE.
The real fix however would be to get Sun to fix their broken software.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
