[rabbitmq-discuss] SSL Certificate Error

james.poole at rsa.com james.poole at rsa.com
Tue May 8 16:50:37 BST 2012


Signs are pointing to this being an issue with OpenSSL.  If I try to manually 
create a cert with OpenSSL using a subject of length greater than 64, it 
fails:

problems making Certificate Request
6532:error:0D07A097:asn1 encoding routines:ASN1_mbstring_ncopy:string too long:.\crypto\asn1\a_mbstr.c:154:maxsize=64

Our certificates where we were seeing the issue were created with another tool 
(not OpenSSL) which didn't have this restriction.

The certificate that fails has a subject name of 72 chars.

-James

-----Original Message-----
From: Emile Joubert [mailto:emile at rabbitmq.com]
Sent: Tuesday, May 08, 2012 10:33 AM
To: Poole, James
Cc: rabbitmq-discuss at lists.rabbitmq.com
Subject: Re: [rabbitmq-discuss] SSL Certificate Error

Hi James,

On 08/05/12 14:54, james.poole at rsa.com wrote:
> In case anyone runs into a similar issue, we found that our certificate
> had a subject length of over 64 characters.  This length limit seems
> like it is not part of the actual standard (LDAP doesn't enforce it),
> but in any case, shortening the subject fixed the issue.

Thanks for getting back to the list with your solution. Was subject
length really the only difference between a working and non-working
(ecertfile error) certificate? The chances of that seem somewhat remote.
Out of interest, were you able to confirm your hypothesis with more
than one set of certificates that differ in subject length alone?

-Emile
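
A pre-deployment check for the length limit discussed in this thread, as an added example that is not part of the original messages or of RabbitMQ or OpenSSL. It goes beyond the single maxsize=64 case reported above by checking each subject attribute against the per-attribute upper bounds in RFC 5280 Appendix A. It assumes the subject is supplied in RFC 4514 string form (for example from `openssl x509 -noout -subject -nameopt RFC2253`); the function names and sample subjects are constructed for illustration.

```python
import re

# Upper bounds in characters from RFC 5280 Appendix A, keyed by attribute
# short name. Attributes not listed here are not checked.
UPPER_BOUNDS = {"CN": 64, "O": 64, "OU": 64, "L": 128, "ST": 128,
                "C": 2, "serialNumber": 64}

def split_unescaped(text, sep):
    """Split text on sep, ignoring separators that are backslash-escaped."""
    parts, buf, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf, i = buf + text[i:i + 2], i + 2   # keep the escape intact
        elif text[i] == sep:
            parts, buf, i = parts + [buf], "", i + 1
        else:
            buf, i = buf + text[i], i + 1
    return parts + [buf]

def unescape(value):
    """Undo RFC 4514 escapes (hex byte pairs, escaped specials) to get the text."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and re.fullmatch("[0-9A-Fa-f]{2}", value[i + 1:i + 3]):
            out.append(int(value[i + 1:i + 3], 16))  # one UTF-8 byte
            i += 3
        elif value[i] == "\\" and i + 1 < len(value):
            out += value[i + 1].encode("utf-8")      # escaped special character
            i += 2
        else:
            out += value[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")

def oversized_attributes(subject):
    """Return (attribute, length, limit) for every value over its upper bound."""
    findings = []
    for rdn in split_unescaped(subject, ","):
        for ava in split_unescaped(rdn, "+"):        # multi-valued RDN
            name, _, raw = ava.partition("=")
            limit = UPPER_BOUNDS.get(name.strip())
            length = len(unescape(raw))              # characters, not bytes
            if limit is not None and length > limit:
                findings.append((name.strip(), length, limit))
    return findings

# Constructed sample: a 72-character CN, matching the length reported above.
LONG_CN = "broker-" + "a" * 53 + ".example.com"
BAD_SUBJECT = "CN=" + LONG_CN + ",OU=Messaging\\, EU,O=Example Corp,C=US"
print(oversized_attributes(BAD_SUBJECT))
```

An empty result means no checked attribute exceeds its bound; certificates from tools that do not enforce these bounds can be screened this way before they are handed to an OpenSSL-based stack.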


