Hello Dave,

When the client gets the server certificate (SQLServer) and tries to validate it, we get the "ASN1_F_ASN1_CHECK_TLEN" "ASN1_R_WRONG_TAG" error.

I could parse the cert successfully and also dump the ASN.1. I can't connect using s_client as it hangs. When I add logs to the OpenSSL code I see that Field Name = "sig_alg" has this problem. When KeySize = 1024 and signature algorithm = SHA1RSA it connects successfully, whereas with KeySize = 2048 and signature algorithm = SHA1RSA it fails. Also the failing cert works with V1.0.0.d and not with 0.9.8. Did we fix any bugs around the above-mentioned problem? Are there any workarounds that I can try? Not sure how to proceed forward. :(

-Thanks

On Sat, Mar 15, 2014 at 1:09 AM, Dave Thompson <dthomp...@prinpay.com> wrote:

> OpenSSL has long limited RSA key moduli to 16384 bits, far more than 2048.
> It also has limits on other kinds of keys; if you meant to ask about them, be specific.
>
> Do you really mean 0.9.8 with no suffix? Vanilla or patched?
> The oldest and newest 0.9.8 versions I have installed (g and x) handle RSA-2048 fine -
> even with SHA-256 for signature which your example doesn't do. (NIST rates RSA-2048
> strength equivalent to 112 bits, but SHA-1 drags signature strength down to 80 bits
> or less, especially for partly-chosen data like certs.)
>
> Does the error occur with s_client or something else, and if something else
> can you reproduce it with s_client? What exactly is the error?
>
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Mithun Kumar
> Sent: Friday, March 14, 2014 11:53
> To: openssl-users@openssl.org
> Subject: *** Spam *** Re: Need understanding on certutil output.
>
> Hello Viktor,
>
> Thanks for the reply.
>
> Are there any limitations with key size?
>
> When cert 2 is received by the client from the server, I get an incorrect
> tag length error. Currently I am using OpenSSL version 0.9.8. The same
> cert (Cert2) works correctly for v1.0.0.d.
>
> -Thanks
> mithun
>
> On Fri, Mar 14, 2014 at 8:02 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>
> > On Fri, Mar 14, 2014 at 06:18:49PM +0530, Mithun Kumar wrote:
> >
> > > What is the difference between these two formats
> >
> > The first contains a 1024 bit RSA-SHA1 public key, the second a
> > 2048-bit key.
> >
> > > Below is the ASN output using certutil tool.
> > >
> > > Cert1:-
> > >
> > > 0618: 30 0d ; SEQUENCE (d Bytes)
> > > 061a: | 06 09 ; OBJECT_ID (9 Bytes)
> > > 061c: | | 2a 86 48 86 f7 0d 01 01 05
> > > | | ; 1.2.840.113549.1.1.5 sha1RSA
> > > 0625: | 05 00 ; NULL (0 Bytes)
> > > 0627: 03 81 81 ; BIT_STRING (81 Bytes)
> > >
> > > Cert2:-
> > >
> > > 0780: 30 0d ; SEQUENCE (d Bytes)
> > > 0782: | 06 09 ; OBJECT_ID (9 Bytes)
> > > 0784: | | 2a 86 48 86 f7 0d 01 01 05
> > > | | ; 1.2.840.113549.1.1.5 sha1RSA
> > > 078d: | 05 00 ; NULL (0 Bytes)
> > > 078f: 03 82 01 01 ; BIT_STRING (101 Bytes)
> > > 0793: 00
> > >
> > > What do the highlighted values indicate? Any idea?
> >
> > The signature algorithm name and key length. The byte counts are
> > reported in hex by the tool you're using, so 0x101 is 257 decimal,
> > and 0x81 is 129 decimal.
> >
> > --
> > Viktor.
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager majord...@openssl.org
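The exchange above turns on how DER encodes the lengths that certutil prints in hex: `30 0d` is a SEQUENCE with a short-form length of 13, while `03 81 81` and `03 82 01 01` are BIT STRINGs with long-form lengths (one or two length bytes announced by `81`/`82`) of 129 and 257 bytes. Each of those BIT STRING bodies is one "unused bits" byte followed by 128 or 256 bytes, i.e. a 1024-bit or 2048-bit value, which matches the two key sizes being compared. The following decoder is an added example written for this thread, not code from OpenSSL or from anyone posting here. It walks exactly the bytes shown in the dumps (the AlgorithmIdentifier is copied verbatim; the BIT STRING headers are copied and their bodies are constructed zero filler), decodes the OID to its dotted form, and rejects non-minimal or truncated length encodings the way a strict DER parser must. The `OID_NAMES` table and the `signature_summary` helper are my own additions for illustration.

```python
# Added example (not code from the thread): a minimal strict DER
# tag/length decoder applied to the byte sequences in the certutil dumps.

TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x05: "NULL",
             0x06: "OBJECT IDENTIFIER", 0x30: "SEQUENCE"}
# Small lookup table (illustrative, not exhaustive).
OID_NAMES = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.113549.1.1.11": "sha256WithRSAEncryption"}

# Bytes copied from the dumps: the AlgorithmIdentifier is identical in both certs.
SIG_ALG = bytes.fromhex("300d06092a864886f70d0101050500")
# BIT STRING headers copied from the dumps, followed by CONSTRUCTED filler:
# one "unused bits" byte (00) and then 128 or 256 zero bytes of content.
BITSTR_1024 = bytes.fromhex("038181") + b"\x00" + bytes(128)
BITSTR_2048 = bytes.fromhex("03820101") + b"\x00" + bytes(256)


def read_length(buf, pos):
    """Decode a DER length starting at buf[pos]; return (length, next_pos).

    Short form is a single byte below 0x80.  Long form is (0x80 | n) followed
    by n big-endian bytes, so 81 81 -> 129 and 82 01 01 -> 257 (the values
    certutil prints in hex as 81 and 101).
    """
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("indefinite or oversized length is not DER")
    if pos + nbytes > len(buf):
        raise ValueError("truncated length field")
    length = int.from_bytes(buf[pos:pos + nbytes], "big")
    pos += nbytes
    # DER demands the shortest encoding: no long form for values below 128
    # and no leading zero length bytes.
    if length < 0x80 or length < (1 << (8 * (nbytes - 1))):
        raise ValueError("non-minimal length encoding is not DER")
    return length, pos


def decode_oid(body):
    """Turn OID content octets into dotted form, e.g. 1.2.840.113549.1.1.5."""
    if not body:
        raise ValueError("empty OID")
    arcs = [body[0] // 40, body[0] % 40]   # first byte packs the first two arcs
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)  # base-128 digits, high bit = "more"
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("unterminated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def parse(buf, pos=0, end=None):
    """Parse consecutive DER TLVs in buf[pos:end] into a list of dicts."""
    end = len(buf) if end is None else end
    nodes = []
    while pos < end:
        tag = buf[pos]
        length, body = read_length(buf, pos + 1)
        if body + length > end:
            raise ValueError("element overruns its container (truncated input?)")
        content = buf[body:body + length]
        node = {"tag": tag, "name": TAG_NAMES.get(tag, "tag 0x%02x" % tag),
                "length": length}
        if tag == 0x30:                      # SEQUENCE: recurse into children
            node["value"] = parse(buf, body, body + length)
        elif tag == 0x06:
            node["value"] = decode_oid(content)
        elif tag == 0x03:                    # BIT STRING: first byte = unused bits
            if length == 0 or content[0] > 7:
                raise ValueError("malformed BIT STRING")
            node["value"] = (length - 1) * 8 - content[0]   # bit count
        elif tag == 0x05:
            if length:
                raise ValueError("NULL must be empty")
            node["value"] = None
        else:
            node["value"] = content
        nodes.append(node)
        pos = body + length
    return nodes


def is_valid_der(buf):
    """True if buf parses completely as strict DER, False on any violation."""
    try:
        parse(buf)
        return True
    except (ValueError, IndexError):
        return False


def signature_summary(alg_der, sig_der):
    """Name the signature algorithm and give the bit length of the signature value."""
    alg = parse(alg_der)[0]
    oid = alg["value"][0]["value"]
    bits = parse(sig_der)[0]["value"]
    return OID_NAMES.get(oid, oid), bits


if __name__ == "__main__":
    for label, sig in (("Cert1", BITSTR_1024), ("Cert2", BITSTR_2048)):
        name, bits = signature_summary(SIG_ALG, sig)
        print(label, name, "signature of", bits, "bits")
```

Run stand-alone it reports Cert1 as a 1024-bit and Cert2 as a 2048-bit sha1WithRSAEncryption value. The `is_valid_der` check is the part worth keeping around when diagnosing a tag/length error: feeding it a cut-off header such as `03 81 81` with no body, or a length written in long form when short form would do, returns False, which is the class of input a strict parser is supposed to refuse.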