The client is Internet Explorer 5.0.  We do not get the error when we
authenticate to the site, however when a user submits a registration
form they have to digitally sign their registration form with their
private key.  That is when we get the error.  The signing algorithm that
our certificate management system uses is SHA1withRSA.  On the details
of the certificate under Signature Algorithm it says sha1RSA.

I am not familiar with doing an ssldump trace.  I am on a Windows 2000
server.  Can this be done in that environment?

I hope this is enough information for you.  Thanks for your help!

>>> [EMAIL PROTECTED] 06/26/02 11:02AM >>>
"Mary Peterson" <[EMAIL PROTECTED]> writes:

> Can anyone help with this problem???
> 
> I am getting the following error in my apache error log when a user is
> using their certificate's private key to digitally sign a registration
> form on our website.  Does anyone know how to fix this so the error
> message doesn't appear?  The signing algorithm is sha1RSA.  Does
> something need to be added to the sslciphersuite of the httpd.conf?
> 
> 
> [error] mod_ssl: SSL handshake failed (server www.test..org, client xx.xx.xx.xx) (OpenSSL library error follows)
> [error] OpenSSL: error:14088109:SSL routines:SSL3_GET_CERT_VERIFY:wrong signature size
> 
> I would appreciate any assistance that anyone could give.  Thanks!

Talking about sha1RSA doesn't make sense in the context of SSL client
authentication (which is what this error indicates). All SSL client
authentication (with RSA) uses two hashes, MD5 and SHA-1.

Some questions:
(1) What client are you using?
(2) What exactly are you doing that leads you to believe that
sha1RSA is being used?
(3) Can you get an ssldump trace of this transaction?
Use -NAx so that we get the maximal amount of data.

-Ekr


-- 
[Eric Rescorla                                   [EMAIL PROTECTED]] 
                http://www.rtfm.com/ 
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org

User Support Mailing List                      [EMAIL PROTECTED]

Automated List Manager                            [EMAIL PROTECTED]
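
An added illustration of the reply above (not code from the thread, mod_ssl or OpenSSL): in TLS 1.0 (RFC 2246) an RSA client's CertificateVerify signs the 36-byte value MD5 || SHA-1 of the handshake messages, padded with PKCS#1 block type 1 and no DigestInfo, and the signature is as long as the key's modulus. The toy key, the sample transcript and the order of checks in `verify` are assumptions made for this example.

```python
import hashlib

# Constructed toy RSA key (two Mersenne primes): illustration only, not secure.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus size in bytes (141 here)


def cert_verify_digest(handshake_messages: bytes) -> bytes:
    """36-byte value signed in a TLS 1.0 RSA CertificateVerify: MD5 || SHA-1."""
    return (hashlib.md5(handshake_messages).digest()
            + hashlib.sha1(handshake_messages).digest())


def pkcs1_type1(payload: bytes, k: int) -> bytes:
    """PKCS#1 v1.5 block type 1 padding, with no DigestInfo wrapper."""
    if len(payload) > k - 11:
        raise ValueError("payload too long for this modulus")
    return b"\x00\x01" + b"\xff" * (k - 3 - len(payload)) + b"\x00" + payload


def sign(handshake_messages: bytes) -> bytes:
    """Client side: raw RSA private-key operation over the padded hashes."""
    em = pkcs1_type1(cert_verify_digest(handshake_messages), K)
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def verify(handshake_messages: bytes, signature: bytes) -> str:
    # Hypothetical server-side order: length first, then the padded hashes.
    if len(signature) != K:
        return "wrong signature size"
    s = int.from_bytes(signature, "big")
    if s >= N:
        return "bad signature"
    em = pow(s, E, N).to_bytes(K, "big")
    expected = pkcs1_type1(cert_verify_digest(handshake_messages), K)
    return "ok" if em == expected else "bad signature"


# Constructed stand-in for the concatenated handshake messages.
TRANSCRIPT = b"ClientHello|ServerHello|Certificate|ClientKeyExchange"
SIG = sign(TRANSCRIPT)
```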