
curl: RSA_padding_check_PKCS1_type_1:invalid padding

I am generating an X509 certificate through code (using OpenSSL APIs) for my server application. I have just added support for TLSv1.3 by adding TLSv1.3 ciphers in the supported list in my code.

There is no change in certificate generation and assigning RSA pub + private key to the certificate.

I have upgraded the curl and OpenSSL libraries on the client to enable TLSv1.3 connections. Upgraded curl version: 7.63.0 and OpenSSL version: 1.1.1.

I am seeing the error below:

* TCP_NODELAY set
* Connected to <domain> (<ip-address>) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: myCA.pem
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [6 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [1781 bytes data]
* TLSv1.3 (OUT), TLS alert, decrypt error (563):
} [2 bytes data]
* error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (35) error:0407008A:rsa routines:RSA_padding_check_PKCS1_type_1:invalid padding

The same error occurs even with TLSv1.2 (using the same upgraded client).

What am I missing here? Please help.

Brijesh Valera asked Mar 05 '19 06:03


1 Answer

I know this is an old one, but I just had the same issue because I copied a PEM file from Windows with CRLF included instead of LF.

Use cat -v cert.pem to check for it.

Noël Bardelot answered Sep 30 '22 12:09
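
The CRLF check suggested in the answer above, written out as an added example that is not part of the original answer: it counts the lines `cat -v` would show ending in `^M`, writes an LF-only copy, and confirms that only the line endings changed. The function names and the sample PEM body are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper names): find and repair CRLF line
# endings in a PEM file that was copied from Windows.
CR=$(printf '\r')

# Write a constructed 3-line PEM with CRLF endings to $1.
# The body is a placeholder, not a real certificate.
make_sample() {
    printf '%s\r\n' \
        "-----BEGIN CERTIFICATE-----" \
        "Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=" \
        "-----END CERTIFICATE-----" > "$1"
}

# Print the number of lines ending in CR (shown as ^M by `cat -v`).
# grep -c exits 1 on zero matches but still prints 0, hence `|| true`.
pem_crlf_lines() {
    grep -c "${CR}\$" "$1" || true
}

# Print the base64 payload with markers and all whitespace removed, so two
# copies can be compared independently of their line endings.
pem_payload() {
    grep -v '^-----' "$1" | tr -d ' \t\r\n'
}

# Write an LF-only copy of $1 to $2. Fails if the payload differs
# (for example a truncated write) or if any CR is left behind.
pem_normalize() {
    tr -d '\r' < "$1" > "$2" || return 1
    [ "$(pem_payload "$1")" = "$(pem_payload "$2")" ] || return 1
    [ "$(pem_crlf_lines "$2")" -eq 0 ]
}

# Demo on the constructed sample.
tmp=$(mktemp -d)
make_sample "$tmp/cert.pem"
echo "CRLF lines before: $(pem_crlf_lines "$tmp/cert.pem")"
if pem_normalize "$tmp/cert.pem" "$tmp/cert.lf.pem"; then
    echo "CRLF lines after:  $(pem_crlf_lines "$tmp/cert.lf.pem")"
fi
rm -rf "$tmp"
```

Writing to a second file keeps the original untouched until the copy has been checked.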