ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED in Google Chrome

走了就别回头了 2021-02-13 19:00

I've got a web site that uses SSL Client certificate authorization. All client certificates are generated using OpenSSL and are self-signed. Everything worked with all web-bro

6 Answers
  •  野性不改
    2021-02-13 19:39

    We are experiencing the same problem. As Sean has reported, it seems that Chrome on Windows XP negotiates TLSv1.2 even though the operating system does not support SHA-2 (say, SHA-256 or SHA-384) hash functions.

    We found that Chrome fails when it receives "client certificate request" following SERVER HELLO. SERVER HELLO itself negotiates RC4-SHA1 (in our environment), which should succeed. The problematic packet seems to be the "client certificate request" that includes SHA-2 (as well as SHA1) functions for hashes.

    Invoking Chrome with "--enable-logging --log-level=0" outputs the following message: ERROR:nss_ssl_util.cc(193)] ERR_SSL_CLIENT_AUTH_SIGNATURE_FAILED: NSS error -12222, OS error -2146893816

    This is an operating system error corresponding to "NTE_BAD_ALGID" for the CryptSignHash function: http://msdn.microsoft.com/en-us/library/windows/desktop/aa380280(v=vs.85).aspx

    Disabling TLSv1.2 on the server should fix the problem. But I think Chrome should prefer SHA1 on Windows XP.
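
To check which hash algorithms a server advertises in the TLS 1.2 "client certificate request" described in the answer above, the message can be decoded from a packet capture. The following is an added example, not part of the original answer; the function names are hypothetical and `SAMPLE` is a constructed message, not a capture from the affected server. It also converts the logged OS error to its unsigned HRESULT form.

```python
# TLS 1.2 SignatureAndHashAlgorithm code points (RFC 5246, section 7.4.1.4.1)
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {0: "anonymous", 1: "rsa", 2: "dsa", 3: "ecdsa"}
SHA2 = {"sha224", "sha256", "sha384", "sha512"}

# Constructed sample: handshake type 13, 3-byte length, then
# certificate_types = [rsa_sign], three algorithm pairs, empty CA list.
SAMPLE = bytes.fromhex("0d00000c" "0101" "0006" "040105010201" "0000")


def parse_certificate_request(msg: bytes) -> list:
    """Return (hash, signature) pairs from a TLS 1.2 CertificateRequest message."""
    if len(msg) < 4 or msg[0] != 13:  # 13 = certificate_request
        raise ValueError("not a CertificateRequest handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length or length < 3:
        raise ValueError("truncated CertificateRequest")
    pos = 1 + body[0]  # skip the certificate_types vector
    if pos + 2 > len(body):
        raise ValueError("certificate_types overruns the message")
    alg_len = int.from_bytes(body[pos:pos + 2], "big")
    algs = body[pos + 2:pos + 2 + alg_len]
    if len(algs) != alg_len or alg_len % 2:
        raise ValueError("bad supported_signature_algorithms vector")
    return [(HASHES.get(h, f"hash_{h}"), SIGS.get(s, f"sig_{s}"))
            for h, s in zip(algs[0::2], algs[1::2])]


def sha2_pairs(pairs: list) -> list:
    """Pairs that a client without SHA-2 signing support cannot satisfy."""
    return [p for p in pairs if p[0] in SHA2]


def os_error_to_hresult(code: int) -> str:
    """Render a signed 32-bit OS error as an unsigned HRESULT string."""
    return f"0x{code & 0xFFFFFFFF:08X}"


if __name__ == "__main__":
    offered = parse_certificate_request(SAMPLE)
    print("offered:", offered)
    print("needs SHA-2:", sha2_pairs(offered))
    print("OS error:", os_error_to_hresult(-2146893816))
```
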
