Friday, 3 June 2016

IBM Global Security Toolkit - CTGSK2041W An unsupported modulus size was found.

I'm still tinkering with different ciphers and signature algorithms in IBM HTTP Server, as per this: -

and hit this today when attempting to create a self-signed certificate using the SHA256WithECDSA Signature Algorithm: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -size 2048 -dn ",dc=uk,dc=ibm,dc=com" -label -default_cert yes -sigalg SHA256WithECDSA

CTGSK2041W An unsupported modulus size was found.

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -size 1024 -dn ",dc=uk,dc=ibm,dc=com" -label -default_cert yes -sigalg SHA256WithECDSA

CTGSK2041W An unsupported modulus size was found.

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -size 512 -dn ",dc=uk,dc=ibm,dc=com" -label -default_cert yes -sigalg SHA256WithECDSA

[ No Message ]

Yep, it worked, as validated here: -

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed

Certificates found
* default, - personal, ! trusted, # secret key
! ad2008root

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -validate -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed

ad2008root : OK : OK : OK

/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -label

Label :
Key Size : 512
Version : X509 V3
Serial : 71b3dcfd3e00e5d0
Issuer :,DC=uk,DC=ibm,DC=com
Subject :,DC=uk,DC=ibm,DC=com
Not Before : 2 June 2016 17:14:00 GMT+01:00
Not After : 3 June 2017 17:14:00 GMT+01:00

Signature Algorithm : EC_ecdsa_with_SHA256 (1.2.840.10045.4.3.2)

I then get deeper into the verification using openssl : -

openssl s_client -connect < /dev/null

Server Temp Key: ECDH, prime256v1, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 521 bit

    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256

and SSLSleuth plugin Firefox: -

Cipher suite
Key exchange: Elliptic curve Diffie-Hellman.
Authentication: ECDSA. 
Bulk cipher: AES GCM 128 bits.
HMAC: SHA-256. 
Perfect Forward Secrecy: Yes
SSL/TLS Version: TLSv1.2
Connection status: Secure
Extended validation: No
Signature: SHA-256/ECDSA
Key: 521 bits ECC
Common name:
Issued to:  
Issued by: 
Validity: 2 June 2016 -- 3 June 2017
Fingerprint: 0F:04:8F:94:F3:0D:72:12:C4:2A: 35:06:C5:6F:BD:17:2A:E1:9F:C9

which is nice.

No comments: