I've been struggling with this for a few days.

We've obtained an ECC certificate using the following openssl routines:

openssl ecparam -genkey -name secp521r1 | openssl ec -out ec.key
openssl req -new -key ec.key -out ec.csr

Upon receiving the certs, we used the following routine to generate the 
Diffie-Hellman (DH) parameters for the keyfile:

openssl dhparam -rand - 1024 >> ec.key

When complete, we confirmed that the certificate could be used with openssl:

openssl s_server -accept 8443 -cert ssl/ec.pem -key ssl/ec.key -CAfile ssl/ec_chain.pem

and 

openssl s_client -tls1 -connect hostname:8443 -cipher 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH' -msg

This works flawlessly.

When attempting to use the same certs on the same server with nodejs, 
there's no joy.


Here's the general config:

var tls = require('tls');
var fs = require('fs');
// The original script presumably takes common.PORT from node's test helpers;
// 8443 is the port shown in the server log below.
var common = { PORT: 8443 };

var options = {
  cert: fs.readFileSync('ssl/ec.pem'),          // EC certificate
  key: fs.readFileSync('ssl/ec.key'),           // EC private key (with DH params appended)
  ca: fs.readFileSync('ssl/ec_chain.pem'),
  ciphers: 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH',
  ecdhCurve: 'secp521r1',                       // curve for ECDHE key exchange
  honorCipherOrder: true
};

tls.createServer(options, function() {
}).listen(common.PORT, function() {
    console.log('Server started on port: ' + common.PORT);
}).on('clientError', function(err){
    console.log('A failed client connection attempt occurred.');
    console.error(err);
    console.log();
});

This starts a server,

sudo NODE_DEBUG=tls,fs,net,crypto node test-server-2.js
NET: 21217 listen2 0.0.0.0 8443 4 false
NET: 21217 _listen2: create a handle
NET: 21217 bind to 0.0.0.0
Server started on port: 8443

but when trying to connect to this server using openssl, I'm seeing the 
following in the server logs:

openssl s_client -tls1 -connect hostname:8443 -cipher 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH' -msg

NET: 21217 onconnection
NET: 21217 _read
NET: 21217 Socket._read readStart
TLS: encrypted.read called with 16384 bytes
TLS: encrypted.read succeed with 0 bytes
TLS: onhandshakestart
TLS: encrypted.read called with 16384 bytes
TLS: encrypted.read succeed with 0 bytes
NET: 21217 onread undefined 0 115 115
NET: 21217 got data
NET: 21217 _read
TLS: encrypted.write called with 115 bytes
TLS: cleartext.read called with 16384 bytes
TLS: SecurePair.destroy
TLS: cleartext.destroy
TLS: encrypted.destroy
A failed client connection attempt occurred.
[Error: 140230049531904:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:993:]
...

and this in the client:
CONNECTED(00000003)
>>> ??? [length 0005]
    16 03 01 00 a1
>>> TLS 1.0 Handshake [length 00a1], ClientHello
    01 00 00 9d 03 01 59 bd 15 7a 3a 4b fe fc b2 41
    36 9b cd ca 38 7f 5f af de 36 53 1d ec a4 02 d2
    9e a2 8e 6a 10 3f 00 00 42 c0 11 c0 07 c0 0c c0
    02 00 05 c0 14 c0 0a 00 37 00 36 00 86 00 85 c0
    0f c0 05 00 35 00 84 c0 13 c0 09 00 31 00 30 00
    43 00 42 c0 0e c0 04 00 2f 00 41 c0 12 c0 08 00
    10 00 0d c0 0d c0 03 00 0a 00 ff 02 01 00 00 31
    00 0b 00 04 03 00 01 02 00 0a 00 1c 00 1a 00 17
    00 19 00 1c 00 1b 00 18 00 1a 00 16 00 0e 00 0d
    00 0b 00 0c 00 09 00 0a 00 23 00 00 00 0f 00 01
    01
140735256072272:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
...

and the connection is never made. 

Can anyone provide guidance that will help us get this loaded?

You received this message because you are subscribed to the Google Groups 
"nodejs" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/nodejs/e1813991-5b20-474b-83b5-9460656e728b%40googlegroups.com.
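Added example (not part of the post or of node): a small Node script that decodes the TLS 1.0 ClientHello bytes from the s_client -msg dump above and reports which of the offered cipher suites an EC certificate can actually authenticate (the RFC 4492 ECDHE_ECDSA range 0xC006..0xC00A; the ECDHE-RSA suites in the configured cipher string need an RSA certificate) and whether the client offers the curve the server configures, secp521r1 (IANA id 0x0019). It assumes the hex dump is copied verbatim from the post and uses only Node's Buffer.

```javascript
// ClientHello record as printed by s_client -msg in the post (record header + handshake).
const CLIENT_HELLO_HEX = `16 03 01 00 a1
01 00 00 9d 03 01 59 bd 15 7a 3a 4b fe fc b2 41
36 9b cd ca 38 7f 5f af de 36 53 1d ec a4 02 d2
9e a2 8e 6a 10 3f 00 00 42 c0 11 c0 07 c0 0c c0
02 00 05 c0 14 c0 0a 00 37 00 36 00 86 00 85 c0
0f c0 05 00 35 00 84 c0 13 c0 09 00 31 00 30 00
43 00 42 c0 0e c0 04 00 2f 00 41 c0 12 c0 08 00
10 00 0d c0 0d c0 03 00 0a 00 ff 02 01 00 00 31
00 0b 00 04 03 00 01 02 00 0a 00 1c 00 1a 00 17
00 19 00 1c 00 1b 00 18 00 1a 00 16 00 0e 00 0d
00 0b 00 0c 00 09 00 0a 00 23 00 00 00 0f 00 01
01`;

// Decode record header, handshake header, ClientHello body and the
// elliptic_curves / supported_groups extension (type 0x000a).
function parseClientHello(buf) {
  if (buf[0] !== 0x16 || buf[5] !== 0x01) throw new Error('not a ClientHello record');
  const hs = buf.subarray(5, 5 + buf.readUInt16BE(3));   // handshake message
  const clientVersion = `${hs[4]}.${hs[5]}`;
  let p = 6;                                   // past type, 24-bit length, client version
  p += 32 + 1 + hs[p + 32];                    // client random, session id
  const csLen = hs.readUInt16BE(p); p += 2;
  const cipherSuites = [];
  for (let i = 0; i < csLen; i += 2) cipherSuites.push(hs.readUInt16BE(p + i));
  p += csLen;
  p += 1 + hs[p];                              // compression methods
  const curves = [];
  const extEnd = p < hs.length ? p + 2 + hs.readUInt16BE(p) : p; p += 2;
  while (p < extEnd) {
    const type = hs.readUInt16BE(p), len = hs.readUInt16BE(p + 2); p += 4;
    if (type === 0x000a) {
      for (let i = 0; i < hs.readUInt16BE(p); i += 2) curves.push(hs.readUInt16BE(p + 2 + i));
    }
    p += len;
  }
  return { recordVersion: `${buf[1]}.${buf[2]}`, clientVersion, cipherSuites, curves };
}

// 0xC006..0xC00A are the RFC 4492 ECDHE_ECDSA suites (the only ECDHE suites in this
// TLS 1.0 offer that an EC certificate can sign for); ECDHE_RSA is 0xC010..0xC014.
function analyse(hex) {
  const hello = parseClientHello(Buffer.from(hex.replace(/\s+/g, ''), 'hex'));
  return { ...hello,
    ecdsaSuites: hello.cipherSuites.filter(s => s >= 0xc006 && s <= 0xc00a),
    offersSecp521r1: hello.curves.includes(0x0019) };   // IANA id of secp521r1
}

console.log(analyse(CLIENT_HELLO_HEX));
```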