String lengths with openssl req


Etherline

I’m trying to get started with SSL. I’ve installed Win32OpenSSL-v0.9.8a on a Windows 2003 Server box with Apache 2.0.55 running.  I’ve got as far as:

openssl req -new -key myserver.key -out myserver.csr  (where myserver.key exists)

As soon as I get to the following prompt things get a little bizarre:

Country Name (2 letter code) [AU]:
String is too short, it needs to be at least 2 bytes long
Country Name (2 letter code) [AU]:GB
String is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [AU]:.
2712:error:0D11A09E:asn1 encoding routines:ASN1_mbstring_copy:illegal characters:.\crypto\asn1\a_mbstr.c:162:

Can anyone tell me what strings are >= 2 bytes &  also < 2 bytes and how I might get past this?

 

 

Thank you.

Ken Campbell

Re: String lengths with openssl req

Dr. Stephen Henson
On Wed, Nov 09, 2005, Ken Campbell wrote:

> I'm trying to get started with SSL. I've installed Win32OpenSSL-v0.9.8a
> on a Windows 2003 Server box with Apache 2.0.55 running.  I've got as
> far as:
>  
> openssl req -new -key myserver.key -out myserver.csr  (where
> myserver.key exists)
>  
> As soon as I get to the following prompt things get a little bizarre:
>  
> Country Name (2 letter code) [AU]:
> String is too short, it needs to be at least 2 bytes long
> Country Name (2 letter code) [AU]:GB
> String is too long, it needs to be less than 2 bytes long
> Country Name (2 letter code) [AU]:.
> 2712:error:0D11A09E:asn1 encoding routines:ASN1_mbstring_copy:illegal
> characters:.\crypto\asn1\a_mbstr.c:162:
>  
> Can anyone tell me what strings are >= 2 bytes &  also < 2 bytes and how
> I might get past this?
>  

I suspect that some additional characters are appearing when OpenSSL uses
fgets() to prompt for the string. Possibly it puts CRLF at the end instead
of just LF.

You could try adding:

if (buf[i-2] == '\r')
        i--;

before the line:

      buf[--i]='\0';

in apps/req.c around line 1567.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
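
The CRLF explanation suggested in the reply above, as an added example that is not part of the original thread and is not OpenSSL's apps/req.c: a small model of one prompt showing how a leftover '\r' makes Enter alone "too short" and "GB" "too long" against a 2..2 limit. The names strip_eol and check_field, the result codes, and the rule that an empty line selects the default are assumptions of this model.

```c
#include <stdio.h>
#include <string.h>

enum { FIELD_OK = 0, FIELD_TOO_SHORT = -1, FIELD_TOO_LONG = -2 };

/* Remove the line ending from a line as fgets() returned it.
 * crlf_aware == 0: drop only the final '\n' (the behaviour suspected above).
 * crlf_aware != 0: also drop a '\r' immediately before it.
 * Returns the new length, or -1 if the line does not end in '\n'. */
static int strip_eol(char *buf, int crlf_aware)
{
    size_t i = strlen(buf);

    if (i == 0 || buf[i - 1] != '\n')
        return -1;
    i--;
    if (crlf_aware && i > 0 && buf[i - 1] == '\r')
        i--;
    buf[i] = '\0';
    return (int)i;
}

/* Model of one prompt: min/max are the field limits (2 and 2 for Country Name).
 * Assumption of this model: an empty line means "take the default". */
int check_field(const char *line, int min, int max, int crlf_aware)
{
    char buf[64];
    int n;

    if (strlen(line) >= sizeof(buf))
        return FIELD_TOO_LONG;
    strcpy(buf, line);
    n = strip_eol(buf, crlf_aware);
    if (n == 0)
        return FIELD_OK;              /* empty input: default value is used */
    if (n < min)
        return FIELD_TOO_SHORT;       /* also covers n == -1 (no newline) */
    return n > max ? FIELD_TOO_LONG : FIELD_OK;
}

int main(void)
{
    /* Constructed inputs: Enter alone, "GB" with CRLF, "GB" with LF. */
    const char *in[] = { "\r\n", "GB\r\n", "GB\n" };

    for (size_t k = 0; k < sizeof(in) / sizeof(in[0]); k++)
        printf("input %zu: LF-only=%d CRLF-aware=%d\n", k,
               check_field(in[k], 2, 2, 0), check_field(in[k], 2, 2, 1));
    return 0;
}
```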

Re: String lengths with openssl req

prakash babu
Hi,
I have a relevant question in this regard.
I have set the value of  commonName_max  = 5 in openssl.cnf
 
Generate self signed certificate using -subj option
# openssl req -x509 -out cacert.pem -new -keyout cakey.pem -subj /C=INN/ST=TamilNadu/L=CBE/O=test/CN=xxxxxxxxxx -nodes
Successful
 
Here the commonName_max limit is not referred from the openssl.cnf file
 
Generate self signed certificate by asking the user for information
# openssl  req -x509 -out cacert.pem -new -keyout cakey.pem  -nodes
Common Name (eg, YOUR name) []:xxxxxxxxxx
string is too long, it needs to be less than  5 bytes long
Fails
 
Here the commonName_max limit is referred from the openssl.cnf file and an error occurs
 
This seems to be an inconsistent behaviour.
 
I have suggested a probable solution at

Regards,
Prakash

"Dr. Stephen Henson" <[hidden email]> wrote:
On Wed, Nov 09, 2005, Ken Campbell wrote:

> I'm trying to get started with SSL. I've installed Win32OpenSSL-v0.9.8a
> on a Windows 2003 Server box with Apache 2.0.55 running. I've got as
> far as:
>
> openssl req -new -key myserver.key -out myserver.csr (where
> myserver.key exists)
>
> As soon as I get to the following prompt things get a little bizarre:
>
> Country Name (2 letter code) [AU]:
> String is too short, it needs to be at least 2 bytes long
> Country Name (2 letter code) [AU]:GB
> String is too long, it needs to be less than 2 bytes long
> Country Name (2 letter code) [AU]:.
> 2712:error:0D11A09E:asn1 encoding routines:ASN1_mbstring_copy:illegal
> characters:.\crypto\asn1\a_mbstr.c:162:
>
> Can anyone tell me what strings are >= 2 bytes & also < 2 bytes and how
> I might get past this?
>

I suspect that some additional characters are appearing when OpenSSL uses
fgets() to prompt for the string. Possibly it puts CRLF at the end instead
of just LF.

You could try adding:

if (buf[i-2] == '\r')
i--;

before the line:

buf[--i]='\0';

in apps/req.c around line 1567.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk