Has anyone thought about this question? The site is https://jnior.com if anyone wants to hit it. For me the digital signature in the server_key_exchange does not verify. Is there a site diagnostic that might report on this? I suspect that we have not fully configured the change in certificates. Has us stumped. Could really use a hint. On 6/23/20 8:03 AM, Bruce Cloutier wrote: > Hello, > > We administer a server (Windows) with a Bitnami stack for a Wordpress > implementation and that uses Apache Httpd and OpenSSL. Separately I am > developing the TLS ECC aspect of a controller device implementation and > note a problematic behavior with the server_key_exchange for ECDHE_RSA. > The developed device ECDHE_RSA suite works properly and as expected with > all of the other servers thus far tested. There is likely a > configuration issue with this Apache installation and I am fishing for a > hint. > > The issue is that the RSA signature as part of the server_key_exchange > does not decrypt with the supplied certificate public RSA key. It does > indicate an rsa_pkcs1_sha256 signature. > > With a fresh Bitnami install that still uses the default key and > certificate files, the protocol provides a valid digital signature. When > we change the server's certificate (and confirm this with the browser) > the server_key_exchange signature no longer validates. It is as if the > server continues to use the default key for the signature. I have not > tried to confirm that specific point. > > My immediate question for someone close to the code is where does > Apache/OpenSSL look for the key file for this signature at this point in > the protocol? > > I am hoping that there is just some additional configuration location > that needs to be given our new key file and/or certificate. Can anyone > confirm? > > We noted this concern on a production server. We then installed the > stack on a different machine to confirm the fresh install operation. In > adding different key and certificate files we confirm that the signature > then fails. If I ignore the bad signature the secure communications > succeed. > > I have been searching the net for this issue for weeks. That has been > fruitless. So I am turning to this list. > > Bruce > > > -- Sent using Thunderbird on Ubuntu 16.04LTS
Attachment:
signature.asc
Description: OpenPGP digital signature
