Hi,
We were using old MBed TLS version 2.19.1 and existing trusted CA certificates were working fine in that release. Recently we upgraded to 3.6.0 and see that now certificate parsing is returning -ox262e value from function mbedtls_x509_get_sig_alg cause of which handshake is not even initiated.
Can you please let us know what can cause such an issue and remedy the same?
Regards, Prakash
Hi,
FYI - I just did some more analysis and found that error is generated from below code:
if ((ret = mbedtls_oid_get_sig_alg(sig_oid, md_alg, pk_alg)) != 0) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, ret); }
Can you please explain if this is due to some configuration issue (in between 2.19.1 and 3.6.0 versions) or in certificate?
Please provide some more info on the issue and how to resolve the same?
Thanks in advance.
Regards, Prakash
On Thu, Sep 26, 2024 at 10:58 AM Satya Prakash Prasad satyaprakash.developer.unix@gmail.com wrote:
Hi,
We were using old MBed TLS version 2.19.1 and existing trusted CA certificates were working fine in that release. Recently we upgraded to 3.6.0 and see that now certificate parsing is returning -ox262e value from function mbedtls_x509_get_sig_alg cause of which handshake is not even initiated.
Can you please let us know what can cause such an issue and remedy the same?
Regards, Prakash
Hi All,
Here's what I did forward based on what I understand - since my understanding can be wrong please let me know:
The certificate in concern is certificate chain and I found 5 certificate within:
-----BEGIN CERTIFICATE----- -----END CERTIFICATE-----
As per the issue I feel that error is due to Unknown or unsupported Signature Algorithm.
So I extracted all 5 certificate and applied below command:
openssl x509 -in 1.pem -text -noout --> Signature Algorithm: sha1WithRSAEncryption openssl x509 -in 2.pem -text -noout =-> Signature Algorithm: sha1WithRSAEncryption openssl x509 -in 3.pem -text -noout ----> Signature Algorithm: sha256WithRSAEncryption openssl x509 -in 4.pem -text -noout ---> Signature Algorithm: ecdsa-with-SHA256 openssl x509 -in 5.pem -text -noout --> Signature Algorithm: ecdsa-with-SHA384
I am not sure but my guess is that Signature Algorithm ecdsa-with-SHA384 is probably failing - I am not sure what config value I should have in 3.6.0 to enable it.
But the same certificate passes in 2.19.1 version?
Please provide your inputs.
Regards, Prakash.
On Thu, Sep 26, 2024 at 12:57 PM Satya Prakash Prasad satyaprakash.developer.unix@gmail.com wrote:
Hi,
FYI - I just did some more analysis and found that error is generated from below code:
if ((ret = mbedtls_oid_get_sig_alg(sig_oid, md_alg, pk_alg)) != 0) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG, ret); }
Can you please explain if this is due to some configuration issue (in between 2.19.1 and 3.6.0 versions) or in certificate?
Please provide some more info on the issue and how to resolve the same?
Thanks in advance.
Regards, Prakash
On Thu, Sep 26, 2024 at 10:58 AM Satya Prakash Prasad satyaprakash.developer.unix@gmail.com wrote:
Hi,
We were using old MBed TLS version 2.19.1 and existing trusted CA certificates were working fine in that release. Recently we upgraded to 3.6.0 and see that now certificate parsing is returning -ox262e value from function mbedtls_x509_get_sig_alg cause of which handshake is not even initiated.
Can you please let us know what can cause such an issue and remedy the same?
Regards, Prakash
mbed-tls@lists.trustedfirmware.org