SSL3_GET_CERT_VERIFY:wrong signature size

on 26.06.2002 17:42:51 by Mary Peterson

Can anyone help with this problem???

I am getting the following error in my apache error log when a user is
using their certificate's private key to digitally sign a registration
form on our website. Does anyone know how to fix this so the error
message doesn't appear? The signing algorithm is sha1RSA. Does
something need to be added to the sslciphersuite of the httpd.conf?


[error] mod_ssl: SSL handshake failed (server www.test..org, client
xx.xx.xx.xx) (OpenSSL library error follows)
[error] OpenSSL: error:14088109:SSL routines:SSL3_GET_CERT_VERIFY:wrong
signature size

I would appreciate any assistance that anyone could give. Thanks!
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSL3_GET_CERT_VERIFY:wrong signature size

on 26.06.2002 18:02:26 by Eric Rescorla

"Mary Peterson" writes:

> Can anyone help with this problem???
>
> I am getting the following error in my apache error log when a user is
> using their certificate's private key to digitally sign a registration
> form on our website. Does anyone know how to fix this so the error
> message doesn't appear? The signing algorithm is sha1RSA. Does
> something need to be added to the sslciphersuite of the httpd.conf?
>
>
> [error] mod_ssl: SSL handshake failed (server www.test..org, client
> xx.xx.xx.xx) (OpenSSL library error follows)
> [error] OpenSSL: error:14088109:SSL routines:SSL3_GET_CERT_VERIFY:wrong
> signature size
>
> I would appreciate any assistance that anyone could give. Thanks!

Talking about sha1RSA doesn't make sense in the context of SSL client
authentication (which is what this error indicates). All SSL client
authentication (with RSA) uses two hashes, MD5 and SHA-1.

Some questions:
(1) What client are you using?
(2) What exactly are you doing that leads you to believe that
sha1RSA is being used?
(3) Can you get an ssldump trace of this transaction?
Use -NAx so that we get the maximal amount of data.

-Ekr


--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
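
The distinction drawn in the reply above, as an added example that is not part of the thread and not OpenSSL's code: in TLS 1.0 an RSA CertificateVerify signs the raw 36-byte MD5 || SHA-1 of the handshake messages, whereas a sha1RSA signature signs a DigestInfo-wrapped SHA-1. The function names are hypothetical, and the size check (signature no longer than the RSA modulus) is an assumption about what the error name implies.

```python
import hashlib

# ASN.1 DigestInfo prefix for SHA-1, as used by sha1WithRSAEncryption (PKCS#1 v1.5).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")


def cert_verify_input(handshake_messages: bytes) -> bytes:
    """TLS 1.0 RSA CertificateVerify payload: MD5 || SHA-1, no DigestInfo (36 bytes)."""
    return (hashlib.md5(handshake_messages).digest()
            + hashlib.sha1(handshake_messages).digest())


def sha1rsa_input(message: bytes) -> bytes:
    """Payload of a sha1RSA signature: DigestInfo prefix || SHA-1 (35 bytes)."""
    return SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()


def pkcs1_type1_pad(payload: bytes, modulus_bytes: int) -> bytes:
    """PKCS#1 v1.5 block type 1: 00 01 FF..FF 00 payload, as long as the modulus."""
    pad_len = modulus_bytes - len(payload) - 3
    if pad_len < 8:
        raise ValueError("modulus too small for payload")
    return b"\x00\x01" + b"\xff" * pad_len + b"\x00" + payload


def parse_certificate_verify(body: bytes, modulus_bytes: int) -> bytes:
    """Split the body (2-byte length + signature); assumed checks, not OpenSSL's source."""
    if len(body) < 2:
        raise ValueError("length mismatch")
    sig_len = int.from_bytes(body[:2], "big")
    sig = body[2:]
    if sig_len != len(sig):
        raise ValueError("length mismatch")
    if sig_len == 0 or sig_len > modulus_bytes:
        raise ValueError("wrong signature size")
    return sig


if __name__ == "__main__":
    transcript = b"constructed handshake transcript"  # constructed sample data
    k = 128                                            # byte length of a 1024-bit modulus
    print(len(cert_verify_input(transcript)), len(sha1rsa_input(transcript)))
    print(len(pkcs1_type1_pad(cert_verify_input(transcript), k)))
    print(len(parse_certificate_verify(k.to_bytes(2, "big") + bytes(k), k)))
    try:  # a signature one byte longer than the modulus is rejected
        parse_certificate_verify((k + 1).to_bytes(2, "big") + bytes(k + 1), k)
    except ValueError as exc:
        print("rejected:", exc)
```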