That's very weird. alert 51 = decrypt_error received by the servers - in the lighttpd log
or s_server output - is certainly consistent with Firefox thinking a signature is bad. And the signature on the cert in your capture looks right (although it doesn't have either subject.CN or SAN identifying the server, which makes it invalid for HTTPS) but the signature in the ServerKeyExchange appears to be wrong if I didn't mess up the by-hand check (which I very well may have). What happens if you try s_client on another machine(s) (e.g. your desktop) to either s_server or lighttpd on the Beaglebone/Arago system? Especially if you force selection of a suite observed so far to fail? Note ECDHE-RSA-AES256 and DHE-RSA-Camellia256 in that order are among Firefox's most preferred ciphers out of the box. Given your RSA cert, s_server should always give the former and lighttpd should give the former if it is using a curve Firefox supports and the latter otherwise. The lighttpd doc google found me says it defaults to prime256v1 which is okay; did you set ssl.ec-curve to something else? From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kiran G Sent: Tuesday, October 29, 2013 06:32 To: openssl-users@openssl.org Subject: key exchange error for lighttpd webserver ob beaglebone black running arago file system Hi, I am trying enable ssl in lighttpd web server. My OS is "Arago linux" running on "Beaglebone black". I did the proper SSL configuration for the webserver . But When I access the https page from browser (Firefox), I am getting the "This Connection is Untrusted" message. But when I accept the certificate, firefox throws the following error: "Peer's certificate has an invalid signature. (Error code: sec_error_bad_signature)" I confirmed that the certificate file is valid by using it with lighttpd running on my desktop. I tested the same certificate using openssl command (as server) on the embedded device("Beaglebone black".). This is the error I got: openssl s_server -accept 12345 -cert /etc/lighttpd/ssl/ws server.pem -WWWpe': openssl s_server -accept 12345 -cert /etc/lighttpd/ssl/w Using default temp DH parameters Using default temp ECDH parameters ACCEPT bad gethostbyaddr 1075078880:error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error:s3_pkt.c:1195:SSL alert number 51 1075078880:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:131: ACCEPT But this was working file for me before. See my forum post <http://redmine.lighttpd.net/boards/2/topics/5816> . And these are the errors found in the lighttpd logs: root@am335x-evm:~# tail -f /www/logs/lighttpd.error.log 2013-06-26 00:14:12: (connections.c.305) SSL: 1 error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error 2013-06-26 00:14:12: (connections.c.305) SSL: 1 error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error 2013-06-26 00:14:12: (connections.c.305) SSL: 1 error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error I contacted lighttpd forum for support <http://redmine.lighttpd.net/boards/2/topics/5816> and Stefan there suggested that: "Your openssl s_server test used a different ciphersuite (TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA), the pcap shows TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA; the different cipher (Camellia-256-CBC instead of AES-256-CBC) shouldn't matter in that stage of the connection, but I guess the ECDHE-RSA key exchange could be the problem. You could try to disable elliptic curves with ssl.cipher-list. Also I don't think this is a bug in lighttpd; it probably is somewhere in the compiler, standard library, openssl, custom patches by whoever is involved or even the hardware." I tried disabling elliptic curves by setting the following as the only cipher: ssl.cipher-list ="DHE-RSA-AES128-SHA" But the issue still persists. I tried analysing the traffic using wireshark <http://wirewatcher.wordpress.com/2010/07/20/decrypting-ssl-traffic-with-wir eshark-and-ways-to-prevent-it/> even though I am bad at it. I got the "Follow SSL Stream" context menu item enabled. But when I click on it, the windows says 0 bytes. I attaching the wireshark capture file. I am also attaching my private key(throwaway key for testing). If anyone can shed some light on this, that would be great. Kiran
