Thank you JJK and everyone!!
Jan, that was it! Never thought to check the key size. Just too close to
it I guess. I could handle the 2,048 bit keys but set a fixed maximum
register size of 4,096 bits. Well, it needs 6,144 bits to do the 3,072
bit math. My bad as they say. I do have a ToDo in the
Jan,
Use Wireshark all of the time. In fact I've used it since before it was
Wireshark. But now... I can't remember what it was called before. Great
tool.
You, though, may have hit on something in pointing out the 3072 bit key.
I will check on that. It was a design decision in developing this
On 25/06/20 20:02, Bruce Cloutier wrote:
I agree that I am not being explicit regarding my terminology. I don't
mean to confuse. I just cannot get anywhere on this in a vacuum. So, I
need to reach out.
Specifically, the Signature covering the EC Diffie-Hellman Server Params
in the
I agree that I am not being explicit regarding my terminology. I don't
mean to confuse. I just cannot get anywhere on this in a vacuum. So, I
need to reach out.
Specifically, the Signature covering the EC Diffie-Hellman Server Params
in the server_key_exchange message that I eventually receive in
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Bruce Cloutier
> Sent: Thursday, June 25, 2020 12:10
>
> By "If OpenSSL fails to validate this particular digital signature that
> would be the case." I meant to question whether or not OpenSSL is in
> fact doing the
You may also check out the results of the popular ssllabs.com test here:
https://www.ssllabs.com/ssltest/analyze.html?d=jnior.com=on
Note however that in recent years they have become quite aggressive in
labeling things as "weak" when they are simply "slightly less than the
best that the
Sorry,
By "If OpenSSL fails to validate this particular digital signature that
would be the case." I meant to question whether or not OpenSSL is in
fact doing the validation? In the case that the signature is being
ignored then clients wouldn't complain. They wouldn't notice.
Bruce
On 6/25/20
Yeah. I doubt it is an OpenSSL issue directly as Apache might be feeding
the wrong key. Just need confirmation that there isn't a default key
configuration setting for OpenSSL that might be taking precedence for
who knows why.
I can connect successfully with the browser so I cannot rule out that
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of
> Bruce Cloutier
> Sent: Thursday, June 25, 2020 10:11
>
> Has anyone thought about this question?
From your description, it sounds like an Apache issue, not an OpenSSL one. I
don't know enough about Apache
Has anyone thought about this question? The site is https://jnior.com if
anyone wants to hit it. For me the digital signature in the
server_key_exchange does not verify. Is there a site diagnostic that
might report on this? I suspect that we have not fully configured the
change in certificates.
Hi,
see comments/questions inline
On 23/06/20 14:03, Bruce Cloutier wrote:
Hello,
We administer a server (Windows) with a Bitnami stack for a WordPress
implementation and that uses Apache Httpd and OpenSSL. Separately I am
developing the TLS ECC aspect of a controller device implementation
Hello,
We administer a server (Windows) with a Bitnami stack for a WordPress
implementation and that uses Apache Httpd and OpenSSL. Separately I am
developing the TLS ECC aspect of a controller device implementation and
note a problematic behavior with the server_key_exchange for ECDHE_RSA.
The