Hello Marek, thanks for the hint.
> One workaround of this problem is to disable EDH ciphers, for example: > > $ openssl s_client -connect bshop.esprit.com:443 -cipher 'ALL:!EDH' I tried this, but got exact the same error messages! Then I looked up the cipher specs on http://www.openssl.org/docs/apps/ciphers.html and used -cipher 'ALL:!kEDH' and then I was able to connect. Where is the difference between 'ALL:!EDH' and 'ALL:!kEDH' (beside that one works and the other not) ? Bye Jan Marek Marcola wrote: > Hello, >> it seems that there are some incompatibilities out there. For some hosts >> establishing a SSL connection fails, when using openssl, but it succeeds when >> using a browser. This in one example: >> >> F:\openssl>openssl.exe s_client -connect bshop.esprit.com:443 >> Loading 'screen' into random state - done >> CONNECTED(00000778) >> depth=1 /C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and >> Conditions of >> use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo >> Class 3 >> Security Services CA >> verify error:num=20:unable to get local issuer certificate >> verify return:0 >> 3056:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type >> is not >> 01:.\crypto\rsa\rsa_pk1.c:100: >> 3056:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check >> failed:.\c >> rypto\rsa\rsa_eay.c:580: >> 3056:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad >> signature:.\ssl\s3_cl >> nt.c:1189: >> >> >> Can anybody explain it and give me a hint how I can connect with openssl to >> that >> host? Maybe there is a compatibility switch? > After looking at packet exchange I think that in ServerKeyExchange > packet (which comes from bshop.esprit.com) there is bad signature > of DHE parameters (Ys,p,g). > In DHE server key exchange DH parameters are signed with server private > key and client should check this signature to prevent man-in-the-middle > attack. This looks like this parameters are signed with private key > that is not compatible with certificate sent to client with Certificate > packet. > One workaround of this problem is to disable EDH ciphers, for example: > > $ openssl s_client -connect bshop.esprit.com:443 -cipher 'ALL:!EDH' > > Best regards, -- Bye Jan [EMAIL PROTECTED] [EMAIL PROTECTED] ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
