key exchange error for lighttpd webserver ob beaglebone black running arago file system

Tue, 29 Oct 2013 03:39:08 -0700 

Hi,

I am trying enable ssl in lighttpd web server.

My OS is "Arago linux" running on "Beaglebone black".
I did the proper SSL configuration for the webserver . But When I access the https page from browser (Firefox), I am getting the "This Connection is Untrusted" message. But when I accept the certificate, firefox throws the following error: 

"Peer's certificate has an invalid signature.

(Error code: sec_error_bad_signature)"
I confirmed that the certificate file is valid by using it with lighttpd running on my desktop.
I tested the same certificate using openssl command (as server) on the embedded device("Beaglebone black".). This is the error I got: 

 openssl s_server -accept 12345 -cert /etc/lighttpd/ssl/ws

server.pem   -WWWpe': openssl s_server -accept 12345 -cert /etc/lighttpd/ssl/w

Using default temp DH parameters

Using default temp ECDH parameters

ACCEPT

bad gethostbyaddr

1075078880:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt 
error:s3_pkt.c:1195:SSL alert number 51

1075078880:error:140780E5:SSL routines:SSL23_READ:ssl handshake 
failure:s23_lib.c:131:

ACCEPT
But this was working file for me before. See my forum post <http://redmine.lighttpd.net/boards/2/topics/5816>. 

And these are the errors found in the lighttpd logs:

root@am335x-evm:~# tail -f /www/logs/lighttpd.error.log
2013-06-26 00:14:12: (connections.c.305) SSL: 1 error:1409441B:SSL 
routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
2013-06-26 00:14:12: (connections.c.305) SSL: 1 error:1409441B:SSL 
routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
2013-06-26 00:14:12: (connections.c.305) SSL: 1 error:1409441B:SSL 
routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
I contacted lighttpd forum for support <http://redmine.lighttpd.net/boards/2/topics/5816>and Stefan there suggested that: 

"Your|openssl s_server|  test used a different ciphersuite 
(|TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA|), the pcap 
shows|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA|;
 the different cipher (Camellia-256-CBC instead of AES-256-CBC)
shouldn't matter in that stage of the connection, but I guess the
ECDHE-RSA key exchange could be the problem.

You could try to disable elliptic curves with|ssl.cipher-list|.
 Also I don't think this is a bug in lighttpd; it probably is somewhere
in the compiler, standard library, openssl, custom patches by whoever is
 involved or even the hardware."
I tried disabling elliptic curves by setting the following as the only cipher: 

ssl.cipher-list ="DHE-RSA-AES128-SHA"



But the issue still persists.
I tried analysing the traffic using wireshark <http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wireshark-and-ways-to-prevent-it/> even though I am bad at it. I got the "Follow SSL Stream" context menu item enabled. But when I click on it, the windows says 0 bytes. 

I attaching the wireshark capture file.

I am also attaching my private key(throwaway key for testing).

If anyone can shed some light on this, that would be great.

Kiran

Attachment: filter.cap
Description: application/cap

Attachment: server.pm
Description: Perl program

Reply via email to