Date:      Mon, 22 May 2000 19:05:46 +0200
From:      Milon Papezik <milon.papezik@oskarmobil.cz>
To:        freebsd-ports@freebsd.org, freebsd-hackers@oskarmobil.cz
Cc:        Kris Kennaway <kris@freebsd.org>
Subject:   Re: ASN.1 parsing in OpenSSL (Apache+mod_ssl problem)
Message-ID:  <392968EA.3BEAF301@oskarmobil.cz>
References:  <Pine.BSF.4.21.0005180336110.21857-100000@freefall.freebsd.org> <39245A7B.B7D75622@oskarmobil.cz>

Kris did not respond yet,
so I will try the lists again.

Please could someone give me a clue?

	Thanks in advance,
	Milon
--
milon.papezik@oskarmobil.cz


Milon Papezik wrote:
> 
> Kris Kennaway wrote:
> >
> > On Thu, 18 May 2000, Milon Papezik wrote:
> >
> > > When I try to connect with Netscape 4.x or Exploder 5 to Apache over
> > > SSL I get the following errors in apache_ssl_engine.log:
> >
> > I need to compare the contents of a working and non-working certificate -
> > my suspicion is that there's something off about the ASN.1 encoding of the
> > certificate that causes netscape to barf (IE will apparently still read it
> > fine, or it can at least for some people's certs).
> >
> > Install the converters/dumpasn1 port, and run the following on your
> > certificate.pem file:
> >
> > openssl asn1parse -in cert.pem -out cert.der
> > dumpasn1 cert.der > cert.out
> >
> > and mail me cert.out. Do this for both certificates if you have a working
> > and non-working one.
> 
> Hi Kris,
> 
> thanks for the fast response.
> Please let me clarify my situation first:
> 
> I don't have a working and a non-working certificate.
> 
> I have two certificates (testing and production),
> both working with Apache built on FreeBSD 3.4R
> from 3.4R "ports" skeleton issued by Verisign.
> Also I have the SnakeOil testing certificate built
> with 'make certificate' working on this 3.4 machine.
> 
> The problem is that none of these certificates work
> with Apache built on FreeBSD 4.0R from 4.0R ports.
> 
> Both Apache binaries were built/linked by simply typing
> make in ports directory. Both use OpenSSL library v 0.9.4
> (on 3.4 machine installed from ports,
>  on 4.0 machine included in non-us crypto libraries).
> 
> Because it is a corporate website, I will send you
> requested output from the SnakeOil certificate,
> as I believe that the Verisign certificate is OK
> and symptoms are exactly the same.
> 
> I can ask for approval of sending you output of our
> production certificate later as it has to be sent
> at initial SSL handshake anyway.
> 
> I enclose 2 outputs:
> $ openssl asn1parse -in server.crt -out server.der ; dumpasn1 server.der >server.out.1
> $ openssl x509 -noout -text -in server.crt >server.out.2
> 
>         Thanks in advance,
>         Milon
> --
> milon.papezik@oskarmobil.cz
> 
>   ------------------------------------------------------------------------
>    0 30  803: SEQUENCE {
>    4 30  652:   SEQUENCE {
>    8 A0    3:     [0] {
>   10 02    1:       INTEGER 2
>             :       }
>   13 02    1:     INTEGER 4
>   16 30   13:     SEQUENCE {
>   18 06    9:       OBJECT IDENTIFIER
>             :         md5withRSAEncryption (1 2 840 113549 1 1 4)
>   29 05    0:       NULL
>             :       }
>   31 30  169:     SEQUENCE {
>   34 31   11:       SET {
>   36 30    9:         SEQUENCE {
>   38 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
>   43 13    2:           PrintableString 'XY'
>             :           }
>             :         }
>   47 31   21:       SET {
>   49 30   19:         SEQUENCE {
>   51 06    3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
>   56 13   12:           PrintableString 'Snake Desert'
>             :           }
>             :         }
>   70 31   19:       SET {
>   72 30   17:         SEQUENCE {
>   74 06    3:           OBJECT IDENTIFIER localityName (2 5 4 7)
>   79 13   10:           PrintableString 'Snake Town'
>             :           }
>             :         }
>   91 31   23:       SET {
>   93 30   21:         SEQUENCE {
>   95 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
>  100 13   14:           PrintableString 'Snake Oil, Ltd'
>             :           }
>             :         }
>  116 31   30:       SET {
>  118 30   28:         SEQUENCE {
>  120 06    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
>  125 13   21:           PrintableString 'Certificate Authority'
>             :           }
>             :         }
>  148 31   21:       SET {
>  150 30   19:         SEQUENCE {
>  152 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
>  157 13   12:           PrintableString 'Snake Oil CA'
>             :           }
>             :         }
>  171 31   30:       SET {
>  173 30   28:         SEQUENCE {
>  175 06    9:           OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
>  186 16   15:           IA5String 'ca@snakeoil.dom'
>             :           }
>             :         }
>             :       }
>  203 30   30:     SEQUENCE {
>  205 17   13:       UTCTime '000518085517Z'
>  220 17   13:       UTCTime '010518085517Z'
>             :       }
>  235 30  143:     SEQUENCE {
>  238 31   11:       SET {
>  240 30    9:         SEQUENCE {
>  242 06    3:           OBJECT IDENTIFIER countryName (2 5 4 6)
>  247 13    2:           PrintableString 'CZ'
>             :           }
>             :         }
>  251 31   10:       SET {
>  253 30    8:         SEQUENCE {
>  255 06    3:           OBJECT IDENTIFIER stateOrProvinceName (2 5 4 8)
>  260 13    1:           PrintableString ' '
>             :           }
>             :         }
>  263 31   14:       SET {
>  265 30   12:         SEQUENCE {
>  267 06    3:           OBJECT IDENTIFIER localityName (2 5 4 7)
>  272 13    5:           PrintableString 'Praha'
>             :           }
>             :         }
>  279 31   16:       SET {
>  281 30   14:         SEQUENCE {
>  283 06    3:           OBJECT IDENTIFIER organizationName (2 5 4 10)
>  288 13    7:           PrintableString 'CM a.s.'
>             :           }
>             :         }
>  297 31   14:       SET {
>  299 30   12:         SEQUENCE {
>  301 06    3:           OBJECT IDENTIFIER organizationalUnitName (2 5 4 11)
>  306 13    5:           PrintableString 'IS/IT'
>             :           }
>             :         }
>  313 31   26:       SET {
>  315 30   24:         SEQUENCE {
>  317 06    3:           OBJECT IDENTIFIER commonName (2 5 4 3)
>  322 13   17:           PrintableString 'www.oskarmobil.cz'
>             :           }
>             :         }
>  341 31   38:       SET {
>  343 30   36:         SEQUENCE {
>  345 06    9:           OBJECT IDENTIFIER emailAddress (1 2 840 113549 1 9 1)
>  356 16   23:           IA5String 'webmaster@oskarmobil.cz'
>             :           }
>             :         }
>             :       }
>  381 30  159:     SEQUENCE {
>  384 30   13:       SEQUENCE {
>  386 06    9:         OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
>  397 05    0:         NULL
>             :         }
>  399 03  141:       BIT STRING 0 unused bits
>             :         30 81 89 02 81 81 00 B9 11 1E 6A 6D AF 7C EB C5
>             :         9F EE D8 90 DD 17 2E 62 77 C2 7B F7 1D CD F8 9A
>             :         D7 2F B2 DA D5 85 F4 BE 2D 5C 56 9E F1 79 66 17
>             :         36 00 8F 34 E2 00 67 E1 8E B5 25 18 10 93 B5 94
>             :         63 7C 7D 79 F7 A8 BF 32 D7 18 11 7F 1E 43 34 B2
>             :         98 04 91 20 82 2B 99 7D CC 98 8E 80 C3 11 79 B6
>             :         B7 4A D7 98 1B 18 21 51 FE 4F BA A8 65 62 C0 04
>             :         73 DE DF E9 14 AD C6 78 F2 E0 8A 55 E7 42 C7 9E
>             :                 [ Another 12 bytes skipped ]
>             :       }
>  543 A3  115:     [3] {
>  545 30  113:       SEQUENCE {
>  547 30   34:         SEQUENCE {
>  549 06    3:           OBJECT IDENTIFIER subjectAltName (2 5 29 17)
>  554 04   27:           OCTET STRING
>             :             30 19 81 17 77 65 62 6D 61 73 74 65 72 40 6F 73
>             :             6B 61 72 6D 6F 62 69 6C 2E 63 7A
>             :           }
>  583 30   56:         SEQUENCE {
>  585 06    9:           OBJECT IDENTIFIER
>             :             netscape-comment (2 16 840 1 113730 1 13)
>  596 04   43:           OCTET STRING
>             :             16 29 6D 6F 64 5F 73 73 6C 20 67 65 6E 65 72 61
>             :             74 65 64 20 74 65 73 74 20 73 65 72 76 65 72 20
>             :             63 65 72 74 69 66 69 63 61 74 65
>             :           }
>  641 30   17:         SEQUENCE {
>  643 06    9:           OBJECT IDENTIFIER
>             :             netscape-cert-type (2 16 840 1 113730 1 1)
>  654 04    4:           OCTET STRING
>             :             03 02 06 40
>             :           }
>             :         }
>             :       }
>             :     }
>  660 30   13:   SEQUENCE {
>  662 06    9:     OBJECT IDENTIFIER md5withRSAEncryption (1 2 840 113549 1 1 4)
>  673 05    0:     NULL
>             :     }
>  675 03  129:   BIT STRING 0 unused bits
>             :     55 3E 31 60 CF EA E1 E5 21 4C D1 E7 39 F2 39 BC
>             :     C4 2A 55 E9 9D CB D9 1D 3C 52 7A 1B 83 4F 3A 44
>             :     8D 54 30 EF 34 10 E2 0D 9B 3C 46 50 DA EA 8D 69
>             :     06 39 91 10 B1 2E 40 C0 45 54 D9 B8 19 2A D7 99
>             :     4F 8A 34 2D 7C 69 C4 49 32 C5 1D 7F DC EA 56 F2
>             :     93 10 3D C0 6E CB 49 2E 2C 26 F3 2A B8 05 8C 7C
>             :     51 ED 91 91 A3 D7 72 3F A0 5F EA 20 57 87 1F 42
>             :     C0 D1 DC B8 29 1C 73 4A 41 69 2E 6F 68 E8 A5 4C
>             :   }
> 
> 0 warnings, 0 errors.
> 
>   ------------------------------------------------------------------------
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 4 (0x4)
>         Signature Algorithm: md5WithRSAEncryption
>         Issuer: C=XY, ST=Snake Desert, L=Snake Town, O=Snake Oil, Ltd, OU=Certificate Authority, CN=Snake Oil CA/Email=ca@snakeoil.dom
>         Validity
>             Not Before: May 18 08:55:17 2000 GMT
>             Not After : May 18 08:55:17 2001 GMT
>         Subject: C=CZ, ST= , L=Praha, O=CM a.s., OU=IS/IT, CN=www.oskarmobil.cz/Email=webmaster@oskarmobil.cz
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>             RSA Public Key: (1024 bit)
>                 Modulus (1024 bit):
>                     00:b9:11:1e:6a:6d:af:7c:eb:c5:9f:ee:d8:90:dd:
>                     17:2e:62:77:c2:7b:f7:1d:cd:f8:9a:d7:2f:b2:da:
>                     d5:85:f4:be:2d:5c:56:9e:f1:79:66:17:36:00:8f:
>                     34:e2:00:67:e1:8e:b5:25:18:10:93:b5:94:63:7c:
>                     7d:79:f7:a8:bf:32:d7:18:11:7f:1e:43:34:b2:98:
>                     04:91:20:82:2b:99:7d:cc:98:8e:80:c3:11:79:b6:
>                     b7:4a:d7:98:1b:18:21:51:fe:4f:ba:a8:65:62:c0:
>                     04:73:de:df:e9:14:ad:c6:78:f2:e0:8a:55:e7:42:
>                     c7:9e:a9:2f:a6:c4:85:da:f3
>                 Exponent: 65537 (0x10001)
>         X509v3 extensions:
>             X509v3 Subject Alternative Name:
>                 email:webmaster@oskarmobil.cz
>             Netscape Comment:
>                 mod_ssl generated test server certificate
>             Netscape Cert Type:
>                 SSL Server
>     Signature Algorithm: md5WithRSAEncryption
>         55:3e:31:60:cf:ea:e1:e5:21:4c:d1:e7:39:f2:39:bc:c4:2a:
>         55:e9:9d:cb:d9:1d:3c:52:7a:1b:83:4f:3a:44:8d:54:30:ef:
>         34:10:e2:0d:9b:3c:46:50:da:ea:8d:69:06:39:91:10:b1:2e:
>         40:c0:45:54:d9:b8:19:2a:d7:99:4f:8a:34:2d:7c:69:c4:49:
>         32:c5:1d:7f:dc:ea:56:f2:93:10:3d:c0:6e:cb:49:2e:2c:26:
>         f3:2a:b8:05:8c:7c:51:ed:91:91:a3:d7:72:3f:a0:5f:ea:20:
>         57:87:1f:42:c0:d1:dc:b8:29:1c:73:4a:41:69:2e:6f:68:e8:
>         a5:4c


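Added example, not part of the original message: the dumpasn1 output above leaves the three extension values as raw OCTET STRING bytes, while the `openssl x509 -text` output shows them decoded. The Python below decodes those same bytes (copied from the dump) with strict DER length checks, so the two outputs can be cross-checked; all function names are this example's own.

```python
def read_tlv(buf, pos=0):
    """Parse one DER TLV (single-byte tag) at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:                      # long form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length, not valid DER")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def unwrap(octets, want):
    """Return the value of the single TLV with tag `want` that fills octets."""
    tag, value, end = read_tlv(octets)
    if tag != want or end != len(octets):
        raise ValueError("expected one 0x%02X element" % want)
    return value

def decode_san(octets):
    """GeneralNames -> [(kind, text)]; only the IA5String choices are named."""
    kinds = {0x81: "email", 0x82: "DNS", 0x86: "URI"}
    body, pos, names = unwrap(octets, 0x30), 0, []
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        text = value.decode("ascii") if tag in kinds else value.hex()
        names.append((kinds.get(tag, "tag 0x%02X" % tag), text))
    return names

NS_BITS = ["SSL Client", "SSL Server", "S/MIME", "Object Signing",
           "Reserved", "SSL CA", "S/MIME CA", "Object Signing CA"]
def decode_cert_type(octets):
    """Netscape cert type: BIT STRING, bit 0 is the most significant bit."""
    value = unwrap(octets, 0x03)
    if len(value) != 2 or value[0] > 7 or value[1] & ((1 << value[0]) - 1):
        raise ValueError("malformed one-byte BIT STRING")
    return [name for i, name in enumerate(NS_BITS) if value[1] & (0x80 >> i)]

# Payloads copied from the OCTET STRING lines of the dump in this message.
SAN = bytes.fromhex("30 19 81 17 77 65 62 6D 61 73 74 65 72 40 6F 73 6B 61 72 6D 6F 62 69 6C 2E 63 7A")
COMMENT = bytes.fromhex("16 29 6D 6F 64 5F 73 73 6C 20 67 65 6E 65 72 61 74 65 64 20 74 65 73 74"
                        " 20 73 65 72 76 65 72 20 63 65 72 74 69 66 69 63 61 74 65")
CERT_TYPE = bytes.fromhex("03 02 06 40")
if __name__ == "__main__":
    print(decode_san(SAN), unwrap(COMMENT, 0x16).decode("ascii"), decode_cert_type(CERT_TYPE))
```

The decoded values match the "X509v3 extensions" section of the `openssl x509 -text` output quoted above.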