server key exchange signature behavior

Bruce Cloutier bcloutier at integpg.com
Thu Jun 25 15:10:58 UTC 2020 

Has anyone thought about this question? The site is https://jnior.com if
anyone wants to hit it. For me the digital signature in the
server_key_exchange does not verify. Is there a site diagnostic that
might report on this? I suspect that we have not fully configured the
change in certificates. Has us stumped. Could really use a hint.

On 6/23/20 8:03 AM, Bruce Cloutier wrote:
> Hello,
>
> We administer a server (Windows) with a Bitnami stack for a Wordpress
> implementation and that uses Apache Httpd and OpenSSL. Separately I am
> developing the TLS ECC aspect of a controller device implementation and
> note a problematic behavior with the server_key_exchange for ECDHE_RSA.
> The developed device ECDHE_RSA suite works properly and as expected with
> all of the other servers thus far tested. There is likely a
> configuration issue with this Apache installation and I am fishing for a
> hint.
>
> The issue is that the RSA signature as part of the server_key_exchange
> does not decrypt with the supplied certificate public RSA key. It does
> indicate an rsa_pkcs1_sha256 signature.
>
> With a fresh Bitnami install that still uses the default key and
> certificate files, the protocol provides a valid digital signature. When
> we change the server's certificate (and confirm this with the browser)
> the server_key_exchange signature no longer validates. It is as if the
> server continues to use the default key for the signature. I have not
> tried to confirm that specific point.
>
> My immediate question for someone close to the code is where does
> Apache/OpenSSL look for the key file for this signature at this point in
> the protocol?
>
> I am hoping that there is just some additional configuration location
> that needs to be given our new key file and/or certificate. Can anyone
> confirm?
>
> We noted this concern on a production server. We then installed the
> stack on a different machine to confirm the fresh install operation. In
> adding different key and certificate files we confirm that the signature
> then fails. If I ignore the bad signature the secure communications
> succeed.
>
> I have been searching the net for this issue for weeks. That has been
> fruitless. So I am turning to this list.
>
> Bruce
>
>
>
-- 
Sent using Thunderbird on Ubuntu 16.04LTS


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20200625/922b629c/attachment.sig>

More information about the openssl-users mailing list