ASN.1 Encoding errors

on 08.10.2003 12:56:54 by Jeffrey Burgoyne

Hi;

I just upgraded an Apache server 1.3.26 with OpenSSL 0.9.7c and mod_ssl
2.8.9 from OpenSSL 0.9.6d.

I now get the following errors:

Server www.eac-trousse.ic.gc.ca:443 (RSA)
Enter pass phrase:

Server biotech.gc.ca:443 (RSA)
213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
Enter pass phrase:

Server strategis.gc.ca:443 (RSA)
213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
Enter pass phrase:

Server production.paymentnotification.ic.gc.ca:443 (RSA)
Enter pass phrase:

Server ip-pi.gc.ca:443 (RSA)
Enter pass phrase:

Server cbac-cccb.ca:443 (RSA)
Enter pass phrase:

Server corporations.ic.gc.ca:443 (RSA)
Enter pass phrase:

Server corporationscanada.ic.gc.ca:443 (RSA)
213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
Enter pass phrase:

Ok: Pass Phrase Dialog successful.
/usr/local/apache/bin/apachectl startssl: httpd started
strategis>



The virtual hosts with the error still seem to work fine.

Ideas?

Jeffrey Burgoyne
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
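
Added example (not part of the original post): a small parser for startup output of the shape shown above. It rejoins the mail-wrapped error lines, groups each error stack under the Server banner it followed, and splits the 8-digit code into library, function and reason numbers. The sample input is constructed with placeholder host names, and the code split assumes the packing used by OpenSSL releases before 3.0.

```python
import re

# Constructed sample in the shape of the thread's output; host names are placeholders.
SAMPLE = """\
Server a.example:443 (RSA)
Enter pass phrase:
Server b.example:443 (RSA)
213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad
tag:a_set.c:179:
213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong
tag:tasn_dec.c:946:
213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1
error:tasn_dec.c:304:Type=RSA
213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1
lib:d2i_pr.c:96:
Enter pass phrase:
"""

ERR_START = re.compile(r"^\d+:error:[0-9A-Fa-f]{8}:")
ERR_FULL = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$")

def unwrap(text):
    """Rejoin error records that a mail client wrapped onto a second line."""
    out = []
    for line in text.splitlines():
        # An error record that is started but not yet complete absorbs the next line.
        if out and ERR_START.match(out[-1]) and not ERR_FULL.match(out[-1]):
            out[-1] += " " + line.strip()
        else:
            out.append(line)
    return out

def decode(code_hex):
    """Split a packed pre-3.0 OpenSSL error code into (lib, func, reason) numbers."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def errors_by_vhost(text):
    """Map each 'Server host:port' banner to the error records printed under it."""
    result, current = {}, None
    for line in unwrap(text):
        if line.startswith("Server "):
            current = result.setdefault(line.split()[1], [])
        m = ERR_FULL.match(line)
        if m and current is not None:
            current.append({**m.groupdict(), "numbers": decode(m["code"])})
    return result
```

Each record keeps the function name from the line, so a stack that ends in d2i_PrivateKey can be told apart from unrelated ASN.1 failures when comparing virtual hosts across restarts.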

Re: ASN.1 Encoding errors

on 08.10.2003 13:03:33 by Jeffrey Burgoyne

Hmm, just noticed something a bit more suspicious. The error does not come
up every time for the same certs. It sometimes does not seem to come up at
all.

Jeff

On Wed, 8 Oct 2003, Jeffrey Burgoyne wrote:

> Hi;
>
> I just upgraded an Apache server 1.3.26 with OpenSSL 0.9.7c and mod_ssl
> 2.8.9 from OpenSSL 0.9.6d.
>
> I now get the following errors:
>
> Server www.eac-trousse.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server biotech.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
> 213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
> 213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
> 213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> Enter pass phrase:
>
> Server strategis.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
> 213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
> 213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
> 213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> Enter pass phrase:
>
> Server production.paymentnotification.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server ip-pi.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server cbac-cccb.ca:443 (RSA)
> Enter pass phrase:
>
> Server corporations.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server corporationscanada.ic.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
> 213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
> 213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
> 213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> Enter pass phrase:
>
> Ok: Pass Phrase Dialog successful.
> /usr/local/apache/bin/apachectl startssl: httpd started
> strategis>
>
>
>
> The virtual hosts with the error still seem to work fine.
>
> Ideas?
>
> Jeffrey Burgoyne

RE: ASN.1 Encoding errors

on 08.10.2003 13:14:00 by Dave Paris

Wonder if this has anything to do with the recent "repairs" to the ASN.1
subsystem in OpenSSL. http://www.openssl.org/news/secadv_20030930.txt

-dsp

-----Original Message-----
From: owner-modssl-users@modssl.org
[mailto:owner-modssl-users@modssl.org]On Behalf Of Jeffrey Burgoyne
Sent: Wednesday, October 08, 2003 7:04 AM
To: modssl-users@modssl.org
Subject: Re: ASN.1 Encoding errors



Hmm, just noticed something a bit more suspicious. The error does not come
up every time for the same certs. It sometimes does not seem to come up at
all.

Jeff

On Wed, 8 Oct 2003, Jeffrey Burgoyne wrote:

> Hi;
>
> I just upgraded an Apache server 1.3.26 with OpenSSL 0.9.7c and mod_ssl
> 2.8.9 from OpenSSL 0.9.6d.
>
> I now get the following errors:
>
> Server www.eac-trousse.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server biotech.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
> 213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
> 213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
> 213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> Enter pass phrase:
>
> Server strategis.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
> 213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
> 213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
> 213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> Enter pass phrase:
>
> Server production.paymentnotification.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server ip-pi.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server cbac-cccb.ca:443 (RSA)
> Enter pass phrase:
>
> Server corporations.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server corporationscanada.ic.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
> 213659:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:946:
> 213659:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=RSA
> 213659:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:96:
> Enter pass phrase:
>
> Ok: Pass Phrase Dialog successful.
> /usr/local/apache/bin/apachectl startssl: httpd started
> strategis>
>
>
>
> The virtual hosts with the error still seem to work fine.
>
> Ideas?
>
> Jeffrey Burgoyne

Re: ASN.1 Encoding errors

on 08.10.2003 13:48:42 by Joe Orton

On Wed, Oct 08, 2003 at 06:56:54AM -0400, Jeffrey Burgoyne wrote:
> Hi;
>
> I just upgraded an Apache server 1.3.26 with OpenSSL 0.9.7c and mod_ssl
> 2.8.9 from OpenSSL 0.9.6d.
>
> I now get the following errors:
>
> Server www.eac-trousse.ic.gc.ca:443 (RSA)
> Enter pass phrase:
>
> Server biotech.gc.ca:443 (RSA)
> 213659:error:0D094068:asn1 encoding routines:d2i_ASN1_SET:bad tag:a_set.c:179:
....

Yes, we've noticed this too. A reproduction case is with three keys all
with different passphrases: if you enter the correct pass phrase at each
prompt, you get the error after the third prompt.

Here is a workaround for mod_ssl 2.8.x:

--- ssl_engine_pphrase.c~ 2002-02-23 18:45:45.000000000 +0000
+++ ssl_engine_pphrase.c 2003-10-08 12:45:35.000000000 +0100
@@ -237,6 +237,9 @@
ssl_die();
}
cpPassPhraseCur = NULL;
+
+ ERR_clear_error();
+
bReadable = ((pPrivateKey = SSL_read_PrivateKey(fp, NULL,
ssl_pphrase_Handle_CB)) != NULL ? TRUE : FALSE);
ap_pfclose(p, fp);
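
Review bot: the ERR_clear_error() added just before the SSL_read_PrivateKey() call needs a comment saying what it is clearing and why, since nothing in the surrounding lines explains it. It also drops every queued error unconditionally, so any entry left by an earlier call that was never logged disappears with it; consider logging the queue contents at a debug level before clearing, so the source of the stale ASN.1 entries can still be tracked down rather than only hidden.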

