server key exchange signature behavior

Bruce Cloutier bcloutier at integpg.com
Thu Jun 25 17:09:48 UTC 2020


Sorry,

By "If OpenSSL fails to validate this particular digital signature that
would be the case." I meant to question whether or not OpenSSL is in
fact doing the validation? In the case that the signature is being
ignored then clients wouldn't complain. They wouldn't notice.

Bruce

On 6/25/20 1:04 PM, Bruce Cloutier wrote:
> Yeah. I doubt it is an OpenSSL issue directly as Apache might be feeding
> the wrong key. Just need confirmation that there isn't a default key
> configuration setting for OpenSSL that might be taking precedence for
> who knows why.
>
> I can connect successfully with the browser so I cannot rule out that my
> TLS implementation is faulty. However, it validates with every other
> site and it validates with the default install of this bitnami stack.
> Once we reconfigure for the new key and certificate, this signature in
> the server_key_exchange message fails. Nothing else seems to complain.
> My code does, well, because I know that I actually do verify that
> signature against the supplied certificate.
>
> So to everyone else it appears that we have configured the new
> certificates properly (manually achieved Let's Encrypt cert). If OpenSSL
> fails to validate this particular digital signature that would be the
> case. If in my TLS implementation I skip this check (actually now I just
> post a warning) everything negotiates and proceeds just fine.
>
> Obviously, THAT signature is there for a reason. I should expect if to
> validate. Just don't know what key it is using?
>
> I am not sure how to get to the Apache people or, might be, the Bitnami
> folks?
>
> Bruce
>
> On 6/25/20 12:07 PM, Michael Wojcik wrote:
>>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
>>> Bruce Cloutier
>>> Sent: Thursday, June 25, 2020 10:11
>>>
>>> Has anyone thought about this question?
>> From your description, it sounds like an Apache issue, not an OpenSSL one. I don't know enough about Apache configuration to comment. (I've configured a few Apache instances in my day, but never had any real issues with it, so I've never done more than search the docs for what I needed and implemented it.)
>>
>>> The site is https://jnior.com if
>>> anyone wants to hit it. For me the digital signature in the
>>> server_key_exchange does not verify.
>> I just tried openssl s_client, and it didn't complain about anything. Negotiated a TLSv1.2 session with ECDHE-RSA-AES256-GCM-SHA384 and verified the chain.
>>
>> --
>> Michael Wojcik
>> Distinguished Engineer, Micro Focus
>>
>>
>>
-- 
Sent using Thunderbird on Ubuntu 16.04LTS


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20200625/ba26630b/attachment.sig>


More information about the openssl-users mailing list