I'm not an SSL expert, and probably only a few people on this list are, but 
my hunch is you are doing something wrong with your config and the 
"honorCipherOrder: true" property of your options object is causing it to 
show up in node.js when it didn't in openssl s_server.

That hex blob the client dumped probably has the answer in it, but 
wireshark can make it easy to see what ciphers the client actually 
presents, and I suspect there is a surprise in there that either doesn't 
require auth when you use the RSA client.  Because I don't expect that you 
can do RSA authentication with an EC certificate.

The cipher suite you might want to try is:

ECDHE-ECDSA-RC4-SHA

Cheers,
-johnny

On Thursday, April 21, 2016 at 2:01:41 PM UTC-7, Eugene Williams wrote:
>
> I've been struggling with this for a few days.
>
> We've obtained an ECC certificate using the following openssl routines:
>
> openssl ecparam -genkey -name secp521r1 | openssl ec -out ec.key
> openssl req -new -key ec.key -out ec.csr
>
>
> Upon receiving the certs, we used the following routine to generate the 
> Diffie Hellman (DH) parameters for the keyfile:
>
> openssl dhparam -rand - 1024 >> ec.key
>
>
> When complete, we confirmed that the certificate could be used with 
> openssl:
>
> openssl s_server -accept 8443 -cert ssl/ec.pem -key ssl/ec.key -CAfile ssl/ec_chain.pem
>
> and 
>
> openssl s_client -tls1 -connect hostname:8443 -cipher 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH' -msg
>
> This works flawlessly.
>
> When attempting to use the same certs on the same server with nodejs, 
> there's no joy.
>
> Here's the general config:
>
> var fs = require('fs');
> var tls = require('tls');
> // `common` is not shown in the post; 8443 is the port the server log below reports.
> var common = { PORT: 8443 };
>
> var options = {
>   cert: fs.readFileSync('ssl/ec.pem'),
>   key: fs.readFileSync('ssl/ec.key'),
>   ca: fs.readFileSync('ssl/ec_chain.pem'),
>   ciphers: 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH',
>   ecdhCurve: 'secp521r1',
>   honorCipherOrder: true
> };
>
> tls.createServer(options, function(socket) {
>   // connection handler intentionally empty in this test server
> }).listen(common.PORT, function() {
>     console.log('Server started on port: ' + common.PORT);
> }).on('clientError', function(err) {
>     console.log('A failed client connection attempt occurred.');
>     console.error(err);
>     console.log();
> });
>
> I start the server with the following:
>
> sudo NODE_DEBUG=tls,fs,net,crypto node test-server-2.js
>
>
> NET: 21217 listen2 0.0.0.0 8443 4 false
> NET: 21217 _listen2: create a handle
> NET: 21217 bind to 0.0.0.0
> Server started on port: 8443
>
> but when trying to connect to this server using openssl, I'm seeing the 
> following in the server logs:
>
> s_client -tls1 -connect hostname:8443 -cipher 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH' -msg
>
> NET: 21217 onconnection
> NET: 21217 _read
> NET: 21217 Socket._read readStart
> TLS: encrypted.read called with 16384 bytes
> TLS: encrypted.read succeed with 0 bytes
> TLS: onhandshakestart
> TLS: encrypted.read called with 16384 bytes
> TLS: encrypted.read succeed with 0 bytes
> NET: 21217 onread undefined 0 115 115
> NET: 21217 got data
> NET: 21217 _read
> TLS: encrypted.write called with 115 bytes
> TLS: cleartext.read called with 16384 bytes
> TLS: SecurePair.destroy
> TLS: cleartext.destroy
> TLS: encrypted.destroy
> A failed client connection attempt occurred.
> [Error: 140230049531904:error:1408A10B:SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:993:]
> ...
>
> and this in the client:
>
> CONNECTED(00000003)
> >>> ??? [length 0005]
>     16 03 01 00 a1
> >>> TLS 1.0 Handshake [length 00a1], ClientHello
>     01 00 00 9d 03 01 59 bd 15 7a 3a 4b fe fc b2 41
>     36 9b cd ca 38 7f 5f af de 36 53 1d ec a4 02 d2
>     9e a2 8e 6a 10 3f 00 00 42 c0 11 c0 07 c0 0c c0
>     02 00 05 c0 14 c0 0a 00 37 00 36 00 86 00 85 c0
>     0f c0 05 00 35 00 84 c0 13 c0 09 00 31 00 30 00
>     43 00 42 c0 0e c0 04 00 2f 00 41 c0 12 c0 08 00
>     10 00 0d c0 0d c0 03 00 0a 00 ff 02 01 00 00 31
>     00 0b 00 04 03 00 01 02 00 0a 00 1c 00 1a 00 17
>     00 19 00 1c 00 1b 00 18 00 1a 00 16 00 0e 00 0d
>     00 0b 00 0c 00 09 00 0a 00 23 00 00 00 0f 00 01
>     01
> 140735256072272:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:656:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 0 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1
>     Cipher    : 0000
> ...
>
> and the connection is never made. 
>
> Can anyone provide guidance with this?
>

--- 
You received this message because you are subscribed to the Google Groups 
"nodejs" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/nodejs/246c9a1a-4ca1-4636-aea7-ecc30e681548%40googlegroups.com.