3.4 Troubleshooting

Troubleshooting for common issues with the PQ cryptography infrastructure.


Quick Diagnostics

Run these commands to check system status:

# 1. OpenSSL version
openssl version
# Expected: OpenSSL 3.6.0 or higher
 
# 2. PQ algorithms available?
openssl list -signature-algorithms | grep -i "ml-dsa"
openssl list -kem-algorithms | grep -i "ml-kem"
 
# 3. Provider active?
openssl list -providers
 
# 4. .NET Runtime
dotnet --list-runtimes | grep "NETCore.App 8"
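A small POSIX shell helper, added here as an example and not part of the WvdS.Crypto project, that turns the checks above into functions with exit codes so they can be scripted on Linux/macOS. The file name pq-diag.sh and the listing formats it parses are assumptions; the provider check is the same one the FIPS Provider diagnosis below relies on.

```shell
#!/bin/sh
# Hypothetical helper (added example, not part of the WvdS.Crypto project).
# Usage: sh pq-diag.sh --run  -> exit 0 when OpenSSL 3.6+ with ML-DSA/ML-KEM is ready

# Succeed when an "openssl version" line reports OpenSSL 3.6.0 or newer.
# LibreSSL or unparsable input fails: the PQ algorithms need OpenSSL >= 3.6.
openssl_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -gt 3 ]; then return 0; fi
    if [ "$major" -eq 3 ] && [ "$minor" -ge 6 ]; then return 0; fi
    return 1
}

# Succeed when an "openssl list -providers" listing (argument 1) contains the
# provider named in argument 2 with "status: active". Provider names sit at
# two-space indent, their properties at four; the awk script relies on that.
provider_active() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^  [^ ]/                        { cur = $1 }
        cur == want && /status: active/  { found = 1 }
        END                              { exit found ? 0 : 1 }'
}

# Succeed when an algorithm listing (argument 1) names the family in argument 2,
# e.g. "ml-dsa" against "openssl list -signature-algorithms" output.
algorithm_listed() {
    printf '%s\n' "$1" | grep -qi -- "$2"
}

# Live run of the Quick Diagnostics; stops at the first failing check.
run_quick_diagnostics() {
    command -v openssl >/dev/null 2>&1 || { echo "FAIL: openssl not in PATH"; return 1; }
    v=$(openssl version)
    openssl_version_ok "$v" || { echo "FAIL: $v (3.6.0+ required)"; return 1; }
    algorithm_listed "$(openssl list -signature-algorithms)" ml-dsa \
        || { echo "FAIL: no ML-DSA signature algorithm listed"; return 1; }
    algorithm_listed "$(openssl list -kem-algorithms)" ml-kem \
        || { echo "FAIL: no ML-KEM algorithm listed"; return 1; }
    provider_active "$(openssl list -providers)" default \
        || { echo "FAIL: default provider not active"; return 1; }
    echo "OK: $v with ML-DSA and ML-KEM available"
}
if [ "${1:-}" = "--run" ]; then run_quick_diagnostics; fi
```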

OpenSSL Errors

libcrypto not found

Symptom:

Unable to load DLL 'libcrypto-3-x64.dll'

Diagnosis:

# Windows - search for DLL
where libcrypto-3-x64.dll
 
# Linux - search for shared library
ldconfig -p | grep libcrypto
 
# macOS - search for dylib
ls /usr/local/lib/libcrypto*

Solution Windows (PowerShell as Administrator):

# Check PATH
$env:PATH -split ";" | Select-String "OpenSSL"
 
# Extend the machine PATH (if not present). Read the Machine-scope value rather
# than $env:Path, which merges Machine and User scopes and would duplicate entries.
$machinePath = [Environment]::GetEnvironmentVariable("Path", "Machine")
[Environment]::SetEnvironmentVariable("Path", $machinePath + ";C:\Program Files\OpenSSL\bin", "Machine")
 
# Or set OPENSSL_PATH
[Environment]::SetEnvironmentVariable("OPENSSL_PATH", "C:\Program Files\OpenSSL\bin", "Machine")

Solution Linux:

# Update ldconfig
echo "/usr/local/openssl/lib64" | sudo tee /etc/ld.so.conf.d/openssl.conf
sudo ldconfig
 
# Verify
ldconfig -p | grep libcrypto

OpenSSL version too old

Symptom:

OpenSSL version 3.6.0+ required for ML-DSA

Diagnosis:

# Full version and build info
openssl version -a
 
# Find installed versions (Linux)
find /usr -name "openssl" -type f 2>/dev/null
 
# Find installed versions (Windows)
where /r C:\ openssl.exe 2>nul

Solution: Upgrade to OpenSSL 3.6.0+ (see Installation).


PQ algorithms not available

Symptom:

openssl list -signature-algorithms | grep -i "ml-dsa"
# No output

Diagnosis:

# Check provider status
openssl list -providers
 
# All available signature algorithms
openssl list -signature-algorithms
 
# All available KEM algorithms
openssl list -kem-algorithms

Possible causes:

  • OpenSSL < 3.6.0 (ML-DSA/ML-KEM only from 3.6)
  • Provider not loaded
  • Custom build without PQ support

Certificate Errors

Display certificate details

# Analyze certificate in PEM format
openssl x509 -in cert.pem -text -noout
 
# Check signature algorithm
openssl x509 -in cert.pem -text -noout | grep "Signature Algorithm"
 
# Expected for PQ certificates:
# Signature Algorithm: ML-DSA-65 or ML-DSA-87
 
# Public key details
openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -text -noout

Verify certificate chain

# Simple verification
openssl verify -CAfile root-ca.crt -untrusted intermediate.crt server.crt
 
# Verbose with error details
openssl verify -verbose -CAfile root-ca.crt -untrusted intermediate.crt server.crt
 
# Expected output on success:
# server.crt: OK

Common verification errors:

Error                                  | Meaning                 | Solution
unable to get local issuer certificate | CA certificate missing  | Add Root/Intermediate CA
certificate has expired                | Certificate expired     | Renew certificate
certificate signature failure          | Signature invalid       | Certificate corrupted/tampered
self signed certificate in chain       | Self-signed not trusted | Add Root CA to trust store

Key Store Errors

PQ key not found

Symptom:

PQ private key not found for certificate thumbprint: ABC123...

Diagnosis:

Windows (PowerShell):

# PQ key store path
$pqKeyStore = "$env:LOCALAPPDATA\WvdS.Crypto\PqKeys"
 
# Check existence
Test-Path $pqKeyStore
 
# List contents
Get-ChildItem $pqKeyStore -ErrorAction SilentlyContinue
 
# Check permissions
Get-Acl $pqKeyStore | Format-List

Linux:

# PQ key store path
PQ_KEYSTORE=~/.local/share/wvds-crypto/pqkeys
 
# Check existence
ls -la $PQ_KEYSTORE
 
# Check permissions (should be 700)
stat $PQ_KEYSTORE

Solution:

  1. Restore from backup
  2. If no backup: Re-create certificate with new key pair

FIPS Mode Errors

FIPS Provider not active

Diagnosis:

# List providers
openssl list -providers
 
# Should contain:
#   fips
#     name: OpenSSL FIPS Provider
#     status: active

Solution: Enable the FIPS Provider in openssl.cnf (see FIPS Configuration).


Algorithm not FIPS-compliant

Symptom:

error:0308010C:digital envelope routines::unsupported

Cause: Algorithm not permitted in FIPS mode.

FIPS 140-3 approved algorithms:

Type      | Approved                           | Not Approved
Signature | ML-DSA-44/65/87, RSA >=2048, ECDSA | Ed25519, Ed448
KEM       | ML-KEM-512/768/1024                | X25519, X448
Hash      | SHA-256, SHA-384, SHA-512          | MD5, SHA-1
Cipher    | AES-GCM                            | ChaCha20

Network Diagnostics

Test TLS connection

# TLS handshake and certificate check
openssl s_client -connect server.example.com:443 -showcerts
 
# With specific CA bundle
openssl s_client -connect server.example.com:443 -CAfile /path/to/ca-bundle.crt
 
# Force TLS 1.3
openssl s_client -connect server.example.com:443 -tls1_3

Retrieve certificate from server

# Download and save certificate
openssl s_client -connect server.example.com:443 < /dev/null 2>/dev/null | \
    openssl x509 -outform PEM > server.crt
 
# Analyze certificate
openssl x509 -in server.crt -text -noout

Log Analysis

OpenSSL error codes

# Look up an error code (the 8 hex digits from an "error:XXXXXXXX:..." string)
openssl errstr 0308010C
# Expected: error:0308010C:digital envelope routines::unsupported
 
# errstr only decodes codes passed on the command line; it does not list past
# errors. Take the code from the application's error message or log entry.

Check Windows Event Log

# Cryptography-related events
Get-EventLog -LogName Application -Source "*Crypto*" -Newest 20
 
# .NET Runtime errors
Get-EventLog -LogName Application -Source ".NET Runtime" -Newest 10 -EntryType Error

Check Linux Syslog

# OpenSSL-related entries
journalctl | grep -i openssl | tail -20
 
# .NET Runtime errors
journalctl | grep -i dotnet | tail -20

Further Reading


Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Last modified: 2026/01/29 at 11:12 PM