[openssl-users] decrypt error

Jakob Bohm jb-openssl at wisemo.com
Fri Jan 25 01:16:52 UTC 2019


Since this seems to be a certificate issue, would it be possible
to make the server log all the certificate checking steps and
errors with the failing certificates?

One obvious test would be to try connecting to the "openssl s_server"
utility with a similar configuration and lots of debug options. Another
would be to install all the debug symbols and run haproxy under a
debugger with strategically set breakpoints to look at the execution stack
when errors are reported or validation occurs.

On 24/01/2019 16:55, Scharfenberg, Carsten wrote:
> Yes, it works if I deactivate client auth.
> Concerning the cipher: I use one specific cipher on server and on client side. This is the only cipher supported by the actual hardware client.
> Concerning the sigalg: I've had big trouble with this because due to bug in the client I need to restrict the sigalgs offered by the server. This is not possible with haproxy. But it is possible with openssl.cnf since version 1.1.1. This is why I've installed haproxy and openssl from Debian testing.
> So I'm very confident about the cipher suite and the signature algorithm.
>
> I've just created a new certificate hierarchy. Et voila: it works.
> So obviously this issue is certificate-related.
> Still I have to figure out what is wrong with the old certificates because I cannot replace them in the productive environment.
> My next step will be to create new hierarchy again that matches the original hierarchy as close as possible (including constraints and extensions).
>

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
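The offline version of the check Jakob suggests, as an added example that is not part of the thread: instead of a live s_server, it rebuilds a small client-certificate hierarchy with the openssl command line and runs `openssl verify` with the same chain and purpose checks a TLS server applies to a client certificate, so the exact verify error for a "bad" hierarchy can be read. It assumes `openssl` (1.1.1 or later) is on PATH; the CA names, the device names and all file names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the openssl-users thread or from haproxy.
# Builds: a root CA, a good client cert, a client cert with the wrong EKU,
# and a client cert from an unrelated CA, then runs the server-side checks.
# All names below (Test Root CA, device-001 ...) are constructed for this demo.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal req config, so the result does not depend on the system openssl.cnf.
write_ca_config() {   # $1 = config path, $2 = CA common name
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

# make_ca NAME CN : self-signed CA as NAME.key / NAME.pem (P-256 keys for speed)
make_ca() {
    write_ca_config "$WORK/$1.cnf" "$2"
    openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 30 -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -config "$WORK/$1.cnf" 2>/dev/null
}

# make_leaf NAME CA EKU : end-entity cert NAME.pem signed by CA with that extendedKeyUsage
make_leaf() {
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = %s\n' \
        "$3" > "$WORK/$1.ext"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$1" -config "$WORK/$2.cnf" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# show_ext NAME : print the extensions that decide whether a cert may act as a TLS client
show_ext() {
    openssl x509 -in "$WORK/$1.pem" -noout -subject \
        -ext basicConstraints,keyUsage,extendedKeyUsage
}

# verify_result NAME CA : chain + purpose check as a server would do it for a client cert.
# Prints "OK", or the verify error text (e.g. "unsupported certificate purpose").
verify_result() {
    if out="$(openssl verify -CAfile "$WORK/$2.pem" -purpose sslclient \
                -show_chain "$WORK/$1.pem" 2>&1)"; then
        echo OK
    else
        printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: //p' | head -n 1
    fi
}

# Build the hierarchy: one trusted CA, one unrelated CA.
make_ca ca    "Test Root CA"
make_ca other "Unrelated Root CA"
make_leaf device-001 ca    clientAuth    # correct client cert
make_leaf device-002 ca    serverAuth    # wrong purpose: issued as a server cert
make_leaf device-003 other clientAuth    # right purpose, but unknown issuer

for dev in device-001 device-002 device-003; do
    echo "== $dev =="
    show_ext "$dev"
    echo "verify against ca.pem: $(verify_result "$dev" ca)"
done
```

Running it prints the extensions of each certificate next to the verdict: `OK` for device-001, `unsupported certificate purpose` for the cert issued with a serverAuth EKU, and `unable to get local issuer certificate` for the cert from the other root. Comparing this output for the old hierarchy against the freshly generated one narrows the difference down to a specific extension or chain link; the same `ca.pem` and device files can then be handed to `openssl s_server -Verify 1 -CAfile` and `openssl s_client -cert/-key` for the live check.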
