GNUTLS_E_ASN1_DER_ERROR (ASN1 parser: Error in DER parsing) with gnutls v3.4.x and v3.5.x but not v3.3.x
Description of problem:
I get a GNUTLS_E_ASN1_DER_ERROR (ASN1 parser: Error in DER parsing) with gnutls v3.4.x and v3.5.x when I connect to my oVirt 3.4 server (virtualization platform).
The error is not reproducible with gnutls v3.3.x. This is causing me to hold back upgrading gnutls in my software package (aSPICE remote desktop client for Android) as I am afraid of impacting my users.
Similar issue discussed here, but could be a different root cause: https://lists.gnupg.org/pipermail/gnutls-devel/2016-February/007874.html
Reported to Debian: https://bugs.debian.org/862335
Version of gnutls used:
The error is reproducible with v3.4.9, v3.4.10, and v3.5.10 on both arm and x86_64 architectures.
Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)
For x86_64, Ubuntu; for arm, built from source.
How reproducible:
100% with my oVirt 3.4 server, not at all with my oVirt 4.1 server.
Steps to Reproduce:
gnutls-cli -V ovirt.my.domain.com
Actual results:
$ gnutls-cli -V ovirt.my.domain.com
Processed 173 CA certificate(s).
Resolving 'ovirt.my.domain.com'...
Connecting to '192.168.12.40:443'...
*** Fatal error: ASN1 parser: Error in DER parsing.
*** Handshake has failed
GnuTLS error: ASN1 parser: Error in DER parsing.
Expected results:
$ gnutls-cli -V ovirt.my.domain.com
Resolving 'ovirt.my.domain.com'...
Connecting to '192.168.12.40:443'...
- Ephemeral Diffie-Hellman parameters
- Using prime: 2048 bits
- Secret key: 2046 bits
- Peer's public key: 2048 bits
- Certificate type: X.509
- Got a certificate list of 2 certificates.
- Certificate[0] info:
-
X.509 Certificate Information: Version: 3 Serial Number (hex): 1002 Issuer: C=US,O=my.domain.com,CN=ovirt.my.domain.com.71975 Validity: Not Before: Mon Jun 16 22:11:10 UTC 2014 Not After: Wed May 22 22:11:10 UTC 2019 Subject: C=US,O=my.domain.com,CN=ovirt.my.domain.com Subject Public Key Algorithm: RSA Certificate Security Level: Low Modulus (bits 2048): 00:d3:cc:ee:0a:54:28:b0:09:39:95:71:97:fd:6b:dc 7f:fa:10:6a:4f:7c:ba:2f:7b:dc:91:8a:67:d2:c5:29 cb:70:5a:a4:ac:dd:81:db:6e:49:07:39:b4:1b:9e:19 9b:a5:62:09:4e:2e:f9:8e:72:f6:b1:ff:59:07:87:ad 44:2a:b6:56:dd:69:fb:98:05:29:6b:76:38:76:c0:fe 0d:b8:92:0c:77:9e:fd:8c:03:34:f4:19:2f:5e:08:74 13:36:70:e8:a0:75:fe:23:13:54:a7:80:63:c4:47:9d 93:32:43:ed:08:f0:7a:52:75:ea:88:9f:90:e7:fa:6c 12:33:86:4f:b3:fd:ab:e8:66:e5:95:16:90:78:33:8f 0f:d0:54:7a:5d:73:16:7f:45:3e:14:e1:97:81:35:7c 14:00:af:e2:dc:b5:31:7a:f3:5d:56:e8:d0:3f:ed:61 52:8d:f4:1e:f4:49:e2:5c:62:d6:01:86:64:92:a0:e0 b2:f0:4f:d0:75:4e:2d:78:10:b5:e3:41:c6:6f:2a:17 21:04:7a:3b:18:df:4c:00:f2:d6:0a:6b:11:4b:d7:5e b2:fe:67:3a:51:02:5e:f5:dd:5c:ac:09:99:15:a4:49 be:a5:d5:87:9e:38:25:c4:66:c2:2a:21:80:f8:3e:74 6d Exponent (bits 24): 01:00:01 Extensions: Subject Key Identifier (not critical): 7494d896c9f094bb989df041ed571b746d639ad0 Unknown extension 1.3.6.1.5.5.7.1.1 (not critical): ASCII: 0y0w..+.....0..khttp://ovirt.my.domain.com:80/ovirt-engine/services/pki-resource?resource=ca-certificate&format=X509-PEM-CA Hexdump: 3079307706082b06010505073002866b687474703a2f2f6f766972742e69696f7264616e6f762e636f6d3a38302f6f766972742d656e67696e652f73657276696365732f706b692d7265736f757263653f7265736f757263653d63612d636572746966696361746526666f726d61743d583530392d50454d2d4341 Authority Key Identifier (not critical): 48486a1668221f16cdfa62fe76cf27cd52430164 Basic Constraints (not critical): Certificate Authority (CA): FALSE Key Usage (critical): Digital signature. Key encipherment. Key Purpose (critical): TLS WWW Server. TLS WWW Client. 
Signature Algorithm: RSA-SHA1 Signature: 30:ff:64:ea:ae:fe:b4:ad:83:38:6e:30:d5:7b:04:44 ff:f5:de:99:ec:71:55:47:a4:d4:ee:ed:ba:fd:27:b9 55:2e:db:1d:29:36:2a:42:c8:f6:66:fb:74:ad:28:47 dd:30:eb:32:75:af:f2:ab:f9:de:05:39:d7:ca:7b:23 1a:90:9a:29:f7:69:43:77:91:ce:a8:e1:a5:7e:6d:22 eb:9b:22:08:a1:6c:e8:e9:df:b5:90:0d:7f:c9:b6:cb dc:43:16:79:59:71:dc:12:5d:60:73:36:12:65:77:ac 40:cd:95:71:e9:0e:9b:d5:30:12:10:64:6d:1b:68:88 41:66:ec:56:5d:42:c3:51:37:54:a7:55:c8:bc:27:22 63:37:b6:fd:a2:92:fd:0a:d2:31:19:df:b2:21:cf:f9 ac:bb:50:61:e2:b0:13:91:4b:14:90:b0:2f:4e:8b:01 12:f6:a6:fa:c8:3a:bd:75:f6:bf:c9:73:ca:b1:14:f1 75:16:9e:5a:46:44:7f:a5:2a:2a:0f:4d:0a:44:3b:50 ca:99:15:2e:7f:4a:73:78:02:0c:42:e0:68:f7:61:99 eb:b7:0f:52:af:16:31:66:fc:c5:e2:b8:a3:99:a5:de 02:5f:c3:12:08:eb:0b:6e:94:bd:b3:21:80:1f:59:2e Other Information: MD5 fingerprint: 4d66d244f784a11373f3377f55d6a624 SHA-1 fingerprint: 2d887ca351e02f29f84578a5e86cdc7b78e0ce2a Public Key Id: 7494d896c9f094bb989df041ed571b746d639ad0
- Certificate[1] info:
-
X.509 Certificate Information: Version: 3 Serial Number (hex): 1000 Issuer: C=US,O=my.domain.com,CN=ovirt.my.domain.com.71975 Validity: Not Before: Mon Jun 16 22:11:05 UTC 2014 Not After: Fri Jun 14 22:11:05 UTC 2024 Subject: C=US,O=my.domain.com,CN=ovirt.my.domain.com.71975 Subject Public Key Algorithm: RSA Certificate Security Level: Low Modulus (bits 2048): 00:b5:81:2f:5a:49:e8:47:59:e9:cf:74:80:1a:c8:1f 1e:a2:f7:d5:7b:78:7d:be:ac:25:4f:37:ce:65:a8:89 2b:9e:9f:3f:5b:21:87:0b:bf:b2:13:0b:f6:0f:71:00 30:6d:27:63:32:5e:18:18:f9:5d:b4:98:9d:a8:3a:2b ea:a2:d4:de:21:c1:dc:d2:fb:39:7c:97:01:bb:05:97 c4:5b:7c:21:20:e4:15:78:67:b1:7f:bd:f0:c3:f5:16 17:37:3c:42:31:96:13:22:b4:52:bb:fb:b7:7a:27:14 9d:ea:54:2c:22:07:ab:bb:27:f6:03:e6:92:2c:3d:36 41:4a:4d:76:78:71:27:8f:05:32:77:09:52:b1:72:71 30:d9:b6:76:f6:44:42:56:82:5d:5c:45:af:0c:32:d8 8b:2a:83:18:74:2f:ad:dc:ff:40:9b:6e:ef:3a:94:66 87:45:3a:ac:1e:2a:ca:6d:70:62:3f:49:6c:41:12:e2 66:d2:fe:ed:49:42:02:af:f8:05:e0:4b:54:03:e5:91 69:4d:73:c3:78:eb:36:40:f2:6d:af:00:f6:9e:ee:52 77:66:82:30:0b:fc:30:7a:9e:47:c9:df:6a:2c:64:a4 a0:b8:27:11:7a:7e:74:7e:62:79:f8:c3:32:8e:76:93 a1 Exponent (bits 24): 01:00:01 Extensions: Subject Key Identifier (not critical): 48486a1668221f16cdfa62fe76cf27cd52430164 Authority Key Identifier (not critical): 48486a1668221f16cdfa62fe76cf27cd52430164 Basic Constraints (critical): Certificate Authority (CA): TRUE Key Usage (critical): Certificate signing. CRL signing. 
Signature Algorithm: RSA-SHA1 Signature: 06:0c:14:69:65:d8:86:fb:c2:98:ad:8a:9a:27:e9:2f 42:db:90:3c:7e:7c:7b:c0:b5:ca:63:77:d4:04:99:ad a4:bc:53:8d:26:5f:3d:b8:66:36:40:af:c0:66:e6:8c 6e:fc:00:56:e5:f9:d6:35:f8:f0:e6:10:ad:70:d8:38 0d:5b:0d:88:f5:67:18:e1:42:c9:a0:83:68:dd:86:6f a7:6b:39:de:26:16:dd:4f:92:cb:3f:96:2e:b2:16:d2 89:b9:6c:cd:58:d1:fc:3c:29:bb:80:b9:6b:09:cc:97 db:77:58:4c:19:e3:15:e9:ac:4a:c7:b1:5b:10:2b:8d d1:ad:36:b0:2a:36:90:8c:64:72:48:3f:68:68:2c:85 0e:04:92:a3:fb:f6:3e:ce:db:95:9a:65:d7:01:64:3a 58:b2:a4:83:bd:c1:ba:3b:2e:2a:33:77:5d:7b:f1:01 66:27:e5:3e:ee:26:bc:8c:0b:d7:98:a5:19:77:ce:ff 33:e4:a7:8f:5f:70:a9:b9:60:4f:0b:0b:d3:ef:b1:2f 8d:4a:70:fd:6a:fc:51:42:af:1b:63:86:a7:d8:55:31 a2:1e:66:4a:1f:94:63:6a:e9:77:dc:97:ed:60:81:b5 9f:53:c0:79:24:69:e3:5e:86:04:73:ed:ca:db:66:b0 Other Information: MD5 fingerprint: a2cef9d8fa046909e165fa51d5e7f929 SHA-1 fingerprint: 62acba38e50beb66ea05bebae70cc029337b5617 Public Key Id: 48486a1668221f16cdfa62fe76cf27cd52430164
- The hostname in the certificate matches 'ovirt.my.domain.com'.
- Peer's certificate issuer is unknown
- Peer's certificate is NOT trusted
- Version: TLS1.2
- Key Exchange: DHE-RSA
- Cipher: AES-128-CBC
- MAC: SHA1
- Compression: NULL
- Session ID: 40:CD:3E:A6:4C:DD:B7:68:9F:42:34:5C:16:16:82:64:3E:FE:7A:32:CB:80:6E:26:A2:66:FE:17:FA:78:96:13
- Channel binding 'tls-unique': f86bb47eb714e07559289b33
- Handshake was completed
- Simple Client Mode:
*** Fatal error: A TLS packet with unexpected length was received.
*** Server has terminated the connection abnormally.