Signature length not correct: got 256 but was expecting 512

  • Search Guard and Elasticsearch version : 5.5.1

  • JVM version and operating system version : 1.8 latest update, centos

I have certificates with SAN + OID. I am running into this issue when elasticsearch is configured with searchguard.

Extract from the debug logs:

[2018-02-12T05:05:24,266][ERROR][c.f.s.s.t.SearchGuardSSLNettyTransport] SSL Problem Server key
javax.net.ssl.SSLException: Server key
    at sun.security.ssl.Handshaker.checkThrown(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source) ~[?:?]
    at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source) ~[?:?]
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source) ~[?:1.8.0_131]
    at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:254) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1156) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1078) ~[netty-handler-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265) ~[netty-codec-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:644) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:544) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:498) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:458) [netty-transport-4.1.11.Final.jar:4.1.11.Final]
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858) [netty-common-4.1.11.Final.jar:4.1.11.Final]
    at java.lang.Thread.run(Unknown Source) [?:1.8.0_131]
Caused by: javax.net.ssl.SSLException: Server key
    at sun.security.ssl.Handshaker.throwSSLException(Unknown Source) ~[?:?]
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Unknown Source) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:?]
    at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_131]
    at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source) ~[?:?]
    at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1295) ~[?:?]
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1208) ~[?:?]
    ... 18 more
Caused by: java.security.SignatureException: Signature length not correct: got 256 but was expecting 512
    at sun.security.rsa.RSASignature.engineVerify(Unknown Source) ~[?:?]
    at java.security.Signature$Delegate.engineVerify(Unknown Source) ~[?:1.8.0_131]
    at java.security.Signature.verify(Unknown Source) ~[?:1.8.0_131]
    at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(Unknown Source) ~[?:?]
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source) ~[?:?]
    at sun.security.ssl.Handshaker.processLoop(Unknown Source) ~[?:?]
    at sun.security.ssl.Handshaker$1.run(Unknown Source) ~[?:?]

This is my elasticsearch.yml file:

#################################
searchguard.ssl.transport.enabled: true
searchguard.ssl.transport.keystore_type: PKCS12
searchguard.ssl.transport.pemkey_filepath: es_key.pem
searchguard.ssl.transport.pemcert_filepath: es_cert.pem
searchguard.ssl.transport.pemtrustedcas_filepath: es_ca_cert.pem

searchguard.ssl.transport.enforce_hostname_verification: false

searchguard.ssl.http.enabled: false
searchguard.authcz.admin_dn:
- CN=test.example.com,OU=Test,O=TestCompany,L=TestLocation,C=IN
searchguard.nodes_dn:
- CN=*.test.com,OU=Test,O=TestCompany,L=TestLocation,C=IN
##################################

Is it because the key signature algorithm used is sha256withrsa? Am I required to use sha512withrsa as the signature algorithm in order to use Search Guard?

First: it makes no sense to specify PKCS12 as the keystore type and then use PEM certificates.
Can you please post the output of the following commands?

openssl rsa -in es_key.pem -check -noout (or is it an ECDH key?)
openssl x509 -in es_cert.pem -text -noout


On 12.02.2018 at 07:31, Vinay Madyalkar <vinay.madyalkar@gmail.com> wrote:

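A check for the key/certificate pair the reply asks about, added here as an example and not code from the thread or from Search Guard. Java's RSASignature.engineVerify rejects a signature whose byte length differs from the modulus length of the public key doing the verification, so "got 256 but was expecting 512" is a 2048-bit signing key meeting a 4096-bit certificate key; the hash algorithm (SHA-256 vs SHA-512) does not change an RSA signature's length. The script uses the same openssl tooling as the reply; file names es_key.pem and es_cert.pem are the ones from the elasticsearch.yml above.

```shell
#!/bin/sh
# Added diagnostic (not Search Guard code): does the PEM private key belong to
# the PEM certificate, and what signature lengths would Java see for each?

# RSA modulus size in bits of a PEM private key (PKCS#1 or PKCS#8); empty if not RSA.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9]*\) bit.*$/\1/p'
}

# RSA modulus size in bits of the public key carried by a PEM certificate.
cert_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Public-Key: (\([0-9]*\) bit.*$/\1/p'
}

# Compare the key's modulus with the certificate's. Returns 0 for a matching
# pair, 1 for a mismatch (printing the byte lengths Java would report), 2 when
# a file cannot be loaded (e.g. an EC key, which "openssl rsa" refuses).
check_pair() {
    key=$1 cert=$2
    kmod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null) ||
        { echo "cannot load $key as an RSA key (EC key or wrong file?)"; return 2; }
    cmod=$(openssl x509 -in "$cert" -noout -modulus 2>/dev/null) ||
        { echo "cannot load $cert as an X.509 certificate"; return 2; }
    kbits=$(key_bits "$key") cbits=$(cert_bits "$cert")
    : "${kbits:=0}" "${cbits:=0}"
    if [ "$kmod" = "$cmod" ]; then
        echo "OK: $key matches $cert ($kbits-bit RSA, $((kbits / 8))-byte signatures)"
        return 0
    fi
    echo "MISMATCH: $key ($kbits bit) is not the private key of $cert ($cbits bit)"
    echo "Java would report: got $((kbits / 8)) but was expecting $((cbits / 8))"
    return 1
}

# Usage: ./check_pair.sh es_key.pem es_cert.pem (the files named in elasticsearch.yml)
if [ $# -eq 2 ]; then
    check_pair "$1" "$2"
fi
```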