
library/2863: [BUG] OpenSSL-bug, sendbug failed (was Fwd: Returned mail: see transcript for details)

From: Thorsten Glaser <tygs(at)netcologne.de>
Date: Tue Aug 06 2002 - 14:20:21 EDT


>Number: 2863
>Category: library
>Synopsis: New OpenSSL does not work (asn.1)
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: net
>Environment:

	System      : OpenBSD 3.1
	Architecture: OpenBSD.i386
	Machine     : i386
	Snapshot    : self-compiled

>Description:

These are two bugs, the "main" bug is below sending this bug with sendbug: (skip to --- END SENDBUG FAILURE)

--- SENDBUG FAILURE FOLLOWS
---------- Forwarded message ----------
From: Mail Delivery Subsystem <MAILER-DAEMON>
Message-ID: <200208061815.g76IFX3G004239@arx.rog.majki.net>
To: tg@arx.rog.majki.net
Date: Tue, 6 Aug 2002 18:15:11 GMT
Subject: Returned mail: see transcript for details

The original message was received at Tue, 6 Aug 2002 18:14:20 GMT
from tg@localhost [IPv6:::1]

   ----- The following addresses had permanent fatal errors -----
<markus@cvs.openbsd.org>
    (reason: 553 5.1.8 <tg@arx.rog.majki.net>... Domain of sender address tg@arx.rog.majki.net does not exist)
<gnats@openbsd.org>
    (reason: 553 5.1.8 <tg@arx.rog.majki.net>... Domain of sender address tg@arx.rog.majki.net does not exist)

   ----- Transcript of session follows -----
... while talking to cvs.openbsd.org.:

>How-To-Repeat:

$ openssl ca -name CA1 -in reqs/06.req
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for /etc/ssl/auth/01.key:
Error Loading extension section u1_ext
15614:error:0D07209B:asn1 encoding routines:ASN1_get_object:too long:/usr/src/lib/libssl/obj/crypto/../src/crypto/asn1/asn1_lib.c:129:
15614:error:0D093066:asn1 encoding routines:d2i_ASN1_OBJECT:bad object header:/usr/src/lib/libssl/obj/crypto/../src/crypto/asn1/a_object.c:217:
15614:error:2206706E:X509 V3 routines:V2I_EXT_KU:invalid object identifier:/usr/src/lib/libssl/obj/crypto/../src/crypto/x509v3/v3_extku.c:135:section:,name:1.3.6.1.5.5.8.2.2,value:
15614:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:/usr/src/lib/libssl/obj/crypto/../src/crypto/x509v3/v3_conf.c:92:name=extendedKeyUsage, value=serverAuth,clientAuth,emailProtection,timeStamping,ipsecEndSystem,ipsecTunnel,ipsecUser,1.3.6.1.5.5.8.2.2,msSGC,nsSGC,1.3.6.1.4.1.311.10.3.4.1,1.3.6.1.4.1.311.10.3.5,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.311.10.3.7,1.3.6.1.4.1.311.10.3.8

Here is the openssl.cnf:
--- bite here
RANDFILE = /dev/arandom

[CA0]

cert_opt		= ca_default
certificate		= /etc/ssl/auth/certs/00.cer
certs			= /etc/ssl/auth/export
copy_extensions		= copy
crl			= /etc/ssl/auth/export/ca.crl
crl_dir			= /etc/ssl/auth/export
database		= /etc/ssl/auth/Tindex
default_crl_days	= 120
default_days		= 1826
default_md		= sha1
dir			= /etc/ssl/auth
email_in_dn		= no
name_opt		= ca_default
new_certs_dir		= /etc/ssl/auth/certs
policy			= ca_policy_match
private_key		= /etc/ssl/auth/00.key
serial			= /etc/ssl/auth/Tserial
x509_extensions		= u0_ext

[CA1]
cert_opt		= ca_default
certificate		= /etc/ssl/auth/certs/01.cer
certs			= /etc/ssl/auth/export
copy_extensions		= copy
crl			= /etc/ssl/auth/export/ca.crl
crl_dir			= /etc/ssl/auth/export
database		= /etc/ssl/auth/Tindex
default_crl_days	= 120
default_days		= 1095
default_md		= sha1
dir			= /etc/ssl/auth
email_in_dn		= no
name_opt		= ca_default
new_certs_dir		= /etc/ssl/auth/certs
policy			= ca_policy_match
private_key		= /etc/ssl/auth/01.key
serial			= /etc/ssl/auth/Tserial
x509_extensions		= u1_ext

[CA2]
cert_opt		= ca_default
certificate		= /etc/ssl/auth/certs/02.cer
certs			= /etc/ssl/auth/export
copy_extensions		= copy
crl			= /etc/ssl/auth/export/ca.crl
crl_dir			= /etc/ssl/auth/export
database		= /etc/ssl/auth/Tindex
default_crl_days	= 120
default_days		= 1095
default_md		= sha1
dir			= /etc/ssl/auth
email_in_dn		= yes
name_opt		= ca_default
new_certs_dir		= /etc/ssl/auth/certs
policy			= ca_policy_match
private_key		= /etc/ssl/auth/02.key
serial			= /etc/ssl/auth/Tserial
x509_extensions		= u2_ext

[CA3]
cert_opt		= ca_default
certificate		= /etc/ssl/auth/certs/03.cer
certs			= /etc/ssl/auth/export
copy_extensions		= copy
crl			= /etc/ssl/auth/export/FFA.crl
crl_dir			= /etc/ssl/auth/export
database		= /etc/ssl/auth/Findex
default_days		= 999
default_md		= ripemd160
dir			= /etc/ssl/auth
email_in_dn		= yes
name_opt		= ca_default
new_certs_dir		= /etc/ssl/auth/certs
policy			= ca_policy_loose
private_key		= /etc/ssl/auth/03.key
serial			= /etc/ssl/auth/Fserial
x509_extensions		= u3_ext

[CA-cross]
cert_opt		= ca_default
certificate		= /etc/ssl/auth/certs/00.cer
certs			= /etc/ssl/auth/export
copy_extensions		= copy
crl			= /etc/ssl/auth/export/ca.crl
crl_dir			= /etc/ssl/auth/export
database		= /etc/ssl/auth/Tindex
default_crl_days	= 120
default_days		= 1826
default_md		= ripemd160
dir			= /etc/ssl/auth
email_in_dn		= yes
name_opt		= ca_default
new_certs_dir		= /etc/ssl/auth/certs
policy			= ca_policy_loose
preserve		= yes
private_key		= /etc/ssl/auth/00.key
serial			= /etc/ssl/auth/Tserial

[ca_policy_match]
countryName		= supplied
stateOrProvinceName	= optional
localityName		= supplied
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= supplied

[ca_policy_loose]
countryName		= optional
stateOrProvinceName	= optional
localityName		= supplied
organizationName	= optional
organizationalUnitName	= optional
commonName		= supplied
emailAddress		= optional

[req]
default_bits		= 2048
distinguished_name	= req_distinguished_name
attributes		= req_attributes
string_mask		= MASK:0xFFFFF7E3

[req_distinguished_name]
countryName		= Country Name (2 letter code, or 99 for international)
countryName_min		= 2
countryName_max		= 2
countryName_default	= DE
stateOrProvinceName	= State or Province Name (full name)
localityName		= Locality Name (eg, city)
0.organizationName	= Organization Name (eg, company)
1.organizationName	= Second Organization Name (eg, company)
0.organizationalUnitName	= OrgUnit Top-Level Name (eg, cluster, Ind/HostNam)
1.organizationalUnitName	= OrgUnit Sub-Level Name (eg, section, service)
commonName		= Common Name (eg, FQHN, full name)
commonName_max		= 64
emailAddress		= Email Address
emailAddress_max	= 64

[req_attributes]
subjectAltName		= Alternate Subject name (DNS: IP: email:)
challengePassword	= A challenge password (return for none)
challengePassword_min	= 4
challengePassword_max	= 20
unstructuredName	= An optional name (return for none)

[ca0pol]
policyIdentifier	= 2.16.840.1.113733.1.7.1.1
CPS.1			= "https://www.rog.majki.net/ca/ca0-plcy.htm"
userNotice		= @capoln

[ca3pol]
policyIdentifier	= 2.16.840.1.113733.1.7.1.1
CPS.1			= "https://www.rog.majki.net/ca/ca3-plcy.htm"
userNotice		= @capoln

[capoln]
explicitText		= "no liability! http://mitglied.lycos.de/tygs/ca/index.htm"
organization		= "tygs-pCA, Republica Occultae Germanorum"
noticeNumbers		= 1

[u3_ext]

authorityKeyIdentifier	= keyid
certificatePolicies	= ia5org,@ca3pol
extendedKeyUsage	= serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,msCTLSign,ipsecEndSystem,ipsecTunnel,ipsecUser,msEFS,1.3.6.1.4.1.311.10.3.4.1,1.3.6.1.4.1.311.10.3.5,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.311.10.3.7,1.3.6.1.4.1.311.10.3.8,1.3.6.1.5.5.8.2.2,msCodeInd,msCodeCom,msSGC,nsSGC
keyUsage		= digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyCertSign,cRLSign
nsCaPolicyUrl		= https://www.rog.majki.net/ca/ca3-plcy.htm
nsComment		= "FreeForAll-Cert - no liability, cert stamping only - no identity/CA assurance"
subjectKeyIdentifier	= hash

[u2_ext]
authorityKeyIdentifier	= keyid,issuer:always
basicConstraints	= critical,CA:false
crlDistributionPoints	= URI:https://www.rog.majki.net/ca/ca.crl,URI:http://mitglied.lycos.de/tygs/ca/ca.crl
extendedKeyUsage	= clientAuth,codeSigning,emailProtection,timeStamping,msCodeInd,msEFS,ipsecTunnel,ipsecUser,1.3.6.1.5.5.8.2.2,msSGC,nsSGC,1.3.6.1.4.1.311.10.3.4.1,1.3.6.1.4.1.311.10.3.5,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.311.10.3.7,1.3.6.1.4.1.311.10.3.8
issuerAltName		= URI:altname:/mirabile/
keyUsage		= digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
nsCertType		= client,email,objsign
nsComment		= "With credits to http://www.OpenBSD.org/"
subjectKeyIdentifier	= hash

[u1_ext]
authorityKeyIdentifier	= keyid,issuer:always
basicConstraints	= critical,CA:false
crlDistributionPoints	= URI:https://www.rog.majki.net/ca/ca.crl,URI:http://mitglied.lycos.de/tygs/ca/ca.crl
extendedKeyUsage	= serverAuth,clientAuth,emailProtection,timeStamping,ipsecEndSystem,ipsecTunnel,ipsecUser,1.3.6.1.5.5.8.2.2,msSGC,nsSGC,1.3.6.1.4.1.311.10.3.4.1,1.3.6.1.4.1.311.10.3.5,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.311.10.3.7,1.3.6.1.4.1.311.10.3.8
issuerAltName		= URI:altname:/mirabile/
keyUsage		= digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
nsCertType		= client,server,email
nsComment		= "With credits to http://www.OpenBSD.org/"
subjectKeyIdentifier	= hash

[u0_ext]
authorityKeyIdentifier	= keyid:always,issuer:always
basicConstraints	= critical,CA:true,pathlen:0
certificatePolicies	= ia5org,@ca0pol
crlDistributionPoints	= URI:https://www.rog.majki.net/ca/ca.crl,URI:http://mitglied.lycos.de/tygs/ca/ca.crl
extendedKeyUsage	= serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,msCodeInd,msEFS,ipsecEndSystem,ipsecTunnel,ipsecUser,1.3.6.1.5.5.8.2.2,msSGC,nsSGC,1.3.6.1.4.1.311.10.3.4.1,1.3.6.1.4.1.311.10.3.5,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.311.10.3.7,1.3.6.1.4.1.311.10.3.8
keyUsage		= critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyCertSign
nsCaPolicyUrl		= https://www.rog.majki.net/ca/ca0-plcy.htm
nsCertType		= client,server,email,objsign,sslCA,emailCA,objCA
nsComment		= "With credits to Omi Gertrud and http://www.OpenBSD.org/"
subjectAltName		= URI:altname:/mirabile/
subjectKeyIdentifier	= hash

[rootca_ext]
basicConstraints	= critical,CA:true,pathlen:1
crlDistributionPoints	= URI:https://www.rog.majki.net/ca/ca.crl,URI:http://mitglied.lycos.de/tygs/ca/ca.crl
extendedKeyUsage	= serverAuth,clientAuth,codeSigning,emailProtection,timeStamping,msCTLSign,ipsecEndSystem,ipsecTunnel,ipsecUser,msEFS,1.3.6.1.4.1.311.10.3.4.1,1.3.6.1.4.1.311.10.3.5,1.3.6.1.4.1.311.10.3.6,1.3.6.1.4.1.311.10.3.7,1.3.6.1.4.1.311.10.3.8,1.3.6.1.5.5.8.2.2,msCodeInd,msCodeCom,msSGC,nsSGC
keyUsage		= critical,digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyCertSign,cRLSign
nsCaPolicyUrl		= http://mitglied.lycos.de/tygs/ca/ca0-plcy.htm
nsCertType		= sslCA,emailCA,objCA
nsComment		= "Nicht machbar ohne Omi Gertrud oder http://www.OpenBSD.org/ - vielen Dank!"
subjectAltName		= email:camgr(at)rog.majki.net,URI:altname:/mirabile/,URI:otherName://tygScaowlOmi,email:nc-glaserth(at)netcologne.de
subjectKeyIdentifier	= hash

--- bite here

>Fix:

Using the old OpenSSL executable and libcrypto.so from the 3.1 release. THIS IS ONLY A WORKAROUND! KIDS, DON'T TRY THIS AT HOME!

[demime 0.98d removed an attachment of type application/x-pkcs7-signature which had a name of smime.p7s]

>Release-Note:
 >>> MAIL From:<tg@arx.rog.majki.net> SIZE=10410
 <<< 553 5.1.8 <tg@arx.rog.majki.net>... Domain of sender address tg@arx.rog.majki.net does not exist
 501 5.6.0 Data format error
 ... while talking to mr200.netcologne.de.:
 >>> MAIL From: SIZE=10410
 <<< 451 ... Sender domain must resolve
 ... while talking to mailproxy2.netcologne.de.:
 >>> DATA
 <<< 450 : Sender address rejected: Domain not found
 ... Deferred: 450 : Sender address rejected: Domain not found
 <<< 554 Error: no valid recipients
 ... while talking to mailproxy1.netcologne.de.:
 >>> DATA
 <<< 450 : Sender address rejected: Domain not found
 ... Deferred: 450 : Sender address rejected: Domain not found
 <<< 554 Error: no valid recipients
 ... while talking to openbsd.cs.colorado.edu.:
 >>> MAIL From:<tg@arx.rog.majki.net> SIZE=10410
 <<< 553 5.1.8 <tg@arx.rog.majki.net>... Domain of sender address tg@arx.rog.majki.net does not exist
 501 5.6.0 Data format error

 ...  

 Reporting-MTA: dns; arx.rog.majki.net
 Received-From-MTA: DNS; localhost
 Arrival-Date: Tue, 6 Aug 2002 18:14:20 GMT

 Final-Recipient: RFC822; markus@cvs.openbsd.org
 Action: failed
 Status: 5.1.8
 Diagnostic-Code: SMTP; 553 5.1.8 <tg@arx.rog.majki.net>... Domain of sender address tg@arx.rog.majki.net does not exist
 Last-Attempt-Date: Tue, 6 Aug 2002 18:14:29 GMT

 Final-Recipient: RFC822; gnats@openbsd.org
 Action: failed
 Status: 5.1.8
 Diagnostic-Code: SMTP; 553 5.1.8 <tg@arx.rog.majki.net>... Domain of sender address tg@arx.rog.majki.net does not exist
 Last-Attempt-Date: Tue, 6 Aug 2002 18:15:11 GMT

 ...  


 Return-Path: <tg@arx.rog.majki.net>
 Received: from arx.rog.majki.net (tg@localhost [IPv6:::1])

 	by arx.rog.majki.net (8.12.5/8.12.5) with ESMTP id g76IEc3H007963
 	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO);
 	Tue, 6 Aug 2002 18:14:20 GMT
 Received: (from tg@localhost)
 	by arx.rog.majki.net (8.12.5/8.12.5/Submit) id g76IEZGt006368;
 	Tue, 6 Aug 2002 18:14:14 GMT

 Date: Tue, 6 Aug 2002 18:14:14 GMT
 Message-Id: <200208061814.g76IEZGt006368@arx.rog.majki.net>
 To: gnats@openbsd.org
 Subject:
 From: tygs@netcologne.de
 Cc: markus@cvs.openbsd.org, tygs@netcologne.de
 Reply-To: tygs@netcologne.de
 X-sendbug-version: 3.97
--- END SENDBUG FAILURE
The new openssl asn.1 parser fails when reading my openssl configuration file while trying to use the "ca" command of the openssl executable.

Received on Thu Nov 7 15:38:40 2002
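What the failing V2I_EXT_KU path is deciding is whether each numeric entry in an extendedKeyUsage value is a well-formed dotted OID that DER-encodes as tag 0x06. The script below is an added illustration, not part of the report and not OpenSSL's code: it takes a constructed subset of the u1_ext value from the configuration above (EKU_VALUE, the function names and the error strings are assumptions made here), DER-encodes each numeric OID per X.690, decodes it back, and raises the same "too long" and "bad object header" conditions that the report's error output names, so a config line can be checked independently of the library that rejects it.

```python
import re

# Constructed sample: a subset of the u1_ext extendedKeyUsage value from the report above.
EKU_VALUE = ("serverAuth,clientAuth,1.3.6.1.5.5.8.2.2,msSGC,"
             "1.3.6.1.4.1.311.10.3.4.1,1.3.6.1.4.1.311.10.3.8")

def encode_oid(dotted):
    """DER-encode a dotted OID (X.690 8.19): tag 0x06, short-form length, base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid object identifier: " + dotted)
    body = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:  # first two arcs share one subidentifier
        chunk = [value & 0x7F]
        value >>= 7
        while value:                                    # higher 7-bit groups carry the 0x80 bit
            chunk.append(0x80 | (value & 0x7F))
            value >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)       # EKU OIDs stay far below 128 bytes

def decode_oid(der):
    """Inverse of encode_oid; raises with the two messages seen in the report's error output."""
    if len(der) < 2 or der[0] != 0x06:
        raise ValueError("bad object header")           # not an OBJECT IDENTIFIER tag
    if der[1] > len(der) - 2:
        raise ValueError("too long")                    # declared length exceeds the bytes present
    arcs, value = [], 0
    for b in der[2:2 + der[1]]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                                # last byte of this subidentifier
            if not arcs:
                first = min(value // 40, 2)
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def check_eku(value):
    """Map each comma-separated entry to its DER hex (numeric OIDs) or None (short names)."""
    result = {}
    for entry in value.split(","):
        result[entry] = None                            # short names come from OpenSSL's object table
        if re.fullmatch(r"\d+(\.\d+)+", entry):
            der = encode_oid(entry)
            if decode_oid(der) != entry:                # round-trip guards the encoder itself
                raise ValueError("round-trip mismatch for " + entry)
            result[entry] = der.hex()
    return result
```

Run check_eku(EKU_VALUE) to see that 1.3.6.1.5.5.8.2.2 encodes cleanly as 06 08 2b 06 01 05 05 08 02 02, i.e. the OID the report shows being rejected is itself well-formed.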

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 13:29:36 EDT

