skleinei wrote, On 2008-01-17 09:44:
> [...] Here are the basics:
>
> First of all, I am using version 2.0.0.11. The following parameters
> might be of interest: security.enable_ssl2=false,
> security.enable_ssl3=true, security.enable_tls=true
> The error I am getting after a few clicks or reloads

After a few reloads? Are you saying that it works for a while and then fails? Are you able to connect to this site at all when it is using that particular certificate?

> is "Could not
> establish an encrypted connection because certificate presented by
> localhost has an invalid signature."

OK, so there you have the root of the problem, signatures that cannot be verified and therefore are declared invalid. The problem is either with the signature in one of the certificates in the server's cert chain, or with the signature in the server key exchange message. It would be necessary to examine the entire server cert chain to determine which of those is the case.

> As I mentioned this happens with DSA certificates only. RSA seems not
> to cause a problem.

I'd guess that your answer to my questions above will be that you are not able to communicate with the https server at all while it is configured to use the DSA certificate. Assuming that guess is right, then the problem is likely that no certificate in the DSA certificate chain contains the PQG parameters for the DSA public key. There are also other possibilities. Complete diagnosis cannot be made without the answers to the questions above and the complete server certificate chain.

> Please let me know, if there is additional information I can provide.

Did you get this DSA certificate from a professionally run CA? Or did you make the cert yourself?

If you made the DSA cert yourself, then the problem is likely that the certificate (key) is incomplete or incorrectly made. Try some other approach, one that works for you. Explaining all the intricacies of DSA certs is beyond the charter of this newsgroup. Sorry.

OTOH, if you can reproduce this with a DSA cert from a real CA, then I'm willing to pursue this further.

/Nelson

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
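
The reply above suspects a DSA chain in which no certificate carries the P, Q, G parameters. As an added example (not part of the original thread, and not NSS code), this Python sketch checks the DER SubjectPublicKeyInfo of each certificate for that condition; the function names and the toy sample keys are constructed for illustration.

```python
# Added example, not from the original thread. All sample values are constructed.
ID_DSA = bytes.fromhex("2a8648ce380401")       # OID 1.2.840.10040.4.1 (id-dsa)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def dsa_params_status(spki):
    """Classify a DER SubjectPublicKeyInfo as 'not-dsa', 'present' or 'missing'."""
    _, body, _ = read_tlv(spki)                # SubjectPublicKeyInfo SEQUENCE
    _, alg, _ = read_tlv(body)                 # AlgorithmIdentifier SEQUENCE
    tag, oid, pos = read_tlv(alg)
    if tag != 0x06 or oid != ID_DSA:
        return "not-dsa"
    if pos == len(alg):                        # parameters field omitted
        return "missing"
    tag, params, _ = read_tlv(alg, pos)
    ints, p = 0, 0
    while tag == 0x30 and p < len(params):     # Dss-Parms ::= SEQUENCE { p, q, g }
        t, _, p = read_tlv(params, p)
        ints += (t == 0x02)                    # count INTEGER members
    return "present" if ints == 3 else "missing"

def chain_lacks_params(spkis):
    """True when the chain has DSA keys but no certificate carries P, Q, G."""
    statuses = [dsa_params_status(s) for s in spkis]
    return "missing" in statuses and "present" not in statuses

def der(tag, value):
    """Encode one DER TLV (used only to build the constructed samples)."""
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_spki(oid, params):
    """Constructed SubjectPublicKeyInfo with a dummy key, for demonstration."""
    key = der(0x03, b"\x00" + der(0x02, b"\x05"))   # BIT STRING wrapping INTEGER
    return der(0x30, der(0x30, der(0x06, oid) + params) + key)

TOY_PQG = der(0x30, der(0x02, b"\x17") + der(0x02, b"\x0b") + der(0x02, b"\x04"))
LEAF_NO_PARAMS = sample_spki(ID_DSA, b"")           # DSA key, parameters omitted
CA_WITH_PARAMS = sample_spki(ID_DSA, TOY_PQG)       # DSA key with toy P, Q, G
RSA_KEY = sample_spki(RSA_OID, der(0x05, b""))      # RSA key with NULL parameters
```

A `True` result from `chain_lacks_params` matches the condition described in the reply: a verifier has no parameters with which to check any DSA signature made by those keys.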