Hi Nelson, thanks for the info. We are indeed using a self-signed certificate. I need to get some decisions made with our clients on whether we pursue this issue or not.
Thanks anyway for your help!

-Stefan

Nelson Bolyard wrote:
> skleinei wrote, On 2008-01-17 09:44:
> > [...] Here are the basics:
> >
> > First of all, I am using version 2.0.0.11. The following parameters
> > might be of interest: security.enable_ssl2=false,
> > security.enable_ssl3=true, security.enable_tls=true
> > The error I am getting after a few clicks or reloads
>
> After a few reloads?
> Are you saying that it works for a while and then fails?
> Are you able to connect to this site at all when it is using that
> particular certificate?
>
> > is "Could not
> > establish an encrypted connection because certificate presented by
> > localhost has an invalid signature."
>
> OK, so there you have the root of the problem, signatures that cannot be
> verified and therefore are declared invalid. The problem is either
> with the signature in one of the certificates in the server's cert
> chain, or with the signature in the server key exchange message.
> It would be necessary to examine the entire server cert chain to
> determine which of those is the case.
>
> > As I mentioned, this happens with DSA certificates only. RSA seems not
> > to cause a problem.
>
> I'd guess that your answer to my questions above will be that you are
> not able to communicate with the https server at all while it is
> configured to use the DSA certificate. Assuming that guess is right,
> then the problem is likely that no certificate in the DSA certificate
> chain contains the PQG parameters for the DSA public key.
>
> There are also other possibilities. A complete diagnosis cannot be
> made without the answers to the questions above and the complete
> server certificate chain.
>
> > Please let me know if there is additional information I can provide.
>
> Did you get this DSA certificate from a professionally run CA?
> Or did you make the cert yourself?
>
> If you made the DSA cert yourself, then the problem is likely that the
> certificate (key) is incomplete or incorrectly made. Try some other
> approach, one that works for you. Explaining all the intricacies
> of DSA certs is beyond the charter of this newsgroup. Sorry.
>
> OTOH, if you can reproduce this with a DSA cert from a real CA, then
> I'm willing to pursue this further.
>
> /Nelson
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
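Nelson's likely diagnosis above is that no certificate in the chain carries the DSA domain parameters (p, q, g). In X.509 a DSA SubjectPublicKeyInfo may omit its Dss-Parms; RFC 3279 section 2.3.2 then says the parameters are inherited from the issuer's certificate, provided the issuer also signed with DSA. A self-signed certificate with absent parameters therefore has nowhere to inherit them from, and no verifier can check a signature under a key whose group is unknown. The following is an added example, not code from the thread or from NSS: a minimal DER walker that classifies each DSA SubjectPublicKeyInfo in a chain as carrying its own parameters, inheriting them from an issuer, or unresolvable. The sample SPKI blobs are constructed inline with toy-sized integers (not a real DSA group); the helper names `make_dsa_spki`, `dsa_params_status` and `resolve_dsa_params` are this example's own.

```python
"""Added example: does each DSA SubjectPublicKeyInfo in a chain carry or inherit
its PQG parameters?  Not code from the mailing-list thread or from NSS."""

ID_DSA = bytes.fromhex("2a8648ce380401")  # OID 1.2.840.10040.4.1 (id-dsa), DER-encoded value


# --- tiny DER encoder, only what the constructed samples need ---------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v: int) -> bytes:
    """Non-negative INTEGER: minimal big-endian, leading 0x00 if the top bit is set."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der(0x02, body)


def make_dsa_spki(y: int, params=None) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier { id-dsa, Dss-Parms? }, BIT STRING { y } }.
    params=None omits Dss-Parms, which is exactly the 'incomplete' key Nelson describes."""
    alg = der(0x06, ID_DSA)
    if params is not None:
        p, q, g = params
        alg += der(0x30, der_int(p) + der_int(q) + der_int(g))
    pubkey = der(0x03, b"\x00" + der_int(y))  # BIT STRING, zero unused bits, DSAPublicKey INTEGER
    return der(0x30, der(0x30, alg) + pubkey)


# --- tiny DER reader ---------------------------------------------------------
def read_tlv(buf: bytes, off: int = 0):
    tag, ln = buf[off], buf[off + 1]
    off += 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + ln], off + ln


def children(body: bytes):
    out, off = [], 0
    while off < len(body):
        tag, val, off = read_tlv(body, off)
        out.append((tag, val))
    return out


def dsa_params_status(spki: bytes) -> str:
    """'present', 'absent', 'malformed', or 'not-dsa' for one SubjectPublicKeyInfo."""
    tag, body, _ = read_tlv(spki)
    if tag != 0x30:
        return "malformed"
    alg_tag, alg_body = children(body)[0]
    fields = children(alg_body)
    if alg_tag != 0x30 or not fields or fields[0][0] != 0x06 or fields[0][1] != ID_DSA:
        return "not-dsa"
    if len(fields) < 2 or fields[1][0] == 0x05:  # no parameters field, or an explicit NULL
        return "absent"
    p_tag, params = fields[1]
    if p_tag == 0x30:
        ints = children(params)
        if len(ints) == 3 and all(t == 0x02 for t, _ in ints):
            return "present"
    return "malformed"


def resolve_dsa_params(chain):
    """chain[0] is the end-entity SPKI, chain[-1] the trust anchor.  A cert with absent
    parameters inherits them from the nearest DSA issuer that has them (RFC 3279 2.3.2);
    the walk stops at a non-DSA issuer because inheritance only crosses DSA signatures."""
    report = []
    for i, spki in enumerate(chain):
        status = dsa_params_status(spki)
        if status == "absent":
            source = None
            for j in range(i + 1, len(chain)):
                issuer_status = dsa_params_status(chain[j])
                if issuer_status == "present":
                    source = j
                    break
                if issuer_status != "absent":
                    break
            status = f"inherited from chain[{source}]" if source is not None else "unresolvable"
        report.append(status)
    return report


# Constructed toy inputs: p=23, q=11, g=4, y=8 are not a valid DSA group, they only
# exercise the encoding/decoding paths.
TOY_PARAMS = (23, 11, 4)
LEAF_NO_PARAMS = make_dsa_spki(8)                 # key without Dss-Parms
CA_WITH_PARAMS = make_dsa_spki(18, TOY_PARAMS)    # issuer that carries Dss-Parms

if __name__ == "__main__":
    print(resolve_dsa_params([LEAF_NO_PARAMS, CA_WITH_PARAMS]))  # inherits from the CA
    print(resolve_dsa_params([LEAF_NO_PARAMS]))                  # self-signed, nothing to inherit
```

To run this against a real server, feed it the DER SubjectPublicKeyInfo of each certificate in the chain (for example `openssl x509 -pubkey -noout` on each cert, then base64-decoded), leaf first. A `"present"` at the leaf, or `"inherited from chain[n]"`, means the verifier can at least find a group to check the signature against; `"unresolvable"` on a self-signed DSA certificate is the failure mode Nelson suspects.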