Cannot use SHA512 certificate with Searchguard

Search Guard
1

Hello I’m trying to configure my Elasticsearch 6.4.0 instances with TLS / SSL security with SearchGuard.

I’ve generated my CSR and my key with SHA512. Then the CA signed the certificate.

But, when starting ES I get the following error:

Caused by: javax.net.ssl.SSLException: Server key

at sun.security.ssl.Handshaker.throwSSLException(Handshaker.java:1434) ~[?:?]

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:304) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

… 19 more

Caused by: java.security.SignatureException: Signature length not correct: got 512 but was expecting 256

at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189) ~[?:?]

at java.security.Signature$Delegate.engineVerify(Signature.java:1222) ~[?:1.8.0_191]

at java.security.Signature.verify(Signature.java:655) ~[?:1.8.0_191]

at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.(HandshakeMessage.java:1120) ~[?:?]

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:300) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

… 19 more

Anyone know to use 512bits certificates?

Thank you

2

how did you generate the CSR?

···

On Wednesday, 24 October 2018 17:30:21 UTC+2, Marcos Tenrero Morán wrote:

Hello I’m trying to configure my Elasticsearch 6.4.0 instances with TLS / SSL security with SearchGuard.

I’ve generated my CSR and my key with SHA512. Then the CA signed the certificate.

But, when starting ES I get the following error:

Caused by: javax.net.ssl.SSLException: Server key

at sun.security.ssl.Handshaker.throwSSLException(Handshaker.java:1434) ~[?:?]

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:304) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

… 19 more

Caused by: java.security.SignatureException: Signature length not correct: got 512 but was expecting 256

at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189) ~[?:?]

at java.security.Signature$Delegate.engineVerify(Signature.java:1222) ~[?:1.8.0_191]

at java.security.Signature.verify(Signature.java:655) ~[?:1.8.0_191]

at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.(HandshakeMessage.java:1120) ~[?:?]

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:300) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

… 19 more

Anyone know to use 512bits certificates?

Thank you

3

With the following openssl command:

openssl req
-newkey rsa:2048 -nodes -keyout domain.key \

-out domain.csr

···

El jueves, 25 de octubre de 2018, 13:48:46 (UTC+2), Search Guard escribió:

how did you generate the CSR?

On Wednesday, 24 October 2018 17:30:21 UTC+2, Marcos Tenrero Morán wrote:

Hello I’m trying to configure my Elasticsearch 6.4.0 instances with TLS / SSL security with SearchGuard.

I’ve generated my CSR and my key with SHA512. Then the CA signed the certificate.

But, when starting ES I get the following error:

Caused by: javax.net.ssl.SSLException: Server key

at sun.security.ssl.Handshaker.throwSSLException(Handshaker.java:1434) ~[?:?]

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:304) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

… 19 more

Caused by: java.security.SignatureException: Signature length not correct: got 512 but was expecting 256

at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189) ~[?:?]

at java.security.Signature$Delegate.engineVerify(Signature.java:1222) ~[?:1.8.0_191]

at java.security.Signature.verify(Signature.java:655) ~[?:1.8.0_191]

at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.(HandshakeMessage.java:1120) ~[?:?]

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:300) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

… 19 more

Anyone know to use 512bits certificates?

Thank you

4

this works well for me

openssl req -x509 -newkey rsa:2048 -nodes -keyout domain.key -out domain.pem -days 365 -sha512

So i can confirm that SG with ES 6.4.0 is working with SHA512 digest

···

On Thursday, 25 October 2018 13:50:42 UTC+2, Marcos Tenrero Morán wrote:

With the following openssl command:

openssl req
-newkey rsa:2048 -nodes -keyout domain.key \

-out domain.csr

El jueves, 25 de octubre de 2018, 13:48:46 (UTC+2), Search Guard escribió:

how did you generate the CSR?

On Wednesday, 24 October 2018 17:30:21 UTC+2, Marcos Tenrero Morán wrote:

Hello I’m trying to configure my Elasticsearch 6.4.0 instances with TLS / SSL security with SearchGuard.

I’ve generated my CSR and my key with SHA512. Then the CA signed the certificate.

But, when starting ES I get the following error:

Caused by: javax.net.ssl.SSLException: Server key

at sun.security.ssl.Handshaker.throwSSLException(Handshaker.java:1434) ~[?:?]

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:304) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

… 19 more

Caused by: java.security.SignatureException: Signature length not correct: got 512 but was expecting 256

at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189) ~[?:?]

at java.security.Signature$Delegate.engineVerify(Signature.java:1222) ~[?:1.8.0_191]

at java.security.Signature.verify(Signature.java:655) ~[?:1.8.0_191]

at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.(HandshakeMessage.java:1120) ~[?:?]

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:300) ~[?:?]

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:970) ~[?:?]

at sun.security.ssl.Handshaker$1.run(Handshaker.java:967) ~[?:?]

at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_191]

at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459) ~[?:?]

at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1364) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1272) ~[netty-handler-4.1.16.Final.jar:4.1.16.Final]

… 19 more

Anyone know to use 512bits certificates?

Thank you