Help with SSL 8152 SEC_ERROR_INVALID_KEY Intermittent Error (first post please be kind!)

Matt Caswell matt at openssl.org
Wed Dec 9 13:42:07 UTC 2020



On 09/12/2020 11:35, Craig Henry wrote:
> Hi,
> 
> This is my first post to this list so please be kind!
> 
> Environment - Linux Centos
> SSL - 1.0.2k19-el7
> 
> Connection - CURL (via PHP) with public / private key auth + http basic auth
> 
> We're having an issue where we are seeing intermittent behavior
> connecting to a 3rd party of the key being rejected with a 8152 error -
> "The key does not support the requested operation". Other times it works
> OK.

That error does not come from OpenSSL. It appears to be an NSS error. So
I'd suggest asking on an NSS or CURL forum.

Matt



> 
> We have another user who is using this 3rd party and same connection
> type but not reported this issue.
> 
> Has anyone got any clue as to what might be causing this type of
> intermittent connection issue ?
> 
> The CURL logs are below but altered for privacy reasons.
> 
> Thanks
> 
> 
> 
> -Craig
> 
> *Key blocked response*
> 
> * About to connect() to XXXXXXXX<http://www.ipg-online.com> port 443 (#96)
> *   Trying XXXXXX
> * Connected to XXXXXX (XXXXXXXXX) port 443 (#96)
> *   CAfile: /XXXXX_tlstrust.pem
> <http://tpapi.topicplus.co.uk/public_html/docs/../includes/servers/firstData/WS1110275290_tlstrust.pem>
>   CApath: none
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> * Server certificate:
> * subject: CN=XXXXXXX
> <http://www.ipg-online.com>,O=XXXXXXXX,L=Atlanta,ST=Georgia,C=US
> * start date: Jun 17 00:00:00 2020 GMT
> * expire date: Jun 18 12:00:00 2022 GMT
> * common name: XXXXXXXX <http://www.ipg-online.com>
> * issuer: CN=DigiCert Global CA G2,O=DigiCert Inc,C=US
> * Server auth using Basic with user 'XXXXXXXX'
>> POST /XXXXXX/services HTTP/1.1
> Authorization: Basic XXXXXXXXX
> Host: XXXXXXXX <http://www.ipg-online.com>
> Accept: */*
> Content-Type:text/xml
> Content-Length: 1019
> 
> * upload completely sent off: 1019 out of 1019 bytes
> * NSS: client certificate from file
> * subject: CN=XXXXXXXX,OU=Buntingford,O=XXXXXXXXXX,C=DE
> * start date: Dec 03 10:01:35 2020 GMT
> * expire date: Dec 01 10:01:35 2030 GMT
> * common name: xxxxxxxx
> * issuer: CN=XXXXXX <http://prod.ipg-online.com>,O=XXXXXXXX GmbH,L=Bad
> Vilbel,ST=Hessen,C=DE
> * SSL read: errno -8152 (SEC_ERROR_INVALID_KEY)
> * The key does not support the requested operation.
> * Closing connection 96
> 
> 
> *Successful response*
> 
> * About to connect() to XXXXXXXXXX port 443 (#81)
> *   Trying xxxxxxx...
> * Connected to XXXXXXXX <http://www.ipg-online.com> (XXXXXX) port 443 (#81)
> *   CAfile:
> /XXXXXXXXX<http://tpapi.topicplus.co.uk/public_html/docs/../includes/servers/firstData/WS1110275290_tlstrust.pem>
>   CApath: none
> * SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> * Server certificate:
> * subject: CN=www.xxxxxxxxxxxx
> <http://www.ipg-online.com>,O=XXXXXXn,L=Atlanta,ST=Georgia,C=US
> * start date: Jun 17 00:00:00 2020 GMT
> * expire date: Jun 18 12:00:00 2022 GMT
> * common name: XXXXXXXXXXXXXXX
> * issuer: CN=DigiCert Global CA G2,O=DigiCert Inc,C=US
> * Server auth using Basic with user 'XXXXXXXXX'
>> POST /XXXXX/services HTTP/1.1
> Authorization: Basic xxxxxxxx
> Host: XXXXXXXXX <http://www.ipg-online.com>
> Accept: */*
> Content-Type:text/xml
> Content-Length: 1019
> 
> * upload completely sent off: 1019 out of 1019 bytes
> * NSS: client certificate from file
> * subject: CN=XXXXXXXX,OU=Buntingford,O=XXXXXXXXXX Ltd,C=DE
> * start date: Dec 03 10:01:35 2020 GMT
> * expire date: Dec 01 10:01:35 2030 GMT
> * common name:XXXXXXXXX
> * issuer: CN=XXXXXXXXX <http://prod.ipg-online.com>,O=XXXXXXXXXXXX,L=Bad
> Vilbel,ST=Hessen,C=DE
> < HTTP/1.1 500
> < Date: Tue, 08 Dec 2020 13:42:26 GMT
> < Server: Apache
> < Strict-Transport-Security: max-age=63072000; includeSubdomains
> < X-XSS-Protection: 1; mode=block
> < X-Content-Type-Options: nosniff
> < Cache-Control: no-cache, no-store, must-revalidate
> < Pragma: no-cache
> < X-Frame-Options: SAMEORIGIN
> < Content-Security-Policy: default-src 'self' *.googleapis.com
> <http://googleapis.com> *.klarna.com <http://klarna.com>
> *.masterpass.com <http://masterpass.com> *.mastercard.com
> <http://mastercard.com> *.npci.org.in <http://npci.org.in> 'unsafe-eval'
> 'unsafe-inline'; frame-ancestors 'self'
> < X-Application-Context: application:spring-boot,node-global,node-api:8843
> < Accept: text/xml, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
> < SOAPAction: ""
> < Expires: 0
> < Content-Type: text/xml;charset=utf-8
> < Content-Length: 1481
> < Set-Cookie: JSESSIONID=8778DF260AA5C9E0AAB3E1E4C572453D.ipg_api_k8s;
> Path=/XXXXX; Secure; HttpOnly;HttpOnly;Secure;SameSite=Lax
> < Connection: close
> <
> * Closing connection 81
> 
> *Development Team*
> 
> *tassolutions <http://www.tas-solutions.co.uk/>*
> the attic | south suite | fullbridge mill | maldon | essex | cm9 4le | UK
> 

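As an added example (not code from the thread or from the OpenSSL project), the check below applies Matt's point to a `curl -v` trace mechanically: NSS reports failures as a negative `errno` plus a `SEC_ERROR_`/`SSL_ERROR_`/`PR_` symbolic name, and the `* NSS:` lines show which TLS backend curl was built against, so neither the installed OpenSSL version nor OpenSSL's own error format is involved. The sample traces are constructed from the redacted logs above with placeholder hostnames and DNs; the OpenSSL-style failure line is an assumed approximation of curl's OpenSSL backend output and is there only to show the contrasting `error:<8 hex digits>:` format.

```python
import re

# Constructed sample traces, modelled on the redacted `curl -v` output in the
# post. Hostnames, addresses and DNs are placeholders, not the real values.
NSS_FAILED_TRACE = """\
* Connected to api.example.invalid (203.0.113.10) port 443 (#96)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> POST /example/services HTTP/1.1
* upload completely sent off: 1019 out of 1019 bytes
* NSS: client certificate from file
* subject: CN=client,O=Example Ltd,C=DE
* SSL read: errno -8152 (SEC_ERROR_INVALID_KEY)
* The key does not support the requested operation.
* Closing connection 96
"""

NSS_OK_TRACE = """\
* Connected to api.example.invalid (203.0.113.10) port 443 (#81)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
> POST /example/services HTTP/1.1
* upload completely sent off: 1019 out of 1019 bytes
* NSS: client certificate from file
< HTTP/1.1 500
< Connection: close
* Closing connection 81
"""

# Constructed (assumed) approximation of a curl linked against OpenSSL: the
# error is rendered in OpenSSL's ERR_error_string() form "error:<8 hex>:...".
OPENSSL_FAILED_TRACE = """\
* Connected to api.example.invalid (203.0.113.10) port 443 (#3)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0
* Closing connection 3
"""

# NSS/NSPR: negative errno plus a symbolic name with an NSS-specific prefix.
NSS_ERROR_RE = re.compile(r"errno (-\d+) \(((?:SEC_ERROR|SSL_ERROR|PR)_\w+)\)")
# OpenSSL packs library/function/reason into one 8-hex-digit error code.
OPENSSL_ERROR_RE = re.compile(r"\berror:([0-9A-Fa-f]{8}):")
NSS_BACKEND_RE = re.compile(r"^\* NSS: ")
HTTP_STATUS_RE = re.compile(r"^< HTTP/1\.\d (\d{3})\b")
UPLOAD_DONE_RE = re.compile(r"^\* upload completely sent off")


def triage_curl_trace(trace: str) -> dict:
    """Classify a curl -v trace: which TLS backend produced it, which library's
    error (if any) it reports, and whether the failure came only after the
    request body had already been sent over an established TLS connection."""
    result = {
        "backend": "unknown",      # "nss", "openssl" or "unknown"
        "error_library": None,     # library that owns the reported error code
        "error_code": None,
        "error_name": None,
        "http_status": None,
        "failed_after_upload": False,
    }
    upload_done = False
    for line in trace.splitlines():
        if NSS_BACKEND_RE.match(line):
            result["backend"] = "nss"
        elif UPLOAD_DONE_RE.match(line):
            upload_done = True
        elif (m := HTTP_STATUS_RE.match(line)):
            result["http_status"] = int(m.group(1))
        elif (m := NSS_ERROR_RE.search(line)):
            result.update(backend="nss", error_library="nss",
                          error_code=int(m.group(1)), error_name=m.group(2),
                          failed_after_upload=upload_done)
        elif (m := OPENSSL_ERROR_RE.search(line)):
            result.update(backend="openssl", error_library="openssl",
                          error_code=int(m.group(1), 16), error_name=m.group(1),
                          failed_after_upload=upload_done)
    return result


def where_to_ask(result: dict) -> str:
    """Map a triage result to the component whose maintainers or docs cover
    the error, which is the point of the reply above."""
    if result["error_library"] == "nss":
        return "nss/curl"
    if result["error_library"] == "openssl":
        return "openssl"
    if result["http_status"] is not None:
        return "application/server"
    return "unknown"


if __name__ == "__main__":
    for name, trace in [("failed", NSS_FAILED_TRACE), ("ok", NSS_OK_TRACE),
                        ("openssl", OPENSSL_FAILED_TRACE)]:
        r = triage_curl_trace(trace)
        print(name, r, "->", where_to_ask(r))
```

On the failing trace this reports backend `nss`, error `-8152 SEC_ERROR_INVALID_KEY`, and `failed_after_upload` true, i.e. the TLS connection was up and the request body had gone out before NSS failed while handling the client certificate, which narrows the problem to curl's NSS backend and the key it loaded rather than to the OpenSSL package on the host.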

More information about the openssl-users mailing list