ldapsearch & openssl 0.9.8e vs SHA256 signatures
Posted: 2017/03/18 13:55:09
Hello,
I found many articles about the issue with validation of SHA256 signatures; usually it was advised to patch openssl to version 0.9.8o to have full support for SHA256, but I have two servers with exactly the same openssl version, one is working and one is not.
server1
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
$ cat /proc/version
Linux version 2.6.18-164.11.1.el5 (mockbuild@builder16.centos.org) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-46)) #1 SMP Wed Jan 20 07:39:04 EST 2010
server2
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
$ cat /proc/version
Linux version 2.6.18-419.el5 (mockbuild@x86-027.build.eng.bos.redhat.com) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-55)) #1 SMP Wed Feb 22 22:40:57 EST 2017
I am testing the LDAP server with the ldapsearch command; server2 can respond to the query, but server1 is giving:
TLS certificate verification: Error, certificate signature failure
TLS: can't connect.
ldap_start_tls: Can't contact LDAP server (-1)
additional info: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
ldap_bind: Can't contact LDAP server (-1)
additional info: error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
From the output it looks like it cannot validate the SHA256 signature, but I wonder, if server2 has the same openssl, why server1 does not support it.
Although these servers are supposed to be connected to different environments, both LDAP servers have certificates signed with SHA256WithRSASignature.
Could someone help with openssl troubleshooting or explain the difference?
Thank you
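Added example, not part of the question: a small Python triage helper that unpacks the packed OpenSSL error code in ldapsearch's output ("error:0D0C50A1") into its library, function and reason fields, using the question's own output as constructed sample input. The library table is the 0.9.8-era err.h numbering, the function/reason names are only those the question's output confirms, and the suggested follow-up checks (certificate signature algorithm, ldd of ldapsearch) are the editor's assumptions about where to look next.

```python
import re

# OpenSSL 0.9.8-era error packing: (library << 24) | (function << 12) | reason.
# This is what the 8 hex digits in "error:0D0C50A1:..." encode.
ERR_LIBS = {
    2: "system library", 3: "bignum routines", 4: "rsa routines",
    6: "digital envelope routines", 9: "PEM routines",
    11: "x509 certificate routines", 13: "asn1 encoding routines",
    20: "SSL routines",
}
# Names confirmed by the text OpenSSL itself printed in the question.
ASN1_FUNCS = {197: "ASN1_item_verify"}
ASN1_REASONS = {161: "unknown message digest algorithm"}
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")


def unpack_error(code):
    """Split a packed OpenSSL error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def triage(stderr_text):
    """Describe the first packed OpenSSL error in ldapsearch output, or None."""
    m = ERR_RE.search(stderr_text)
    if m is None:
        return None
    code = int(m.group(1), 16)
    lib, func, reason = unpack_error(code)
    result = {"code": code, "lib": lib, "func": func, "reason": reason,
              "lib_name": ERR_LIBS.get(lib, "unknown library")}
    if lib == 13:  # ERR_LIB_ASN1
        result["func_name"] = ASN1_FUNCS.get(func, "?")
        result["reason_name"] = ASN1_REASONS.get(reason, "?")
    if (lib, reason) == (13, 161):
        # Assumed next checks: the digest OID in the cert's signature and which
        # libcrypto the ldapsearch binary really loads (the banner can mislead).
        result["verdict"] = ("libcrypto could not map the certificate's signature "
                             "digest OID; compare 'openssl x509 -noout -text' "
                             "Signature Algorithm and 'ldd $(which ldapsearch)'")
    else:
        result["verdict"] = "not a digest-lookup failure; inspect lib/func/reason"
    return result


# Constructed sample: the lines server1 printed in the question.
SAMPLE = ("ldap_start_tls: Can't contact LDAP server (-1)\n"
          "\tadditional info: error:0D0C50A1:asn1 encoding routines:"
          "ASN1_item_verify:unknown message digest algorithm\n")
```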