[openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature

Kurt Roeckx kurt at roeckx.be
Mon Feb 29 21:35:05 UTC 2016 

The cipher is using SHA256, there is also a signature using SHA512
for the verification of the client certificate.  I think we've
already pointed out how to disable that.


Kurt

On Mon, Feb 29, 2016 at 08:55:34PM +0000, Nounou Dadoun wrote:
> And I should add a reminder that the negotiated cipher that's failing is actually TLS_RSA_WITH_AES_256_CBC_SHA256
> 
> Which does seem a little odd with sha256t passing and sha512t failing ... N
> 
> 
> Nou Dadoun
> Senior Firmware Developer, Security Specialist
> 
> Office: 604.629.5182 ext 2632 
> 
> -----Original Message-----
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Nounou Dadoun
> Sent: Monday, February 29, 2016 12:41 PM
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature
> 
> Sorry, that may be the name of one of the associated libraries, in any event it's a Linaro arm toolchain version 4.9.1 running on a linux x-64 vm ... N
> 
> 
> -----Original Message-----
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Nounou Dadoun
> Sent: Monday, February 29, 2016 12:31 PM
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature
> 
> It's arm-linux-gnueabihf-4.9.1
> 
> ... N
> 
> Nou Dadoun
> Senior Firmware Developer, Security Specialist
> 
> 
> Office: 604.629.5182 ext 2632 
> 
> -----Original Message-----
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Kurt Roeckx
> Sent: Monday, February 29, 2016 12:23 PM
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake with error 67702888--bad signature
> 
> Which compiler and version are you using?
> 
> Kurt
> 
> On Mon, Feb 29, 2016 at 08:12:10PM +0000, Nounou Dadoun wrote:
> > For the record, I added no-asm to the config options and got exactly 
> > the same result on the sha512t test.  Open to other suggestions ... N
> > 
> > 
> > Nou Dadoun
> > Senior Firmware Developer, Security Specialist
> > 
> > 
> > Office: 604.629.5182 ext 2632
> > 
> > -----Original Message-----
> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On 
> > Behalf Of Nounou Dadoun
> > Sent: Monday, February 29, 2016 11:39 AM
> > To: openssl-users at openssl.org
> > Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake 
> > with error 67702888--bad signature
> > 
> > Back in the office today - the sha1 and sha256 tests passed but the sha512 failed immediately as below.
> > 
> > # ./sha1test
> > test 1 ok
> > test 2 ok
> > test 3 ok
> > # ./sha256t
> > Testing SHA-256 ... passed.
> > Testing SHA-224 ... passed.
> > # ./sha512t
> > Testing SHA-512
> > TEST 1 of 3 failed.
> > #
> > 
> > Took a quick look at the code and it looks pretty straightforward, do you have a version you'd like me to run that dumps the result over and above doing a straight memcmp (funny that it doesn't do that anyway on failure) or just let me know what you'd like dumped and what format you'd like it in.  And maybe remove the returns so it goes through all the tests?  
> > 
> > Happy to help root cause this issue if I can.
> > 
> > Haven't tried the no-asm option yet, I might try that next.
> > 
> > Nou Dadoun
> > Senior Firmware Developer, Security Specialist
> > 
> > Office: 604.629.5182 ext 2632
> > 
> > -----Original Message-----
> > From: openssl-users [mailto:openssl-users-bounces at openssl.org] On 
> > Behalf Of Dr. Stephen Henson
> > Sent: Sunday, February 28, 2016 4:58 AM
> > To: openssl-users at openssl.org
> > Subject: Re: [openssl-users] [openssl-dev] Failed TLSv1.2 handshake 
> > with error 67702888--bad signature
> > 
> > On Sun, Feb 28, 2016, Nounou Dadoun wrote:
> > 
> > > 
> > > We're cross-compiling on a linux x86 vm, does "make test" produce something that I can run on the target?
> > 
> > "make test" wont be very useful then. The binary test/sha512t you can copy to the target and run it. I'd be interested in the output.
> > 
> > Steve.
> > --
> > Dr Stephen N. Henson. OpenSSL project core developer.
> > Commercial tech support now available see: http://www.openssl.org
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>

More information about the openssl-users mailing list