8

I'm trying to verify a 2-way SSL connection using the openssl s_client command

openssl s_client -connect localhost:8883 -CAfile ca.pem -cert client.crt -key client.key 

The openssl s_client fails with the following error:

openssl s_client -connect localhost:8883 -CAfile ca.pem -cert client.crt -key c.key
Enter pass phrase for client.key:
unable to load client certificate private key file
140289846519624:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
140289846519624:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1306:
140289846519624:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=RSA
140289846519624:error:04093004:rsa routines:OLD_RSA_PRIV_DECODE:RSA lib:rsa_ameth.c:115:
140289846519624:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:
140289846519624:error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header:tasn_dec.c:1306:
140289846519624:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=PKCS8_PRIV_KEY_INFO
140289846519624:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:132:

The client private key was generated using the following command

openssl genrsa -aes256 -out client.key 2048 

And if I try to parse it I get the following

openssl asn1parse < client.key 

I get this

Error in encoding
140030324189000:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:asn1_lib.c:150:

This does work when I generate the key without passing the -aes256 option.

How can I get this to work with keys that have been encrypted using aes or des?

  • 1
    Since you encrypt your private key you must also provide the necessary information to decrypt it, see description of -pass option.
    Commented Nov 10, 2014 at 1:01
  • Do you mean the -pass (private key file pass phrase source) option ? This is for providing the passphrase of the key I suppose ? I'm still getting the same error.
    – ddewaele
    CommentedNov 10, 2014 at 10:38
    "..providing the passphrase of the key I suppose" - kind of, but not directly. Please read the documentation how it should be used.
    Commented Nov 10, 2014 at 11:36
  • I did and used the env:var option. It picks up the passphrase ok but then throws the error. Without the option I'm prompted for a password. Password is correct. If I provide an invalid one I get another error (failing to decrypt, indicating the passphrase is wrong).
    – ddewaele
    CommentedNov 10, 2014 at 11:41
  • 1
    openssl rsa -in client.key | openssl asn1parse will work, because it removes the encryption before calling asn1parse.
    Commented Nov 10, 2014 at 13:29
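The behaviour in the question and the fix in the last comment can be reproduced end to end. The script below is an added example, not code from the original post or from any of the commenters; it assumes an `openssl` binary on PATH, and the file names, the passphrase and the temporary directory are constructed for the demo. It generates a key protected the way the question's `genrsa -aes256` protects it (OpenSSL's legacy PEM format, forced with `-traditional` on OpenSSL 3.x where that flag exists), shows `asn1parse` failing on it, then shows the two workable paths: decrypt with `-passin` before parsing, or re-encrypt the key as PKCS#8, which parses even while encrypted.

```shell
#!/bin/sh
# Added example, not code from the original question or its commenters. It reproduces
# the asn1parse failure on a passphrase-protected key in OpenSSL's legacy PEM format
# and shows the two ways out that the comments point at: decrypt with a passphrase
# source before parsing, or re-encrypt the key as PKCS#8. Assumes an `openssl` binary
# on PATH. File names, the passphrase and the temp directory are constructed here.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found on PATH" >&2; exit 1; }

WORKDIR="$(mktemp -d)"
PASS="constructed-demo-passphrase"   # constructed for the demo, not a real secret
trap 'rm -rf "$WORKDIR"' EXIT

# OpenSSL 1.x writes the legacy "Proc-Type: 4,ENCRYPTED / DEK-Info" PEM whenever
# `openssl rsa` is given a cipher; OpenSSL 3.x writes PKCS#8 unless told -traditional.
legacy_flag() {
    if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
        printf '%s' '-traditional'
    fi
}

setup_keys() {
    # Start from an unencrypted key; genrsa's own output format also differs by version.
    openssl genrsa -out "$WORKDIR/plain.key" 2048 2>/dev/null
    # Equivalent of the question's `genrsa -aes256 ... client.key` on OpenSSL 1.x:
    # the DER key is encrypted to an opaque blob; cipher and IV go into a PEM header.
    # shellcheck disable=SC2046
    openssl rsa -in "$WORKDIR/plain.key" -aes256 -passout "pass:$PASS" \
        $(legacy_flag) -out "$WORKDIR/legacy.key" 2>/dev/null
    # PKCS#8 EncryptedPrivateKeyInfo: the encryption parameters are themselves ASN.1
    # and the passphrase is stretched with PBKDF2 (2048 iterations by default) rather
    # than the single MD5 pass (EVP_BytesToKey) the legacy DEK-Info format uses.
    openssl pkcs8 -topk8 -in "$WORKDIR/legacy.key" -passin "pass:$PASS" \
        -v2 aes-256-cbc -passout "pass:$PASS" -out "$WORKDIR/pkcs8.key"
}

# The question's failing command: the base64 body of a legacy encrypted key is
# ciphertext, not DER, so ASN1_get_object rejects it ("header too long").
legacy_key_parses_directly() {
    openssl asn1parse < "$WORKDIR/legacy.key" >/dev/null 2>&1
}

# The last comment's fix: decrypt first, then parse the plaintext PEM from the pipe.
decrypted_key_parses() {
    openssl rsa -in "$WORKDIR/legacy.key" -passin "pass:$PASS" 2>/dev/null \
        | openssl asn1parse >/dev/null 2>&1
}

# A PKCS#8 key parses while still encrypted, and the dump names the KDF it uses.
pkcs8_key_parses() {
    openssl asn1parse -in "$WORKDIR/pkcs8.key" 2>/dev/null | grep -q 'PBKDF2'
}

# What s_client does with -key plus -pass: decrypt the key, then use it. `-check`
# additionally verifies the RSA key's internal consistency.
key_loads_with_pass() {
    openssl rsa -in "$1" -passin "pass:$PASS" -check -noout >/dev/null 2>&1
}

# show <label> <check...>: run one check and print whether it passed.
show() {
    label=$1; shift
    if "$@"; then echo "$label: ok"; else echo "$label: FAILS"; fi
}

report() {
    setup_keys
    echo "legacy.key header (cipher and IV live in PEM headers, not in ASN.1):"
    head -n 3 "$WORKDIR/legacy.key"
    show "openssl asn1parse < legacy.key (the question's command)" legacy_key_parses_directly
    show "openssl rsa -passin ... | openssl asn1parse" decrypted_key_parses
    show "openssl asn1parse -in pkcs8.key (still encrypted)" pkcs8_key_parses
    show "load legacy.key with -passin" key_loads_with_pass "$WORKDIR/legacy.key"
    show "load pkcs8.key with -passin" key_loads_with_pass "$WORKDIR/pkcs8.key"
}

report
```

The first check is expected to print FAILS: a legacy encrypted PEM carries the cipher name and IV in the `DEK-Info` header and its base64 body is raw ciphertext, and `asn1parse` only base64-decodes before parsing, so it sees random bytes where a DER header should be. The same applies to `s_client -key`: the passphrase has to reach the key loader (the `-pass` option there; `rsa` and `pkcs8` call it `-passin`), which is what the prompt in the question does interactively. Converting to PKCS#8 is the better long-term fix: the key parses and is inspectable while still encrypted, and the passphrase is stretched with PBKDF2 instead of the legacy format's single MD5 derivation.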
