Bug 77225 - OpenSSL bug prevents usage of client certs with 4096 bit
Summary: OpenSSL bug prevents usage of client certs with 4096 bit
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssl
Version: 7.3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Depends On:
Reported: 2002-11-03 17:25 UTC by Peter Bieringer
Modified: 2007-04-18 16:48 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-03-30 11:30:21 UTC


Description Peter Bieringer 2002-11-03 17:25:58 UTC
Description of problem:
A bug in the client cert verify code of openssl prevents the use of client certs
with 4096 bits.
This was detected by playing around with a TLS-enabled postfix.

Version-Release number of selected component (if applicable):
RHL's openssl-0.9.6b-28, surely others, too.

How reproducible:

Steps to Reproduce:
1. Create a server cert and a client cert with 4096 bit
2. Run openssl server
# openssl s_server -cert cert.pem -key key.pem  -verify ca.cert
3. Run openssl client
$ openssl s_client -cert 4096-cert.pem -key 4096-key.pem -connect host:4433

Actual Results:  Server:
911:error:1408E098:SSL routines:SSL3_GET_MESSAGE:excessive message

4454:error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal
parameter:s3_pkt.c:964:SSL alert number 47
4454:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:226:

Expected Results:  Proper connect.

Additional info:

Credits to Bodo Moeller and Lutz Jaenicke, who found the reason for the bug in
the openssl code.

The following patch will fix this issue.

Note1: the diff only shows the part related to this issue
Note2: client certs with more than 4096 bit are still not supported

--- openssl-engine-0.9.6b/ssl/s3_srvr.c Sun Nov  3 17:36:13 2002
+++ openssl-0.9.6-stable-SNAP-20021102/ssl/s3_srvr.c    Mon Oct 28 17:02:46 2002
@@ -1477,7 +1566,7 @@
-               512, /* 512? */
+               514, /* 514? */

        if (!ok) return((int)n);
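Review bot: the new literal keeps a question mark in its comment (`514, /* 514? */`), so the reason for the value is no longer recoverable from the code; the hunk is the size bound for the client's CertificateVerify message, and since a 4096-bit RSA signature is 512 bytes and the TLS CertificateVerify body carries the signature behind a 2-byte length field, the comment should say exactly that (e.g. `514, /* 2-byte length + 512-byte signature for 4096-bit RSA */`) or the bound should be derived from a named maximum instead of a magic number. As Note2 in the description states, any key above 4096 bit still trips the same bound, so the limit remains hard-coded rather than tied to the negotiated key size; that is worth stating next to the constant too. Also note the two hunk headers point at different line numbers (`-1477` vs `+1566`), which matches the description that the diff was cut down to the relevant part against two different trees.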

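The size arithmetic behind this report can be modelled directly: a 4096-bit RSA signature is 512 bytes, and the TLS CertificateVerify body carries it behind a 2-byte length field, so the whole body is 514 bytes, two more than the old bound of 512 taken from the hunk. The following is an added example written for this page, not code from the bug report or from OpenSSL; it builds a constructed CertificateVerify body and applies a bounded read in the style of the check the patch adjusts, using the 512 and 514 values from the hunk. The message layout (uint16 length followed by a signature of modulus size) is the TLS 1.0 CertificateVerify layout for RSA PKCS#1 v1.5; the function and exception names are this example's own.

```python
# Model of the size check the patch in this bug adjusts.
# Added example, not OpenSSL code. Layout assumed (TLS 1.0, RSA PKCS#1 v1.5):
#   CertificateVerify body = uint16 signature_length || signature
# where the signature is exactly the RSA modulus size in bytes.
import struct

LIMIT_BEFORE = 512   # value on the "-" line of the hunk
LIMIT_AFTER = 514    # value on the "+" line of the hunk


class ExcessiveMessage(Exception):
    """Stands in for the 'excessive message' error the server reports."""


def certificate_verify_body(modulus_bits: int) -> bytes:
    """Build a CertificateVerify body with a constructed (all 0xAA) signature."""
    sig_len = modulus_bits // 8
    return struct.pack("!H", sig_len) + b"\xaa" * sig_len


def bounded_read(body: bytes, max_len: int) -> bytes:
    """Mimic a handshake-message read that rejects bodies longer than max_len."""
    if len(body) > max_len:
        raise ExcessiveMessage(f"body is {len(body)} bytes, limit is {max_len}")
    return body


def accepted(modulus_bits: int, max_len: int) -> bool:
    """True if a client cert of this key size gets past the bound."""
    try:
        bounded_read(certificate_verify_body(modulus_bits), max_len)
        return True
    except ExcessiveMessage:
        return False


def largest_accepted_key_bits(max_len: int) -> int:
    """Largest RSA modulus whose CertificateVerify fits: (max_len - 2 length bytes) * 8."""
    return (max_len - 2) * 8


if __name__ == "__main__":
    # Walk through common key sizes against the old and the patched bound.
    print("bits  before  after")
    for bits in (1024, 2048, 4096, 8192):
        print(f"{bits:5d}  {accepted(bits, LIMIT_BEFORE)!s:6}  {accepted(bits, LIMIT_AFTER)!s}")
    print("largest key under old bound:", largest_accepted_key_bits(LIMIT_BEFORE))
    print("largest key under new bound:", largest_accepted_key_bits(LIMIT_AFTER))
```

The table the script prints shows why 2048-bit client certs never hit the bug, why 4096-bit ones fail under the old bound and pass under the new one, and why, exactly as Note2 says, anything larger than 4096 bit still fails after the patch: the bound is a fixed number, not a value derived from the client's key size.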
Comment 1 Nalin Dahyabhai 2003-02-11 05:07:52 UTC
Adding to compat package openssl096b-0.9.6b-3 and for any future erratum which
includes 0.9.6b.  Thanks!
