On 2012/05/08 04:53 PDT, Bernhard Thalmayr wrote:
>
> Hi experts, an OpenAM community member is using OpenAM policy agent to connect to an ssl-secured server.
>
> The policy agent uses NSPR 4.8.2, NSS 3.12.5.0 optimized build for Linux (RHEL) 64bit.
>
> If the agent tries to open a connection to a specific, ssl-enabled OpenAM server, error '-8152' is raised.
>
> What might be the root-cause for this error?
>
> Could I get some additional output from an optimized build or do I really need a 'DEBUG' build to leverage NSS environment variables (https://developer.mozilla.org/en/NSS_reference/NSS_environment_variables)?
>
> Interestingly the same agent can connect to other ssl-enabled servers.
>
> Unfortunately the community member will / can not provide a network trace showing the handshake messages.
>
> TIA,
> Bernhard
Bernhard,

I think the most likely explanations are these:

1) Server certificate has a public key that is too small, too large, has a too small public exponent (if RSA), an unknown key type, or a key for an Elliptic Curve that is not supported by NSS.

2) Some other certificate in the server's cert chain has one of the above problems.

3) The server is attempting to use "Server Key Exchange" for forward secrecy, and the key it is offering for that purpose has one of the problems mentioned above.

4) The server is selecting a cipher suite that is incompatible with the type of key in its public key certificate.

I suggest you use tcpdump or ssltap to get a trace of your own.

Regards,
/Nelson

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
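Items 1 and 2 of the reply (and the key offered in item 3) all come down to inspecting the public key a certificate carries, which is what NSS rejects with error -8152 (SEC_ERROR_INVALID_KEY in its error table). The script below is an added example and is not part of this thread, of NSS or of the OpenAM agent. It parses a DER SubjectPublicKeyInfo with a minimal standard-library decoder and reports the same classes of problem: an RSA modulus outside a size range, a public exponent below a minimum (or even), an unknown key algorithm, or an EC named curve outside an allow-list. The size limits and the curve allow-list are assumptions chosen for the example, not NSS's compiled-in values, and the sample keys are constructed inside the script (the RSA "modulus" is just a random odd number of the requested bit length), so it runs offline.

```python
"""Check a DER SubjectPublicKeyInfo for the key problems that make a TLS client
reject a server certificate.  Standard library only; sample keys are constructed."""
import random

OID_RSA = "1.2.840.113549.1.1.1"
OID_EC = "1.2.840.10045.2.1"
# Assumed curve allow-list for this example (not NSS's real curve table).
SUPPORTED_CURVES = {"1.2.840.10045.3.1.7", "1.3.132.0.34", "1.3.132.0.35"}
# Assumed policy limits for this example (NSS has its own compiled-in limits).
MIN_RSA_BITS, MAX_RSA_BITS, MIN_RSA_EXPONENT = 1024, 8192, 3

def _tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the tag-length-value element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq):
    out, pos = [], 0                        # split a SEQUENCE body into (tag, value) pairs
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def _decode_oid(val):
    arcs, cur = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:                       # base-128 arcs, high bit = continuation
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))

def describe_key(spki_der):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }."""
    _, spki, _ = _tlv(spki_der)
    (_, alg), (_, bitstr) = _children(spki)
    alg_parts = _children(alg)              # [algorithm OID, parameters]
    oid, key_bytes = _decode_oid(alg_parts[0][1]), bitstr[1:]   # skip unused-bits octet
    if oid == OID_RSA:                      # RSAPublicKey ::= SEQUENCE { n, e }
        (_, n), (_, e) = _children(_tlv(key_bytes)[1])
        return {"type": "RSA", "bits": int.from_bytes(n, "big").bit_length(),
                "exponent": int.from_bytes(e, "big")}
    if oid == OID_EC:                       # parameters carry the namedCurve OID
        return {"type": "EC", "curve": _decode_oid(alg_parts[1][1])}
    return {"type": "unknown", "oid": oid}

def find_problems(key):
    """Return the reasons a validator with the limits above would reject the key."""
    p = []
    if key["type"] == "RSA":
        if key["bits"] < MIN_RSA_BITS:
            p.append(f"RSA modulus too small ({key['bits']} bits)")
        elif key["bits"] > MAX_RSA_BITS:
            p.append(f"RSA modulus too large ({key['bits']} bits)")
        if key["exponent"] < MIN_RSA_EXPONENT or key["exponent"] % 2 == 0:
            p.append(f"RSA public exponent {key['exponent']} is too small or even")
    elif key["type"] == "EC" and key["curve"] not in SUPPORTED_CURVES:
        p.append(f"EC curve {key['curve']} is not supported")
    elif key["type"] == "unknown":
        p.append(f"unknown key algorithm {key['oid']}")
    return p

# Minimal DER encoder, used only to build the constructed sample keys below.
def _enc(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return _enc(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep INTEGER positive

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _enc(0x06, bytes(out))

def rsa_spki(bits, e, seed=1):
    """Constructed sample: a random odd number of exactly `bits` bits stands in for n."""
    n = random.Random(seed).getrandbits(bits) | (1 << (bits - 1)) | 1
    rsa = _enc(0x30, _int(n) + _int(e))
    return _enc(0x30, _enc(0x30, _oid(OID_RSA) + b"\x05\x00") + _enc(0x03, b"\x00" + rsa))

def ec_spki(curve_oid):
    """Constructed sample: placeholder uncompressed point; only the curve OID is checked."""
    point = b"\x04" + bytes(64)
    return _enc(0x30, _enc(0x30, _oid(OID_EC) + _oid(curve_oid)) + _enc(0x03, b"\x00" + point))
```

For a real certificate, the PEM block printed by `openssl x509 -in cert.pem -pubkey -noout` is exactly this SubjectPublicKeyInfo structure, base64-encoded; decode it and pass the bytes to `describe_key`, and run the same check over every certificate in the chain to cover item 2. `find_problems(describe_key(rsa_spki(512, 65537)))` returns `['RSA modulus too small (512 bits)']`, while a 2048-bit key with exponent 65537 and a P-384 key return an empty list.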