I have a Kubernetes ingress service forwarding traffic to an SSL port on an IBM HTTP Server, but the connection fails with
SSL0280E: SSL Handshake Failed, the configured certificate chain contains a signature that is not compatible with peers TLS Signature Algorithm requirements.
If I bypass the ingress by proxy-forwarding the port of the HTTP Server, everything works, so I guess it's related to the ingress configuration.
But I do not understand from the error message what the problem could be.
The full handshake log is:
[ibm_ssl:debug] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL handshake initiated [10.0.77.139:44716 -> 10.0.34.215:8000] fd 17 userdata 7f2007ffed00
[ibm_ssl:debug] [pid 202:tid 139775549896448] mod_ibm_ssl.c(1184): About to handshake: SSLV2 not enabled, SSLV3 not enabled, TLSv10 not enabled, TLSv11 not enabled, TLSv12 ciphers='TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA', FIPS is disabled
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read begin bytes [5] timeout [5000000]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read end bytes [5] err [0] to [0] eof [0]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read begin bytes [183] timeout [5000000]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL read end bytes [183] err [0] to [0] eof [0]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL write begin bytes [7] timeout [5000000]
[ibm_ssl:trace3] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL write end bytes [7] err [0] to [0]
[ibm_ssl:error] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] [202] SSL0280E: SSL Handshake Failed, the configured certificate chain contains a signature that is not compatible with peers TLS Signature Algorithm requirements.[10.0.77.139:44716 -> 10.0.34.215:8000] [0 ms]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] [7f1ff0000910] Handshake transcript:
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] <client_hello>
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] client_version
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] gsksslDissector_8Bits
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 03
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] gsksslDissector_8Bits
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 03
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] TLSV12
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] random
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] gsksslDissector_32Bits
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 69aaf182
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] gsksslDissector_Opaque
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 28
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 01 C4 38 FA 9D 07 48 B8 78 7F 5E 99 4F D3 F9 22 ..8...H.x.^.O.."
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] D1 FA F7 8F 0A 44 4D 05 AF 68 07 67 .....DM..h.g
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] session_id
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 00
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] cipher_suites
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 56
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] C0 2C C0 30 00 9F CC A9 CC A8 CC AA C0 2B C0 2F .,.0.........+./
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 9E C0 24 C0 28 00 6B C0 23 C0 27 00 67 C0 0A ...$.(.k.#.'.g..
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] C0 14 00 39 C0 09 C0 13 00 33 00 9D 00 9C 00 3D ...9.....3.....=
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 3C 00 35 00 2F 00 FF .<.5./..
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] tls_ecdhe_ecdsa_with_aes_256_gcm_sha384,tls_ecdhe_rsa_with_aes_256_gcm_sha384,tls_dhe_rsa_with_aes_256_gcm_sha384,tls_ecdhe_ecdsa_with_chacha20_poly1305_sha256,tls_ecdhe_rsa_with_chacha20_poly1305_sha256,tls_dhe_rsa_with_chacha20_poly1305_sha256,tls_ecdhe_ecdsa_with_aes_128_gcm_sha256,tls_ecdhe_rsa_with_aes_128_gcm_sha256,tls_dhe_rsa_with_aes_128_gcm_sha256,tls_ecdhe_ecdsa_with_aes_256_cbc_sha384,tls_ecdhe_rsa_with_aes_256_cbc_sha384,unknown,tls_ecdhe_ecdsa_with_aes_128_cbc_sha256,tls_ecdhe_rsa_with_aes_128_cbc_sha256,tls_dhe_rsa_with_aes_128_cbc_sha256,tls_ecdhe_ecdsa_with_aes_256_cbc_sha,tls_ecdhe_rsa_with_aes_256_cbc_sha,unknown,tls_ecdhe_ecdsa_with_aes_128_cbc_sha,tls_ecdhe_rsa_with_aes_128_cbc_sha,unknown,tls_rsa_with_aes_256_gcm_sha384,tls_rsa_with_aes_128_gcm_sha256,tls_rsa_with_aes_256_cbc_sha256,tls_rsa_with_aes_128_cbc_sha256,tls_rsa_with_aes_256_cbc_sha,tls_rsa_with_aes_128_cbc_sha,tls_ri_scsv
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] compression_methods
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 01
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 .
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Extensions
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Length: 82
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 0B 00 04 03 00 01 02 00 0A 00 0C 00 0A 00 1D ................
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 17 00 1E 00 19 00 18 00 23 00 00 00 16 00 00 .........#......
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 00 17 00 00 00 0D 00 2A 00 28 04 03 05 03 06 03 .......*.(......
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 08 07 08 08 08 09 08 0A 08 0B 08 04 08 05 08 06 ................
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 04 01 05 01 06 01 03 03 03 01 03 02 04 02 05 02 ................
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] 06 02 ..
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] Extension Count: 6
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] ec_point_formats
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] uncompressed,ansiX962_compressed_prime,ansiX962_compressed_char2
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] elliptic_curves
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] unknown,secp256r1,unknown,secp521r1,secp384r1
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] session_ticket
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] encrypt_then_mac
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] extended_master_secret
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716]
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] signature_algorithms
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] ecdsa:sha256,ecdsa:sha384,ecdsa:sha512,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,unknown:unknown,rsa:sha256,rsa:sha384,rsa:sha512,ecdsa:sha224,rsa:sha224,dsa:sha224,dsa:sha256,dsa:sha384,dsa:sha512
[ibm_ssl:warn] [pid 202:tid 139775549896448] [client 10.0.77.139:44716] end handshake transcript
The ingress is using a properly signed certificate, a wildcard certificate with multiple Subject Alternate Names, and it has been added to the IBM HTTP Server trust store.
The HTTP server uses a certificate that is self-signed, with the Kubernetes service FQDN as Subject Alternate Name.
Is the problem
a) with the certificate used directly by the ingress controller?
b) with some intermediary certificate used by the ingress controller?
c) a problem with key exchange protocols?
d) a problem with the HTTP server's own self-signed certificate?
Thanks in advance
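The SSL0280E text says the server-side check is comparing the configured chain against the signature_algorithms extension the peer sent. The script below is an added example, not part of the question above or of IBM HTTP Server: it decodes the 00 0D extension bytes copied from the "Extensions" hex dump in the transcript (the pairs the IHS decoder printed as unknown:unknown are the TLS 1.3 codepoints) and flags chain members whose signature algorithm, given as the string openssl prints for "Signature Algorithm", is not on the offered list. The chain algorithm names passed in at the bottom are constructed placeholders, not the asker's real certificates.

```python
# Added example: decode the ClientHello signature_algorithms extension from the
# transcript and check certificate-chain signature algorithms against it.
import re

# Extension bytes copied from the "Extensions" dump in the transcript:
# type 0x000D, length 0x2A, list length 0x28 = 20 two-byte pairs.
SIGALG_EXT_HEX = """
00 0D 00 2A 00 28 04 03 05 03 06 03 08 07 08 08 08 09 08 0A 08 0B 08 04 08 05 08 06
04 01 05 01 06 01 03 03 03 01 03 02 04 02 05 02 06 02
"""

# TLS 1.2 (hash, signature) byte values, RFC 5246 section 7.4.1.4.1.
HASHES = {1: "md5", 2: "sha1", 3: "sha224", 4: "sha256", 5: "sha384", 6: "sha512"}
SIGS = {1: "rsa", 2: "dsa", 3: "ecdsa"}
# TLS 1.3 SignatureScheme codepoints (RFC 8446) that the IHS decoder showed as unknown.
TLS13_NAMES = {
    0x0804: "rsa_pss_rsae_sha256", 0x0805: "rsa_pss_rsae_sha384",
    0x0806: "rsa_pss_rsae_sha512", 0x0807: "ed25519", 0x0808: "ed448",
    0x0809: "rsa_pss_pss_sha256", 0x080A: "rsa_pss_pss_sha384",
    0x080B: "rsa_pss_pss_sha512",
}

def parse_sigalgs(ext_hex):
    """Return the offered algorithms, in order, as 'sig:hash' or TLS 1.3 names."""
    data = bytes.fromhex(re.sub(r"\s+", "", ext_hex))
    ext_type = int.from_bytes(data[0:2], "big")
    ext_len = int.from_bytes(data[2:4], "big")
    if ext_type != 13 or ext_len != len(data) - 4:
        raise ValueError("not a well-formed signature_algorithms extension")
    list_len = int.from_bytes(data[4:6], "big")
    body = data[6:6 + list_len]
    if len(body) != list_len or list_len % 2:
        raise ValueError("truncated signature_algorithms list")
    names = []
    for i in range(0, list_len, 2):
        code = int.from_bytes(body[i:i + 2], "big")  # high byte = hash, low byte = sig
        names.append(TLS13_NAMES.get(code) or
                     f"{SIGS.get(code & 0xFF, 'unknown')}:{HASHES.get(code >> 8, 'unknown')}")
    return names

# openssl "Signature Algorithm" strings mapped to the TLS 1.2 'sig:hash' names above.
OPENSSL_TO_SIGALG = {
    "md5WithRSAEncryption": "rsa:md5", "sha1WithRSAEncryption": "rsa:sha1",
    "sha256WithRSAEncryption": "rsa:sha256", "sha384WithRSAEncryption": "rsa:sha384",
    "sha512WithRSAEncryption": "rsa:sha512", "ecdsa-with-SHA256": "ecdsa:sha256",
    "ecdsa-with-SHA384": "ecdsa:sha384", "ecdsa-with-SHA512": "ecdsa:sha512",
}

def unsupported_chain_signatures(chain_openssl_algs, offered):
    """Chain members (by openssl algorithm name) the peer did not offer to verify."""
    return [a for a in chain_openssl_algs if OPENSSL_TO_SIGALG.get(a, a) not in offered]

if __name__ == "__main__":
    offered = parse_sigalgs(SIGALG_EXT_HEX)
    print("offered:", ", ".join(offered))
    # Constructed placeholder chain, not the real IHS certificates.
    print("rejected:", unsupported_chain_signatures(["sha1WithRSAEncryption"], offered))
```

The decoded list contains no sha1 or md5 pair at all, so a self-signed IHS certificate (or any member of its chain) signed with SHA-1 would be refused by exactly this check; the chain's algorithms can be read with `openssl x509 -in cert.pem -noout -text | grep 'Signature Algorithm'`.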