> [[email protected] - Fri Mar 23 11:59:30 2012]:
>
> Hi,
> after updating to openssl 1.0.1 (debian package), authentication
> against a test server with a 512 bit rsa key gives :
>
> openssl s_client -connect 127.0.0.1:12346 -key /home/dev/agent1-key.pem -cert /home/dev/agent1-cert.pem
> ...
> 139860308645544:error:04075070:rsa routines:RSA_sign:digest too big for rsa key:rsa_sign.c:127:
> 139860308645544:error:14099006:SSL routines:SSL3_SEND_CLIENT_VERIFY:EVP lib:s3_clnt.c:2974:
> ...
>
> Downgrading to openssl 1.0.0h fixes the issue.
> Please find attached the key/certificate.
> (they have been made for testing purposes).
>
> I guess this is unexpected behavior, and I did not find any recent
> similar report.

The reason for this is that OpenSSL 1.0.1 supports TLS v1.2 and the digest algorithm it uses by default is SHA512. A 512 bit RSA key is not large enough for SHA512 so you get that error.

If you disable TLS v1.2 with -no_tls1_2 or use a larger key this won't happen. Use of 512 bit RSA keys is discouraged anyway for security reasons.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
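
Added example, not part of the original message and not OpenSSL's code: the PKCS#1 v1.5 signature encoding from RFC 8017 (section 9.2) needs the DER DigestInfo plus at least 11 bytes of padding to fit in the modulus, which is the size rule behind "digest too big for rsa key". The function names are assumptions made for this sketch; the sample message is constructed.

```python
import hashlib

# DER DigestInfo prefixes listed in RFC 8017, section 9.2, note 1.
DIGEST_INFO_PREFIX = {
    "sha1":   bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha384": bytes.fromhex("3041300d060960864801650304020205000430"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
# 0x00 0x01, at least eight 0xFF bytes, then 0x00.
PKCS1_MIN_PADDING = 11


def emsa_pkcs1_v15_encode(message, hash_name, modulus_bits):
    """Return the padded block that RSA would sign, or raise ValueError
    when the key is too small for the chosen digest."""
    em_len = (modulus_bits + 7) // 8
    digest = hashlib.new(hash_name, message).digest()
    t = DIGEST_INFO_PREFIX[hash_name] + digest
    if em_len < len(t) + PKCS1_MIN_PADDING:
        raise ValueError(
            f"{hash_name}: DigestInfo is {len(t)} bytes, "
            f"{modulus_bits}-bit key holds {em_len - PKCS1_MIN_PADDING}"
        )
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def min_modulus_bits(hash_name):
    """Smallest modulus size (in bits) that can carry this digest."""
    size = hashlib.new(hash_name).digest_size
    return 8 * (len(DIGEST_INFO_PREFIX[hash_name]) + size + PKCS1_MIN_PADDING)


def fits(hash_name, modulus_bits):
    """True if a PKCS#1 v1.5 signature with this digest fits the key."""
    try:
        emsa_pkcs1_v15_encode(b"constructed sample", hash_name, modulus_bits)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for name in DIGEST_INFO_PREFIX:
        print(f"{name:7} min key {min_modulus_bits(name):4} bits, "
              f"fits 512-bit key: {fits(name, 512)}")
```

With a 512-bit key, SHA-1 and SHA-256 still fit while SHA-384 and SHA-512 do not, so a key-size inventory can use the same arithmetic to flag certificates that will fail once a peer negotiates a larger digest.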
