<HTML><BODY style="word-wrap: break-word; -khtml-nbsp-mode: space; -khtml-line-break: after-white-space; ">Ron and Norbert,<DIV><BR class="khtml-block-placeholder"></DIV><DIV>I found that SSL failed to establish a connection on the Mac, and I suspect the same is actually true on Windows, on close inspection. The resulting MIMEDocument has an error when evaluating the example:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><BLOCKQUOTE type="cite"><SPAN style="" courier="" new""=""><FONT class="Apple-style-span" face="Courier New" size="4"><SPAN class="Apple-style-span" style="font-size: 13.3333px;">'</SPAN></FONT><A href="https://home.selfish.org/"><FONT class="Apple-style-span" face="Courier New" size="4"><SPAN class="Apple-style-span" style="font-size: 13.3333px;">https://home.selfish.org</SPAN></FONT></A><FONT class="Apple-style-span" face="Courier New" size="4"><SPAN class="Apple-style-span" style="font-size: 13.3333px;">' asUrl retrieveContents.</SPAN></FONT></SPAN></BLOCKQUOTE><DIV><BR class="khtml-block-placeholder"></DIV><DIV>I debugged into the SSLSocket and found where the ProtocolCap was getting killed. This occurred when processing the SSLCertificateMsg, with a certificate chain of 2 certificates. The new code I added to verify certificates is having a problem verifying certificate 1 with certificate 2.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Digging a little further showed that there are 3 problems, the 2nd and 3rd hidden by the 1st. </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>The 1st problem is the comparison if cert1's issuer with cert2's subject. One part of these X509Names is a Pkcs9EmailAddress, which is wrapping a ASN1IA5String. This class (ASN1IA5String) is missing an #= operation, and so they are claiming they are not equal. I fixed this.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>The 2nd and 3rd problems are ASN1 encoding/decoding problems.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>The 2nd problem is an issue with tag 12 being encoded as 19, the default for a String.</DIV><DIV>the source bytes encoded with this code</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>| bytes |</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>bytes := #(160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103) asByteArray.</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>(ASN1Value fromAsnDer: bytes readStream) encodeAsnDer.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>encode as</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>#(160 18 19 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103)</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>check the third byte to see the problem. Since the TBSCertificate are reencoded for signature checking, the ASN1 hierarchy must be able to reencode precisely. So I added several classes for different types of strings (ASN1PrintableString, ASN1UniversalString, and ASN1BMPString) and updated the tag table to use them. This solves this problem, but there are still holes in the ASN1 tag framework.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>The 3rd problem is an ASN1 decoding problem with an ASN1ExplicitContextValue class, that is embedded in a CertificateExtension. Here is the ExplicitContextValue part, which seems to be malformed:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>| bytes ext |</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>bytes := #(160 30 6 8 43 6 1 5 5 7 8 5 160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103) asByteArray.</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>ext := (ASN1Value fromAsnDer: bytes readStream).</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>ext encodeAsnDer</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>resulting in:</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>a ByteArray (160 10 6 8 43 6 1 5 5 7 8 5)</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Notice the 2nd byte. Now this being embedded means that the part that dropped off is actualy captured in the certExtension, and when he certExtension encdes itself, here is the fragment that it encodes:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>a ByteArray (160 10 6 8 43 6 1 5 5 7 8 5 160 18 12 16 104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103)</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>The original bytes gave a length of 30, which captured 2 values and I didn't think a ExplicitContextValue could do that. The encoded bytes have a length of 10 which is just the first element. When it decodes, instead of grabbing the bytes specified by length it just decodes the next ASN1Value, the first chunk. So here is how it breaks down:</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><{160} [30] (</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><{6} [8] (43 6 1 5 5 7 8 5)> </DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><{160} [18] (</DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN><{12} [16] (104 111 109 101 46 115 101 108 102 105 115 104 46 111 114 103)></DIV><DIV><SPAN class="Apple-tab-span" style="white-space:pre"> </SPAN>)></DIV><DIV>)></DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Now, either an ExplicitContextValue can have 2 values like this, and we need to change some code, or this is malformed. Please advise if we can change ExplicitContextValue to handle this. </DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>If it is malformed, then because we are re-encoding the ASN1 bytes to do signatures, and since I added the Certificate Extensions, this is now breaking. Either we need to save the original bytes to do signatures with, and avoid re-encoding, or else this correctly fails. Saving the original bytes of ASN1 is a major rewrite.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Sorry I couldn't get this site working for you right away, but we will need to resolve this issue in the design, first.</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV>Robert</DIV><DIV><BR class="khtml-block-placeholder"></DIV><DIV><BR><DIV><DIV>On Mar 20, 2007, at 11:01 AM, Ron Teitelbaum wrote:</DIV><BR class="Apple-interchange-newline"><BLOCKQUOTE type="cite"> <DIV class="Section1"><P class="MsoNormal" style="text-autospace:none"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt;font-family:" courier="" new""="">Hello everyone,<O:P></O:P></SPAN></FONT></P><P class="MsoNormal" style="text-autospace:none"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt;font-family:" courier="" new""=""><O:P> </O:P></SPAN></FONT></P><P class="MsoNormal" style="text-autospace:none"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt;font-family:" courier="" new""="">Can anyone help debugging SSL on Linux?<O:P></O:P></SPAN></FONT></P><P class="MsoNormal" style="text-autospace:none"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt;font-family:" courier="" new""=""><O:P> </O:P></SPAN></FONT></P><P class="MsoNormal" style="text-autospace:none"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt;font-family:" courier="" new""="">This is from Norbert:<O:P></O:P></SPAN></FONT></P><P class="MsoNormal" style="text-autospace:none"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt;font-family:" courier="" new""=""><O:P> </O:P></SPAN></FONT></P><P class="MsoNormal" style="text-autospace:none"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt;font-family:" courier="" new""="">I'm using it on linux with squeak vm 3.9-8 #5 Tue Oct 10 11:56:09 PDT 2006 gcc 4.0.3 Squeak3.9alpha of 4 July 2005 [latest update: #7021] Linux ubuntu 2.6.15-27-386 #1 PREEMPT Sat Sep 16 01:51:59 UTC 2006 i686 GNU/Linux default plugin location: /usr/local/lib/squeak/3.9-8/*.so and a stock 3.9 7067 image. I tried using a fresh copy of the image but the errors stay the same errors.<O:P></O:P></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" face="Arial"><SPAN style="font-size:10.0pt; font-family:Arial"><O:P> </O:P></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt; font-family:" courier="" new""="">I tried using the url that Norbert gave and it worked fine on Windows.<O:P></O:P></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt; font-family:" courier="" new""=""><O:P> </O:P></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt; font-family:" courier="" new""="">'<A href="https://home.selfish.org/">https://home.selfish.org</A>' asUrl retrieveContents.<O:P></O:P></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt; font-family:" courier="" new""=""><O:P> </O:P></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt; font-family:" courier="" new""="">Could someone try this on Linux and see if they can help provide info as to what is going wrong. I suspect that the client hello is causing the server to disconnect. Maybe an Endian issue?<O:P></O:P></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt; font-family:" courier="" new""=""><O:P> </O:P></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt; font-family:" courier="" new""="">Thanks,<O:P></O:P></SPAN></FONT></P><P class="MsoNormal"><FONT size="2" face="Courier New"><SPAN style="font-size:10.0pt; font-family:" courier="" new""=""><BR> Ron Teitelbaum<BR> Squeak Cryptography Team Leader</SPAN></FONT><FONT size="2" face="Arial"><SPAN style="font-size:10.0pt;font-family:Arial"><O:P></O:P></SPAN></FONT></P> </DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">_______________________________________________</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">Cryptography mailing list</DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><A href="mailto:Cryptography@lists.squeakfoundation.org">Cryptography@lists.squeakfoundation.org</A></DIV><DIV style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><A href="http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography">http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/cryptography</A></DIV> </BLOCKQUOTE></DIV><BR></DIV></BODY></HTML>