
List:       openssl-users
Subject:    Re: [openssl-1.1.1l] TLS1.2 Server responses with Alert
From:       Mark Hack <markhack () markhack ! com>
Date:       2022-01-01 7:48:25
Message-ID: abcec7b3e2f12619015128811528090e09206b51.camel () markhack ! com

The server error is correct - the signature_algorithms_cert extension
does not offer rsa_pkcs1_sha256 (0x0401) which is the server
certificate signing algorithm.
If the client is written in Java, check java.security for
"jdk.certpath.disabledAlgorithms" and check the constraints.


On Fri, 2021-12-31 at 15:05 +0000, Michael Wojcik wrote:
> > From: openssl-users <openssl-users-bounces@openssl.org> On Behalf
> > Of Ma Zhenhua
> > Sent: Thursday, 30 December, 2021 23:59
> > On the SSL/TLS server, there's one error as follows. 
> > "SSL Error(118) - no suitable signature algorithm"
> 
> Debugging handshake failures isn't my area of expertise, but I note
> both ClientHellos include a signature_algorithms extension, and the
> contents are quite different. In particular, the successful
> ClientHello includes the Signature Hash Algorithm Hash and Signature
> Hash Algorithm Signature parameters, while the failing one doesn't.
> 
> The failing one also includes a signature_algorithms_cert extension,
> while the successful one does not. I don't know offhand how the
> algorithms specified in that extension correspond to the signature-
> algorithm OIDs in signatures, but the server's certificate has
> 1.2.840.113549.1.1.11 (sha256WithRSAEncryption) which seems like it
> ought to correspond to either rsa_pss_rsae_sha256 or
> rsa_pss_pss_sha256. (Apparently those are both RSA-PSS with SHA256,
> as the name implies, and the difference between the two of them is
> whether the public key is encoded using the rsaEncryption format in
> the certificate, or the id-RSASSA-PSS format. The failing client is
> saying it understands both, AIUI.)
> 
> So my guess would be the server is unhappy that the failing client's
> ClientHello doesn't include the parameters for the various supported
> signature schemes in its signature_algorithms extension. But that's
> just a guess, and I don't know how you'd fix it.
> 
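
Added example, not part of the original thread or of OpenSSL: a Python check of the condition described in the reply above, namely whether a ClientHello offers the scheme that matches the server certificate's signature OID (0x0401 for 1.2.840.113549.1.1.11). The function names, the RSA-only OID table, and the sample ClientHello builder are constructed for illustration.

```python
import struct

EXT_SIGALGS, EXT_SIGALGS_CERT = 13, 50  # TLS extension types (RFC 8446, 4.2)
SCHEMES = {  # SignatureScheme code points (RFC 8446, 4.2.3), RSA subset
    0x0401: "rsa_pkcs1_sha256", 0x0501: "rsa_pkcs1_sha384", 0x0601: "rsa_pkcs1_sha512",
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384", 0x0806: "rsa_pss_rsae_sha512",
    0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384", 0x080B: "rsa_pss_pss_sha512",
}
OID_TO_SCHEME = {  # certificate signatureAlgorithm OID -> scheme the client must offer
    "1.2.840.113549.1.1.11": 0x0401,  # sha256WithRSAEncryption (PKCS#1 v1.5)
    "1.2.840.113549.1.1.12": 0x0501, "1.2.840.113549.1.1.13": 0x0601,  # sha384 / sha512
}

def client_hello_extensions(hs: bytes) -> dict:
    """Map extension type -> raw data for one ClientHello handshake message."""
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    pos = 4 + 2 + 32                                 # header, legacy_version, random
    pos += 1 + hs[pos]                               # session_id
    pos += 2 + struct.unpack_from(">H", hs, pos)[0]  # cipher_suites
    pos += 1 + hs[pos]                               # compression_methods
    end = pos + 2 + struct.unpack_from(">H", hs, pos)[0]
    pos, exts = pos + 2, {}
    while pos + 4 <= end:
        etype, elen = struct.unpack_from(">HH", hs, pos)
        exts[etype] = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def cert_signature_acceptable(hs: bytes, cert_sig_oid: str):
    """Return (ok, extension consulted, offered scheme names)."""
    exts = client_hello_extensions(hs)
    # signature_algorithms_cert, when sent, governs certificate signatures;
    # otherwise signature_algorithms covers them too (RFC 8446, 4.2.3).
    src = EXT_SIGALGS_CERT if EXT_SIGALGS_CERT in exts else EXT_SIGALGS
    data = exts.get(src, b"\x00\x00")
    # SignatureSchemeList: uint16 byte length, then uint16 code points
    offered = [c for (c,) in struct.iter_unpack(">H", data[2:])]
    names = [SCHEMES.get(c, hex(c)) for c in offered]
    return OID_TO_SCHEME.get(cert_sig_oid) in offered, src, names

def constructed_hello(sigalgs, sigalgs_cert=None) -> bytes:
    """Constructed minimal ClientHello for the demo, not a capture from the thread."""
    def ext(t, codes):
        body = b"".join(struct.pack(">H", c) for c in codes)
        return struct.pack(">HHH", t, len(body) + 2, len(body)) + body
    exts = ext(13, sigalgs) + (ext(50, sigalgs_cert) if sigalgs_cert else b"")
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
    body += struct.pack(">H", len(exts)) + exts
    return b"\x01" + len(body).to_bytes(3, "big") + body
```

To use it on a real capture, pass the handshake message bytes starting at the 0x01 handshake type (after the 5-byte TLS record header) and the signature algorithm OID from the server certificate.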
