- Search Guard and Elasticsearch version: 5.5.1
- JVM version and operating system version: 1.8 (latest update), CentOS
I have certificates with a SAN and an OID extension. I am running into the following issue when Elasticsearch is configured with Search Guard.
Extract from the debug logs:
[2018-02-12T05:05:24,266][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] SSL Problem Server key
javax.net.ssl.SSLException: Server key
at sun.security.ssl.Handshaker.checkThrown(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_131]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:254) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1156) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.11.Final.jar:4.1.11.Final]
at java.lang.Thread.run(Unknown Source) [?:1.8.0_131]
Caused by: javax.net.ssl.SSLException: Server key
at sun.security.ssl.Handshaker.throwSSLException(Unknown Source) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Unknown Source) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:?]
at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source) ~[?:?]
at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1295) ~[?:?]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1208) ~[?:?]
... 18 more
Caused by: java.security.SignatureException: Signature length not correct: got 256 but was expecting 512
at sun.security.rsa.RSASignature.engineVerify(Unknown Source) ~[?:?]
at java.security.Signature$Delegate.engineVerify(Unknown Source) ~[?:1.8.0_131]
at java.security.Signature.verify(Unknown Source) ~[?:1.8.0_131]
at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(Unknown Source) ~[?:?]
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) ~[?:?]
at sun.security.ssl.Handshaker.processLoop(Unknown Source) ~[?:?]
at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:?]
This is the relevant part of my elasticsearch.yml file:
```yaml
#################################
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_type: PKCS12
searchguard.ssl.transport.pemkey_filepath: es_key.pem
searchguard.ssl.transport.pemcert_filepath: es_cert.pem
searchguard.ssl.transport.pemtrustedcas_filepath: es_ca_cert.pem
searchguard.ssl.transport.enforce_hostname_verification: false
searchguard.ssl.http.enabled: false
searchguard.authcz.admin_dn: CN=test.example.com,OU=Test,O=TestCompany,L=TestLocation,C=IN
searchguard.nodes_dn: CN=*.test.com,OU=Test,O=TestCompany,L=TestLocation,C=IN
##################################
```
Is this because the certificate's signature algorithm is sha256WithRSA? Do I have to use sha512WithRSA as the signature algorithm to use Search Guard? (Note that the 256 and 512 in the SignatureException are signature lengths in bytes, so the mismatch may be between the RSA key size of es_key.pem and the public key in es_cert.pem rather than the digest algorithm; I have not yet confirmed this.)