Friday, 3 June 2016

IBM Global Security Toolkit - CTGSK2041W An unsupported modulus size was found.

I'm still tinkering with different ciphers and signature algorithms in IBM HTTP Server, as per this: -


and hit this today when attempting to create a self-signed certificate using the SHA256WithECDSA Signature Algorithm: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -size 2048 -dn "cn=bpm856.uk.ibm.com,dc=uk,dc=ibm,dc=com" -label bpm856.uk.ibm.com_ss -default_cert yes -sigalg SHA256WithECDSA

CTGSK2041W An unsupported modulus size was found.

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -size 1024 -dn "cn=bpm856.uk.ibm.com,dc=uk,dc=ibm,dc=com" -label bpm856.uk.ibm.com_ss -default_cert yes -sigalg SHA256WithECDSA

CTGSK2041W An unsupported modulus size was found.

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -size 512 -dn "cn=bpm856.uk.ibm.com,dc=uk,dc=ibm,dc=com" -label bpm856.uk.ibm.com_ss -default_cert yes -sigalg SHA256WithECDSA

[ No Message ]

Yep, it worked, as validated here: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed

Certificates found
* default, - personal, ! trusted, # secret key
! ad2008root
- bpm856.uk.ibm.com
*- bpm856.uk.ibm.com_ss


/opt/IBM/HTTPServer/bin/gskcapicmd -cert -validate -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed

ad2008root : OK
bpm856.uk.ibm.com : OK
bpm856.uk.ibm.com_ss : OK

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -label bpm856.uk.ibm.com_ss

Label : bpm856.uk.ibm.com_ss
Key Size : 512
Version : X509 V3
Serial : 71b3dcfd3e00e5d0
Issuer : CN=bpm856.uk.ibm.com,DC=uk,DC=ibm,DC=com
Subject : CN=bpm856.uk.ibm.com,DC=uk,DC=ibm,DC=com
Not Before : 2 June 2016 17:14:00 GMT+01:00
Not After : 3 June 2017 17:14:00 GMT+01:00

Signature Algorithm : EC_ecdsa_with_SHA256 (1.2.840.10045.4.3.2)
...

I then get deeper into the verification using openssl : -

openssl s_client -connect bpm856.uk.ibm.com:8443 < /dev/null

Server Temp Key: ECDH, prime256v1, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 521 bit

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256

and SSLSleuth plugin Firefox: -



Cipher suite
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Key exchange: Elliptic curve Diffie-Hellman.
Authentication: ECDSA. 
Bulk cipher: AES GCM 128 bits.
HMAC: SHA-256. 
Perfect Forward Secrecy: Yes
SSL/TLS Version: TLSv1.2
Connection status: Secure
Certificate
Extended validation: No
Signature: SHA-256/ECDSA
Key: 521 bits ECC
Common name: bpm856.uk.ibm.com
Issued to:  
Issued by: bpm856.uk.ibm.com 
Validity: 2 June 2016 -- 3 June 2017
Fingerprint: 0F:04:8F:94:F3:0D:72:12:C4:2A: 35:06:C5:6F:BD:17:2A:E1:9F:C9

which is nice.

No comments: