skleinei wrote, On 2008-01-17 09:44:
> [...] Here are the basics:
> First of all, I am using version 184.108.40.206. The following parameters
> might be of interest:security.enable_ssl2=false,
> security.enable_ssl3=true, security.enable_tls=true
> The error I am getting after a few clicks or reloads
After a few reloads?
Are you saying that it works for a while and then fails?
Are you able to connect to this site at all when it is using that
> is "Could not
> establish an encrypted connection because certificate presented by
> localhost has an invalid signature."
OK, so there you have the root of the problem, signatures that cannot be
verified and therefore are declared invalid. The problem is either
with the signature in one of the certificates in the server's cert
chain, or with the signature in the server key exchange message.
It would be necessary to examine the entire server cert chain to
determine which of those is the case.
> As I mentioned this happens with DSA certificates only. RSA seems not
> to cause a problem.
I'd guess that your answer to my questions above will be that you are
not able to communicate with the https server at all while it is
configured to use the DSA certificate. Assuming that guess is right,
then the problem is likely that no certificate in the DSA certificate
chain contains the PQG parameters for the DSA public key.
There also also other possibilities. Complete diagnosis cannot be
made without the answers to the questions above and the complete
server certificate chain.
> Please let me know, if there is additional information I can provide.
Did you get this DSA certificate from a professionally run CA?
or did you make the cert yourself?
If you made the DSA cert yourself, then the problem is likely that the
certificate (key) is incomplete or incorrectly made. Try some other
approach, one that works for you. Explaining all the intricacies
of DSA certs is beyond the charter of this newsgroup. Sorry.
OTOH, if you can reproduce this with a DSA cert from a real CA, then
I'm willing to pursue this further.