[openssl-users] decrypt error

Scharfenberg, Carsten c.scharfenberg at francotyp.com
Fri Jan 25 10:42:54 UTC 2019

Yes, it is a certificate error: a very stupid one.
I've used the wrong CA cert - from a different hierarchy.

I'm sorry for the hassle.
Nevertheless thanks for your support.


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Jakob Bohm via openssl-users
Sent: Friday, 25 January 2019 02:17
To: openssl-users at openssl.org
Subject: Re: [openssl-users] decrypt error

Since this seems to be a certificate issue, would it be possible
to make the server log all the certificate checking steps and
errors with the failing certificates?

One obvious test would be to try connecting to the "openssl s_server"
utility with a similar configuration and lots of debug options. Another
would be to install all the debug symbols and to run haproxy under a
debugger with strategically set breakpoints to look at the execution stack
when errors are reported or validation occurs.

On 24/01/2019 16:55, Scharfenberg, Carsten wrote:
> Yes, it works if I deactivate client auth.
> Concerning the cipher: I use one specific cipher on server and on client side. This is the only cipher supported by the actual hardware client.
> Concerning the sigalg: I've had big trouble with this because, due to a bug in the client, I need to restrict the sigalgs offered by the server. This is not possible with haproxy. But it is possible with openssl.cnf since version 1.1.1. This is why I've installed haproxy and openssl from Debian testing.
> So I'm very confident about the cipher suite and the signature algorithm.
> I've just created a new certificate hierarchy. Et voila: it works.
> So obviously this issue is certificate-related.
> Still I have to figure out what is wrong with the old certificates because I cannot replace them in the productive environment.
> My next step will be to create a new hierarchy again that matches the original hierarchy as closely as possible (including constraints and extensions).


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
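An added check for exactly the mistake resolved in this thread (a CA file from a different hierarchy configured for client auth); this is example code written for this page, not anything posted by the participants. It builds two constructed, unrelated CA hierarchies and checks a client certificate against the right and the wrong CA file, the way haproxy's ca-file is used. It assumes an OpenSSL CLI of 1.1.0 or later and a default openssl.cnf whose `req -x509` extensions mark the CA certificate as CA:TRUE.

```shell
# Constructed demo (not from the thread): build two unrelated CA hierarchies, then
# check a client certificate from hierarchy A against CA A (chains) and CA B (does
# not), i.e. the "CA cert from a different hierarchy" mistake. Assumes OpenSSL >= 1.1.0
# and a default openssl.cnf whose req -x509 section marks the CA as CA:TRUE.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_hierarchy NAME: self-signed CA plus one client cert it signed, in $WORK/NAME
make_hierarchy() {
    d="$WORK/$1"; mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Demo CA $1" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client-$1" \
        -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$d/client.csr" -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/client.pem" 2>/dev/null
}

# verify_client CAFILE CERT: succeeds only if CERT chains to CAFILE alone
# (-no-CApath/-no-CAfile: ignore the system store, as a server's configured ca-file does)
verify_client() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_matches CAFILE CERT: succeeds if CERT's issuer DN equals CAFILE's subject DN;
# a mismatch here is the quickest way to spot a CA file from the wrong hierarchy
issuer_matches() {
    ca_subj=$(openssl x509 -in "$1" -noout -subject)
    cert_iss=$(openssl x509 -in "$2" -noout -issuer)
    [ "${ca_subj#subject=}" = "${cert_iss#issuer=}" ]
}

# diagnose CAFILE CERT: one-line verdict, plus both DNs when they disagree
diagnose() {
    if verify_client "$1" "$2"; then
        echo "OK: $2 chains to $1"
    elif issuer_matches "$1" "$2"; then
        echo "FAIL: issuer matches but signature/validity check failed"
    else
        echo "FAIL: $2 was not issued by the CA in $1:"
        openssl x509 -in "$1" -noout -subject | sed 's/^/  CA   /'
        openssl x509 -in "$2" -noout -issuer | sed 's/^/  cert /'
    fi
}

make_hierarchy A; make_hierarchy B
diagnose "$WORK/A/ca.pem" "$WORK/A/client.pem"   # OK
diagnose "$WORK/B/ca.pem" "$WORK/A/client.pem"   # FAIL: wrong hierarchy
```

Run `diagnose` with the server's real ca-file and the failing client certificate to distinguish a wrong-hierarchy CA file (issuer DN differs) from a chain that names the right issuer but still fails to validate.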
