SSL3_GET_CERT_VERIFY:wrong signature size

on 20.06.2002 19:53:26 by Mary Peterson

I am getting the following error in my apache error log when a user is
using their certificate's private key to digitally sign a registration
form on our website. Does anyone know how to fix this so the error
message doesn't appear? The signing algorithm is sha1RSA.

[error] mod_ssl: SSL handshake failed (server www.test..org, client
xx.xx.xx.xx) (OpenSSL library error follows)
[error] OpenSSL: error:14088109:SSL routines:SSL3_GET_CERT_VERIFY:wrong
signature size

I would appreciate any assistance that anyone could give. Thanks!
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL3_GET_CERT_VERIFY:wrong signature size

on 26.06.2002 19:02:41 by Mary Peterson

The client is Internet Explorer 5.0. We do not get the error when we
authenticate to the site, however when a user submits a registration
form they have to digitally sign their registration form with their
private key. That is when we get the error. The signing algorithm that
our certificate management system uses is SHA1withRSA. On the details
of the certificate under Signature Algorithm it says sha1RSA.

I am not familiar with doing an ssldump trace. I am on a Windows 2000
server. Can this be done in that environment?

I hope this is enough information for you. Thanks for your help!

>>> ekr@rtfm.com 06/26/02 11:02AM >>>
"Mary Peterson" writes:

> Can anyone help with this problem???
>
> I am getting the following error in my apache error log when a user is
> using their certificate's private key to digitally sign a registration
> form on our website. Does anyone know how to fix this so the error
> message doesn't appear? The signing algorithm is sha1RSA. Does
> something need to be added to the sslciphersuite of the httpd.conf?
>
>
> [error] mod_ssl: SSL handshake failed (server www.test..org, client
> xx.xx.xx.xx) (OpenSSL library error follows)
> [error] OpenSSL: error:14088109:SSL routines:SSL3_GET_CERT_VERIFY:wrong
> signature size
>
> I would appreciate any assistance that anyone could give. Thanks!

Talking about sha1RSA doesn't make sense in the context of SSL client
authentication (which is what this error indicates). All SSL client
authentication (with RSA) uses two hashes, MD5 and SHA-1.

Some questions:
(1) What client are you using?
(2) What exactly are you doing that leads you to believe that
sha1RSA is being used?
(3) Can you get an ssldump trace of this transaction?
Use -NAx so that we get the maximal amount of data.

-Ekr


--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/

Re: SSL3_GET_CERT_VERIFY:wrong signature size

on 26.06.2002 19:25:10 by Eric Rescorla

"Mary Peterson" writes:
> The client is Internet Explorer 5.0. We do not get the error when we
> authenticate to the site, however when a user submits a registration
> form they have to digitally sign their registration form with their
> private key. That is when we get the error. The signing algorithm that
> our certificate management system uses is SHA1withRSA. On the details
> of the certificate under Signature Algorithm it says sha1RSA.
Ok. This is just the algorithm that the cert was signed with, not
the one that is being used for the signature being verified.

> I am not familiar with doing an ssldump trace. I am on a Windows 2000
> server. Can this be done in that environment?
Yes, if you contact me directly I can provide a binary.

-Ekr

--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
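
An added example, not part of the thread or of mod_ssl/OpenSSL: it builds the MD5 plus SHA-1 input that an RSA client signs in CertificateVerify (TLS 1.0 form, RFC 2246), which is independent of the sha1RSA algorithm the certificate itself was signed with, and then classifies a CertificateVerify body by size. The function names and sample bytes are constructed, and the comparison against the client key size is an assumption about what the server-side "wrong signature size" check does.

```python
import hashlib
import struct


def tls10_cert_verify_input(handshake_messages: bytes) -> bytes:
    """Return MD5 || SHA-1 of the handshake transcript (16 + 20 = 36 bytes).

    This is what an RSA client signs in CertificateVerify under TLS 1.0.
    It has nothing to do with the algorithm the CA used to sign the cert.
    """
    md5 = hashlib.md5(handshake_messages, usedforsecurity=False).digest()
    sha1 = hashlib.sha1(handshake_messages, usedforsecurity=False).digest()
    return md5 + sha1


def check_cert_verify(body: bytes, modulus_bits: int) -> str:
    """Classify a CertificateVerify body: uint16 length, then the signature.

    Assumption: the server rejects any signature longer than the RSA
    modulus of the public key in the client certificate it received.
    """
    if len(body) < 2:
        return "truncated"
    (sig_len,) = struct.unpack("!H", body[:2])
    remaining = len(body) - 2
    if sig_len > remaining:
        return "length mismatch"
    key_bytes = (modulus_bits + 7) // 8
    if sig_len > key_bytes or remaining > key_bytes or remaining <= 0:
        return "wrong signature size"
    return "size ok"


if __name__ == "__main__":
    transcript = b"constructed handshake transcript"  # constructed sample
    print(len(tls10_cert_verify_input(transcript)), "bytes are signed")

    # Constructed bodies: a 128-byte and a 256-byte signature, each
    # checked against a 1024-bit (128-byte) client certificate key.
    matching = struct.pack("!H", 128) + b"\x00" * 128
    oversized = struct.pack("!H", 256) + b"\x00" * 256
    print(check_cert_verify(matching, 1024))
    print(check_cert_verify(oversized, 1024))
```

A signature larger than the certificate's key size means the key that produced it is not the one in the certificate the server is verifying against, which is why an ssldump trace of the handshake is the next diagnostic step.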