Openssl SAN problem

Muehlbauer, Andreas

Hi,

we are running our own CA with openssl 0.9.8k on linux.
We get a CSR-Request containing SAN attributes from a Windows IIS Server:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=test1 OU=IT, O=Org, L=Location, S=State, C=DE"
KeySpec = 1
KeyLength = 1024
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
RequestType = CMC
KeyUsage = 0xa0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1

[RequestAttributes]
SAN="CN=xyz&CN=test3"


When I try to sign the csr-Request with openssl I get the following error message:
Error reading certificate request in xyz.csr
27756:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1316:
27756:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509_REQ_INFO
27756:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:748:Field=req_info, Type=X509_REQ
27756:error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib:pem_oth.c:83:


Signing Requests without SAN-attributes works just fine.

Can anybody help?

Thanks
Andi


This communication and any files or attachments transmitted with it may contain information that is copyrighted or confidential and exempt from
disclosure under applicable law. It is intended solely for the use of the individual or the entity to which it is addressed.
If you are not the intended recipient, you are hereby notified that any use, dissemination, or copying of this communication is strictly prohibited.
If you have received this communication in error, please notify us at once so that we may take the appropriate action and avoid troubling you further.
Thank you for your cooperation. Please contact your local IT staff or email [hidden email] if you need assistance.
 
Wacker Chemie AG, Hanns-Seidel-Platz 4, 81737 München, Germany, Sitz München, Amtsgericht München HRB 159705
Vorstand: Rudolf Staudigl (Vorsitzender), Joachim Rauhut, Wilhelm Sittenthaler, Auguste Willems
Vorsitzender des Aufsichtsrats: Peter-Alexander Wacker

Re: Openssl SAN problem

Dr. Stephen Henson
On Mon, Jan 18, 2010, Muehlbauer, Andreas wrote:

> Signing Requests without SAN-attributes works just fine.
>

Can you post or send me that CSR privately?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
RE: Openssl SAN problem

Muehlbauer, Andreas
Hi Steve,

I'm afraid that's not possible for security reasons.

Regards
Andi


Re: Openssl SAN problem

Dr. Stephen Henson
On Tue, Jan 19, 2010, Muehlbauer, Andreas wrote:

>
> I'm afraid that's not possible out of security reasons.
>

I'm not sure what "security reasons" you would have. The CSR only contains the
details you put in it and will appear in a public certificate anyway which
will be err public.

If you don't want the actual contents of the CSR made public can you make one
with test data in it? You can send it to me by private email if you wish.

Without being able to analyse the encoding of the CSR I can't trace this
problem further.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

Query about Meinberg NTPV4 4.2.4p7 client compatibility with other thirdparty NTPV4 servers

Emmanuel, Mathews  IN BLR SISL
Hi All,

I am developing an NTPV4 client/server as per the NTPV4 standards. We tried our client application with the 'Meinberg NTPV4 4.2.4p7' server and found it to be working fine with MD5 hashing. But vice versa it is not working (our server application is not working with the 'Meinberg NTPV4 4.2.4p7' client).

Inference:
The 'Meinberg NTPV4 4.2.4p7' client sends the ASSOC request and receives the ASSOC response from our server. But the Meinberg client then sends the ASSOC request to our server again instead of sending the CERT request.


The logic for generating the MAC is the same for our client as well as our server. The data in the ASSOC response is also the same as that of the Meinberg server's response, except for the time and KeyID. But we are not sure why it is not working.

Please let me know if any one of you has any insight about this issue.

Thanks
Mathews

Important notice: This e-mail and any attachment there to contains corporate proprietary information. If you have received it by mistake, please notify us immediately by reply e-mail and delete this e-mail and its attachments from your system.
Thank You.

Re: Query about Meinberg NTPV4 4.2.4p7 client compatibility with other thirdparty NTPV4 servers

Victor Duchovni
On Tue, Jan 19, 2010 at 07:43:34PM +0530, Emmanuel, Mathews  IN BLR SISL wrote:

> Inference:
> 'Meinberg NTPV4 4.2.4p7' client sends the ASSOC request and receive the ASSOC response from our server. But the Meinberg client again sends the ASSOC request to our server instead of sending the CERT request.

This is the OpenSSL users list. It seems to me that question belongs on
an NTP developer list. If you have a question about how to construct
message digests, please ask that question, directly.

A common pitfall, which I am guessing you did not fall into, but just
in case: Make sure you don't use strlen() or strcpy(), ... with raw
binary message digests, as these will contain null bytes, with a probability
of 1/256 per byte. The odds of an MD5 digest containing no null bytes are:

        (255/256)^16 ~ 93.9%

For SHA1 these drop to:

        (255/256)^20 ~ 92.5%

perhaps your MD5 test was "lucky", and SHA1 test was unlucky? If you
are actually computing and copying the hash value correctly, the rest
is material for an NTP protocol discussion list.

--
        Viktor.
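The strlen()/strcpy() pitfall Viktor describes, as an added example (not code from the thread). It uses MD5("") as the sample digest because its sixth byte happens to be 0x00, and recomputes the (255/256)^n figures from the post with a plain loop rather than a math library.

```c
#include <stdio.h>
#include <string.h>

#define MD5_DIGEST_LEN 16

/* Sample digest: MD5("") = d41d8cd98f00b204e9800998ecf8427e, chosen because
 * byte 5 is 0x00, exactly the case where C string functions go wrong. */
static const unsigned char SAMPLE_DIGEST[MD5_DIGEST_LEN] = {
    0xd4, 0x1d, 0x8c, 0xd9, 0x8f, 0x00, 0xb2, 0x04,
    0xe9, 0x80, 0x09, 0x98, 0xec, 0xf8, 0x42, 0x7e
};

/* The pitfall: copying a raw digest with strcpy(). Returns the number of
 * digest bytes that survive, i.e. how far strcpy() got before the NUL. */
size_t digest_bytes_kept_by_strcpy(const unsigned char *digest)
{
    char src[MD5_DIGEST_LEN + 1];
    char dst[MD5_DIGEST_LEN + 1] = {0};
    memcpy(src, digest, MD5_DIGEST_LEN);
    src[MD5_DIGEST_LEN] = '\0';
    strcpy(dst, src);            /* stops at the embedded 0x00 */
    return strlen(dst);          /* the same bug, in measuring form */
}

/* The fix: always carry an explicit length. Returns 1 when the copy is
 * byte-for-byte identical to the original digest. */
int digest_roundtrips_with_memcpy(const unsigned char *digest)
{
    unsigned char dst[MD5_DIGEST_LEN];
    memcpy(dst, digest, MD5_DIGEST_LEN);
    return memcmp(dst, digest, MD5_DIGEST_LEN) == 0;
}

/* Probability that n uniformly random bytes contain no 0x00: (255/256)^n. */
double prob_no_nul_byte(int n)
{
    double p = 1.0;
    for (int i = 0; i < n; i++)
        p *= 255.0 / 256.0;
    return p;
}

int main(void)
{
    printf("strcpy() kept %zu of %d digest bytes\n",
           digest_bytes_kept_by_strcpy(SAMPLE_DIGEST), MD5_DIGEST_LEN);
    printf("memcpy() round-trip intact: %s\n",
           digest_roundtrips_with_memcpy(SAMPLE_DIGEST) ? "yes" : "no");
    printf("P(no NUL) MD5 (16 bytes): %.1f%%, SHA-1 (20 bytes): %.1f%%\n",
           100.0 * prob_no_nul_byte(16), 100.0 * prob_no_nul_byte(20));
    return 0;
}
```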

RE: Query about Meinberg NTPV4 4.2.4p7 client compatibility with other thirdparty NTPV4 servers

Emmanuel, Mathews  IN BLR SISL

Thanks Viktor. I will check the usage of strcpy () and strlen ().
I may have to contact the NTP developer's group for further clarifications.

With best regards,
Mathews Emmanuel

Siemens Information Systems Ltd
CTDC I IA&DT IN
Survey No. 39, 41, 42
Block B, Salarpuria Infozone
Electronic City
Hosur Road, Bangalore - 560 100
Tel.  : + 91 80 6711 1143
Fax. : + 91 80 6711 1600
mailto. : [hidden email]
www.siemens.co.in

