Hello, We administer a server (Windows) with a Bitnami stack for a Wordpress implementation and that uses Apache Httpd and OpenSSL. Separately I am developing the TLS ECC aspect of a controller device implementation and note a problematic behavior with the server_key_exchange for ECDHE_RSA. The developed device ECDHE_RSA suite works properly and as expected with all of the other servers thus far tested. There is likely a configuration issue with this Apache installation and I am fishing for a hint. The issue is that the RSA signature as part of the server_key_exchange does not decrypt with the supplied certificate public RSA key. It does indicate an rsa_pkcs1_sha256 signature. With a fresh Bitnami install that still uses the default key and certificate files, the protocol provides a valid digital signature. When we change the server's certificate (and confirm this with the browser) the server_key_exchange signature no longer validates. It is as if the server continues to use the default key for the signature. I have not tried to confirm that specific point. My immediate question for someone close to the code is where does Apache/OpenSSL look for the key file for this signature at this point in the protocol? I am hoping that there is just some additional configuration location that needs to be given our new key file and/or certificate. Can anyone confirm? We noted this concern on a production server. We then installed the stack on a different machine to confirm the fresh install operation. In adding different key and certificate files we confirm that the signature then fails. If I ignore the bad signature the secure communications succeed. I have been searching the net for this issue for weeks. That has been fruitless. So I am turning to this list. Bruce -- Sent using Thunderbird on Ubuntu 16.04LTS
Attachment:
signature.asc
Description: OpenPGP digital signature
