Re: NSS 3.12.5.0: Error '-8152' (SEC_ERROR_INVALID_KEY) when connecting to ssl-enabled servers

2012-05-25 Thread Nelson B Bolyard
On 2012/05/21 05:21 PDT, Bernhard Thalmayr wrote:
 
 Hi Wan-Teh, Nelson, could it be that this error is also raised by the 
 client if the client can not 'participate' in ssl client-auth?
 
 Unfortunately I only got a text-output of 'ssldump', not sure if this 
 would be helpful.

[snip]

The client is telling the server that the server's certificate is bad.

 Interestingly enough the community member told me that this error does 
 not happen with
 
 NSS:  3.12.8
 NSPR:  4.8.6

NSS is less forgiving of certain key size errors than it was before.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: NSS 3.12.5.0: Error '-8152' (SEC_ERROR_INVALID_KEY) when connecting to ssl-enabled servers

2012-05-25 Thread Wan-Teh Chang
On Mon, May 21, 2012 at 5:21 AM, Bernhard Thalmayr
bernhard.thalm...@painstakingminds.com wrote:
 Hi Wan-Teh, Nelson, could it be that this error is also raised by the client
 if the client can not 'participate' in ssl client-auth?

Yes, this is possible.

 Unfortunately I only got a text-output of 'ssldump', not sure if this
 would be helpful.

 The end of the handshake shows ...

 1a0: f3 6e fc 04  ab 79 e1 13                            | .n...y..
   0: 0d 00 2b 36                                         | ..+6
      type = 13 (certificate_request)
      length = 11062 (0x002b36)
         CertificateRequest {
            certificate types[3] = { 01 02 40 }
            certificate_authorities[11056] = {

                List Truncated

            }
         }
   0: 0e 00 00 00                                         | 
      type = 14 (server_hello_done)
      length = 0 (0x00)
   }
 }
 ]

This shows a client certificate was requested.

 -- [
 (7 bytes of 2)
 SSLRecord { [Mon May 14 13:25:27 2012]
   0: 15 03 00 00  02                                     | .
   type    = 21 (alert)
   version = { 3,0 }
   length  = 2 (0x2)
   fatal: bad_certificate
   0: 02 2a                                               | .*
 }

The - arrow is from client to server.  As Nelson said, most likely
the public key in the server's certificate is bad.

Wan-Teh
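As an added example (not from the thread, nor NSS or ssltap code), a small Python decoder for the record and handshake headers quoted above: it labels the client's `15 03 00 00 02 | 02 2a` record as a fatal bad_certificate alert and walks CertificateRequest / ServerHelloDone headers. The handshake record it decodes is constructed, since the capture's CA list is truncated; a record whose declared length exceeds the captured bytes is reported as truncated instead of failing.

```python
import struct

# Constants are the TLS 1.0 / RFC 4492 code points (ecdsa_sign = 0x40 matches the "01 02 40" above).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate", 12: "server_key_exchange",
                   13: "certificate_request", 14: "server_hello_done", 16: "client_key_exchange", 20: "finished"}
CLIENT_CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 64: "ecdsa_sign"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
                      45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca", 50: "decode_error"}

def parse_certificate_request(body: bytes) -> dict:
    """CertificateRequest body: 1-byte count of certificate types, then a 2-byte-length DN list."""
    n = body[0]
    types = [CLIENT_CERT_TYPES.get(t, f"unknown({t})") for t in body[1:1 + n]]
    ca_len = int.from_bytes(body[1 + n:3 + n], "big")
    return {"certificate_types": types, "certificate_authorities_len": ca_len}

def parse_handshake_messages(body: bytes) -> list:
    """Walk 4-byte handshake headers (type, 24-bit length) inside one record body.
    A message whose declared length runs past the captured bytes is flagged truncated."""
    msgs, pos = [], 0
    while pos + 4 <= len(body):
        htype, hlen = body[pos], int.from_bytes(body[pos + 1:pos + 4], "big")
        msg = {"type": HANDSHAKE_TYPES.get(htype, f"unknown({htype})"), "length": hlen,
               "truncated": pos + 4 + hlen > len(body)}
        if htype == 13 and not msg["truncated"]:
            msg.update(parse_certificate_request(body[pos + 4:pos + 4 + hlen]))
        msgs.append(msg)
        pos += 4 + hlen
    return msgs

def parse_record(data: bytes) -> dict:
    """Decode a TLS record header (type, version, length) plus an alert or handshake body."""
    if len(data) < 5:
        raise ValueError("record header needs 5 bytes")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    rec = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"), "version": (major, minor),
           "length": length, "truncated": len(body) < length}
    if ctype == 21 and len(body) >= 2:
        rec["alert"] = {"level": ALERT_LEVELS.get(body[0], f"unknown({body[0]})"),
                        "description": ALERT_DESCRIPTIONS.get(body[1], f"unknown({body[1]})")}
    elif ctype == 22:
        rec["handshake"] = parse_handshake_messages(body)
    return rec

# The client's alert record exactly as dumped in the thread: 15 03 00 00 02 | 02 2a
CLIENT_ALERT = bytes.fromhex("1503000002022a")
# Constructed (not from the capture): a handshake record carrying the same certificate
# types {01 02 40} with an empty CA list, followed by ServerHelloDone (0e 00 00 00).
SERVER_TAIL = bytes.fromhex("160300000e" "0d000006" "03010240" "0000" "0e000000")
```

Feeding the thread's real header `0d 00 2b 36` in a record that stops after those four bytes yields a certificate_request entry with `truncated` set, which is what the "List Truncated" dump above corresponds to.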