Signature length not correct: got 256 but was expecting 512

Vinay Madyalkar

Feb 12, 2018, 1:31:17 AM
to Search Guard Community Forum

* Search Guard and Elasticsearch version : 5.5.1
* JVM version and operating system version : 1.8 latest update, centos

I have certificates with SAN + OID. I am running into this issue when elasticsearch is configured with searchguard.

Extract from the debug logs:

[2018-02-12T05:05:24,266][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] SSL Problem Server key
javax.net.ssl.SSLException: Server key
        at sun.security.ssl.Handshaker.checkThrown(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:?]
        at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_131]
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:254) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1156) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.11.Final.jar:4.1.11.Final]
        at java.lang.Thread.run(Unknown Source) [?:1.8.0_131]
Caused by: javax.net.ssl.SSLException: Server key
        at sun.security.ssl.Handshaker.throwSSLException(Unknown Source) ~[?:?]
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) ~[?:?]
        at sun.security.ssl.Handshaker.processLoop(Unknown Source) ~[?:?]
        at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:?]
        at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:?]
        at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
        at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source) ~[?:?]
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1295) ~[?:?]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1208) ~[?:?]
        ... 18 more
Caused by: java.security.SignatureException: Signature length not correct: got 256 but was expecting 512
        at sun.security.rsa.RSASignature.engineVerify(Unknown Source) ~[?:?]
        at java.security.Signature$Delegate.engineVerify(Unknown Source) ~[?:1.8.0_131]
        at java.security.Signature.verify(Unknown Source) ~[?:1.8.0_131]
        at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(Unknown Source) ~[?:?]
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) ~[?:?]
        at sun.security.ssl.Handshaker.processLoop(Unknown Source) ~[?:?]
        at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:?]

This is my elasticsearch.yml file:
#################################
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_type: PKCS12
searchguard.ssl.transport.pemkey_filepath: es_key.pem
searchguard.ssl.transport.pemcert_filepath: es_cert.pem
searchguard.ssl.transport.pemtrustedcas_filepath: es_ca_cert.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: false
searchguard.authcz.admin_dn:
 - CN=test.example.com,OU=Test,O=TestCompany,L=TestLocation,C=IN
searchguard.nodes_dn:
 - CN=*.test.com,OU=Test,O=TestCompany,L=TestLocation,C=IN
##################################


Is it because the signature algorithm used for the key is sha256withrsa? Do I have to use sha512withrsa as the signature algorithm when using Search Guard?


SG

Feb 13, 2018, 1:07:46 PM
to search...@googlegroups.com
First, it makes no sense to specify PKCS12 as the keystore type and then use PEM certificates.
Can you please post the output of the following commands?

openssl rsa -in es_key.pem -check -noout (or is it an ECDH key?)
openssl x509 -in es_cert.pem -text -noout
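Added example, not code from either post above. The JDK message "Signature length not correct: got 256 but was expecting 512" is raised by RSA signature verification on the client side of the transport handshake: an RSA signature is exactly as long as the signing key's modulus, so 256 bytes means the ServerKeyExchange was signed with a 2048-bit private key, while the 512 bytes the verifier expected come from a 4096-bit public key in the certificate the peer node presented. The hash choice (sha256withrsa versus sha512withrsa) does not change an RSA signature's length, so the thing to check is whether the file named by pemkey_filepath and the file named by pemcert_filepath actually belong together, which is what the openssl commands in the reply get at. The script below assumes only the openssl CLI; every key and certificate is generated on the fly (constructed data, not the poster's files; the names es_key.pem and es_cert.pem are reused only as labels) to reproduce the mismatch seen in the log.

```shell
#!/bin/sh
# Added example, not code from the Search Guard thread. Assumes only the openssl
# CLI; every key and certificate here is generated on the fly (constructed data).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# RSA modulus (hex) of a PEM private key / certificate, without the "Modulus=" prefix.
key_modulus()  { openssl rsa  -in "$1" -noout -modulus | sed 's/^Modulus=//'; }
cert_modulus() { openssl x509 -in "$1" -noout -modulus | sed 's/^Modulus=//'; }

# Key size in bits from a hex modulus: 4 bits per hex digit.
bits_of() { echo $(( ${#1} * 4 )); }

# Returns 0 and prints "match" when key and certificate share a modulus;
# otherwise prints both sizes and returns 1. This is the check that separates a
# deployed key/certificate mismatch from any signature-algorithm question.
check_key_cert_match() {
  km=$(key_modulus "$1")
  cm=$(cert_modulus "$2")
  if [ "$km" = "$cm" ]; then
    echo "match: $1 and $2 share a $(bits_of "$km")-bit RSA modulus"
    return 0
  fi
  echo "MISMATCH: $1 is $(bits_of "$km")-bit but $2 carries a $(bits_of "$cm")-bit public key"
  return 1
}

# Sign constructed data with a private key and report the signature size in bytes.
# An RSA signature is always the modulus length: 256 bytes for a 2048-bit key,
# 512 bytes for a 4096-bit key, whether the digest is SHA-256 or SHA-512.
sig_len() {
  printf 'constructed test data\n' > "$WORK/data.txt"
  openssl dgst -sha256 -sign "$1" -out "$WORK/sig.bin" "$WORK/data.txt"
  wc -c < "$WORK/sig.bin" | tr -d ' '
}

# Verify the last signature against the public key inside a certificate,
# which is the check the TLS client performs on the ServerKeyExchange message.
verify_with_cert() {
  openssl x509 -in "$1" -noout -pubkey > "$WORK/pub.pem"
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/sig.bin" \
    "$WORK/data.txt" >/dev/null 2>&1
}

gen_key() { openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$2" -out "$1" 2>/dev/null; }
self_signed() { openssl req -new -x509 -key "$1" -subj "/CN=node1.test.com" -days 1 -out "$2" 2>/dev/null; }

# Constructed scenario mirroring the thread: the node's private key is 2048-bit,
# but the certificate deployed beside it was issued for a different, 4096-bit key.
gen_key "$WORK/es_key.pem" 2048
gen_key "$WORK/other_key.pem" 4096
self_signed "$WORK/other_key.pem" "$WORK/es_cert.pem"    # wrong pairing
self_signed "$WORK/es_key.pem"    "$WORK/good_cert.pem"  # correct pairing

check_key_cert_match "$WORK/es_key.pem" "$WORK/good_cert.pem"
check_key_cert_match "$WORK/es_key.pem" "$WORK/es_cert.pem" || true
echo "es_key.pem produces a $(sig_len "$WORK/es_key.pem")-byte signature; the key in es_cert.pem expects 512"
if verify_with_cert "$WORK/es_cert.pem"; then
  echo "verified (unexpected)"
else
  echo "verification against es_cert.pem fails, as in the log"
fi
```

On a real node, point check_key_cert_match at the files configured under pemkey_filepath and pemcert_filepath. A MISMATCH means the wrong key or the wrong certificate was deployed, and no change of signature algorithm will fix it; a match with the error still present points elsewhere (for example at a peer node presenting a different certificate).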
