server key exchange signature behavior

Bruce Cloutier bcloutier at integpg.com
Thu Jun 25 17:04:10 UTC 2020 

Yeah. I doubt it is an OpenSSL issue directly as Apache might be feeding
the wrong key. Just need confirmation that there isn't a default key
configuration setting for OpenSSL that might be taking precedence for
who knows why.

I can connect successfully with the browser so I cannot rule out that my
TLS implementation is faulty. However, it validates with every other
site and it validates with the default install of this bitnami stack.
Once we reconfigure for the new key and certificate, this signature in
the server_key_exchange message fails. Nothing else seems to complain.
My code does, well, because I know that I actually do verify that
signature against the supplied certificate.

So to everyone else it appears that we have configured the new
certificates properly (manually achieved Let's Encrypt cert). If OpenSSL
fails to validate this particular digital signature that would be the
case. If in my TLS implementation I skip this check (actually now I just
post a warning) everything negotiates and proceeds just fine.

Obviously, THAT signature is there for a reason. I should expect if to
validate. Just don't know what key it is using?

I am not sure how to get to the Apache people or, might be, the Bitnami
folks?

Bruce

On 6/25/20 12:07 PM, Michael Wojcik wrote:
>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
>> Bruce Cloutier
>> Sent: Thursday, June 25, 2020 10:11
>>
>> Has anyone thought about this question?
> From your description, it sounds like an Apache issue, not an OpenSSL one. I don't know enough about Apache configuration to comment. (I've configured a few Apache instances in my day, but never had any real issues with it, so I've never done more than search the docs for what I needed and implemented it.)
>
>> The site is https://jnior.com if
>> anyone wants to hit it. For me the digital signature in the
>> server_key_exchange does not verify.
> I just tried openssl s_client, and it didn't complain about anything. Negotiated a TLSv1.2 session with ECDHE-RSA-AES256-GCM-SHA384 and verified the chain.
>
> --
> Michael Wojcik
> Distinguished Engineer, Micro Focus
>
>
>
-- 
Sent using Thunderbird on Ubuntu 16.04LTS


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20200625/f82eaf68/attachment.sig>

More information about the openssl-users mailing list