Hello, > it seems that there are some incompatibilities out there. For some hosts > establishing a SSL connection fails, when using openssl, but it succeeds when > using a browser. This in one example: > > F:\openssl>openssl.exe s_client -connect bshop.esprit.com:443 > Loading 'screen' into random state - done > CONNECTED(00000778) > depth=1 /C=GB/O=Comodo Limited/OU=Comodo Trust Network/OU=Terms and > Conditions of > use: http://www.comodo.net/repository/OU=(c)2002 Comodo Limited/CN=Comodo > Class 3 > Security Services CA > verify error:num=20:unable to get local issuer certificate > verify return:0 > 3056:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is > not > 01:.\crypto\rsa\rsa_pk1.c:100: > 3056:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check > failed:.\c > rypto\rsa\rsa_eay.c:580: > 3056:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad > signature:.\ssl\s3_cl > nt.c:1189: > > I have seen the "RSA_padding_check_PKCS1_type_1" when verifying a CRL, too. > > Can anybody explain it and give me a hint how I can connect with openssl to > that > host? Maybe there is a compatibility switch? After looking at packet exchange I think that in ServerKeyExchange packet (which comes from bshop.esprit.com) there is bad signature of DHE parameters (Ys,p,g). In DHE server key exchange DH parameters are signed with server private key and client should check this signature to prevent man-in-the-middle attack. This looks like this parameters are signed with private key that is not compatible with certificate sent to client with Certificate packet. One workaround of this problem is to disable EDH ciphers, for example:
$ openssl s_client -connect bshop.esprit.com:443 -cipher 'ALL:!EDH' Best regards, -- Marek Marcola <[EMAIL PROTECTED]> ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
