> From: owner-openssl-us...@openssl.org On Behalf Of Mohan Radhakrishnan
> Sent: Friday, 04 December, 2009 05:54
>
> We see this message "no available certificates or key
> corresponding to the cipher suites" even before establishing a
> handshake. It is a mutual handshake. So keystores and truststores are
> there on both sides. Algorithms are RSA.
>
Do you mean before starting the handshake (before connection), or on connection before/without the handshake succeeding?

If the former, it's definitely not due to the other party. It must be between the local config and the local keystore. (Truststore only matters for authenticating the other party.)

If it happens on connection, it *could* still be a local problem that just doesn't get detected and reported until the connection attempt tries to use it. Which party and what software is reporting this, and exactly what does it say, and what if anything does the other party say about the connection attempt (e.g. does it get an SSL alert)?

> Could this be caused due to an RSA bit size mismatch? Would this error
> message be caused if one pair of keystore and truststore use 2048 and
> the other pair of keystore and truststore use 1024? Please share your
> experience.
>
No. RSA as used in SSL/TLS allows any (reasonable) size, and 1k and 2k are definitely reasonable. Each party normally chooses its own key.

A truststore must match the cert(s) used by the OTHER party(ies). For example, if server is authenticated by a self-signed cert with RSA 3k key, client must have *that* cert in its truststore, and thus *that* cert must use RSA 3k. It may have other certs in its truststore with different keytype/size, for the same or other parties. (Of course there's no point in having certs for, and if self-signed using, PK algorithms you won't negotiate.)

If the server is authenticated by a CA-signed cert, the client truststore must contain the *CA* cert, with the CA keytype/size, which may differ from the server's (or client's) and often does.
(The CA's key *should* be cryptographically stronger than the entities it certifies, but SSL does not require or enforce this.)