Yes, sorry for my ramblings, it was late and there was information I
totally left off that would have made the last part of the comment make
actual sense..
The end of my comment is the important part about changing your cipher
suite.
You see, you used the option "-cipher
'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH" in your openssl s_client
command. Problem is, your certificate is an EC, not RSA, and your cipher
suite you're putting up front is ECDHE-RSA-RC4-SHA. The cipher suite
specification for openssl can be unintuitive and I certainly haven't read
the docs to know enough to determine precisely what is meant by your
argument string. I would expect this string to include everything RSA and
everything considered "HIGH" while discounting all aNULL EDH and MD5
suites... but I'm not sure what effect putting ECDHE-RSA-RC4-SHA right up
front has.
So my suggestion was to change ECDHE-RSA-RC4-SHA to ECDHE-ECDSA-RC4-SHA,
because that's probably what you wanted in the first place. ECDHE is the
key-exchange algorithm, NOT the certificate public key's signing algorithm
(for auth). Your certificate probably has the value "Elliptic Curve
Public Key" in the Algorithm section of your "Public Key Info" section
(based on how you created the private key). The EC key can't do RSA, but
it can do ECDSA. That's why you need a cipher suite with ECDHE-ECDSA-*
Cheers,
-johnny
On Friday, April 22, 2016 at 4:15:39 PM UTC-7, Eugene Williams wrote:
>
> Thanks for the comment Johnny. It's a good idea to install wireshark. I'll
> do that and run some tests. Changing the "honorCipherOrder" parameter had
> no effect.
>
> -Eugene
>
> On Thursday, April 21, 2016 at 9:46:24 PM UTC-7, johnny somethingerman
> wrote:
>>
>> I'm not an SSL expert, and probably only a few people on this list are,
>> but my hunch is you are doing something wrong with your config and the
>> "honorCipherOrder: true" property of your opetions objet is causing it to
>> show up in node.js when it didn't in openssl s_server.
>>
>> That hex blob the client dumped probably has the answer in it, but
>> wireshark can make it easy to see what ciphers the client actually
>> presents, and I suspect there is a surprise in there that either doesn't
>> require auth when you use the RSA client. Because I don't expect that you
>> can do RSA authentication with an EC certificate.
>>
>> The cipher suite you might want to try is:
>>
>> ECDHE-ECDSA-RC4-SHA
>>
>> Cheers,
>> -johnny
>>
>> On Thursday, April 21, 2016 at 2:01:41 PM UTC-7, Eugene Williams wrote:
>>>
>>> I've been struggling with this for a few days.
>>>
>>> We've obtained an ECC certificate using the following openssl routines:
>>>
>>> openssl ecparam -genkey -name secp521r1 | openssl ec -out ec.key
>>> openssl req -new -key ec.key -out ec.csr
>>>
>>>
>>> Upon receiving the certs, we used the following routine to generate the
>>> Diffie Hellman (DH) parameters for the keyfile:
>>>
>>> openssl dhparam -rand - 1024 >> ec.key
>>>
>>>
>>> When complete, we confirmed that the certificate could be used with
>>> openssl:
>>>
>>> openssl s_server -accept 8443 -cert ssl/ec.pem -key ssl/ec.key -CAfile
>>> ssl/ec_chain.pem
>>>
>>> and
>>>
>>> openssl s_client -tls1 -connect hostname:8443 -cipher
>>> 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH' -msg
>>>
>>> This works flawlessly.
>>>
>>> When attempting to use the same certs on the same server with nodejs,
>>> there's no joy.
>>>
>>> Here's the general config:
>>>
>>> var options = {
>>> cert: fs.readFileSync('ssl/ec.pem'),
>>> key: fs.readFileSync('ssl/ec.key'),
>>> ca: fs.readFileSync('ssl/ec_chain.pem'),
>>> ciphers: 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH',
>>> ecdhCurve: 'secp521r1',
>>> honorCipherOrder: true
>>> };
>>>
>>>
>>> tls.createServer(options, function() {
>>> }).listen(common.PORT, function() {
>>> console.log('Server started on port: ' + common.PORT);
>>> }).on('clientError', function(err){
>>> console.log('A failed client connection attempt occurred.');
>>> console.error(err);
>>> console.log();
>>> });
>>>
>>> I start the server with the following:
>>>
>>> sudo NODE_DEBUG=tls,fs,net,crypto node test-server-2.js
>>>
>>>
>>> NET: 21217 listen2 0.0.0.0 8443 4 false
>>> NET: 21217 _listen2: create a handle
>>> NET: 21217 bind to 0.0.0.0
>>> Server started on port: 8443
>>>
>>> but when trying to connect to this server using openssl, I'm seeing the
>>> following in the server logs:
>>>
>>> s_client -tls1 -connect hostname:8443 -cipher
>>> 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH' -msg
>>>
>>> NET: 21217 onconnection
>>> NET: 21217 _read
>>> NET: 21217 Socket._read readStart
>>> TLS: encrypted.read called with 16384 bytes
>>> TLS: encrypted.read succeed with 0 bytes
>>> TLS: onhandshakestart
>>> TLS: encrypted.read called with 16384 bytes
>>> TLS: encrypted.read succeed with 0 bytes
>>> NET: 21217 onread undefined 0 115 115
>>> NET: 21217 got data
>>> NET: 21217 _read
>>> TLS: encrypted.write called with 115 bytes
>>> TLS: cleartext.read called with 16384 bytes
>>> TLS: SecurePair.destroy
>>> TLS: cleartext.destroy
>>> TLS: encrypted.destroy
>>> A failed client connection attempt occurred.
>>> [Error: 140230049531904:error:1408A10B:SSL
>>> routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:993:]
>>> ...
>>>
>>> and this in the client:
>>>
>>> CONNECTED(00000003)
>>> >>> ??? [length 0005]
>>> 16 03 01 00 a1
>>> >>> TLS 1.0 Handshake [length 00a1], ClientHello
>>> 01 00 00 9d 03 01 59 bd 15 7a 3a 4b fe fc b2 41
>>> 36 9b cd ca 38 7f 5f af de 36 53 1d ec a4 02 d2
>>> 9e a2 8e 6a 10 3f 00 00 42 c0 11 c0 07 c0 0c c0
>>> 02 00 05 c0 14 c0 0a 00 37 00 36 00 86 00 85 c0
>>> 0f c0 05 00 35 00 84 c0 13 c0 09 00 31 00 30 00
>>> 43 00 42 c0 0e c0 04 00 2f 00 41 c0 12 c0 08 00
>>> 10 00 0d c0 0d c0 03 00 0a 00 ff 02 01 00 00 31
>>> 00 0b 00 04 03 00 01 02 00 0a 00 1c 00 1a 00 17
>>> 00 19 00 1c 00 1b 00 18 00 1a 00 16 00 0e 00 0d
>>> 00 0b 00 0c 00 09 00 0a 00 23 00 00 00 0f 00 01
>>> 01
>>> 140735256072272:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl
>>> handshake failure:s3_pkt.c:656:
>>> ---
>>> no peer certificate available
>>> ---
>>> No client certificate CA names sent
>>> ---
>>> SSL handshake has read 0 bytes and written 0 bytes
>>> ---
>>> New, (NONE), Cipher is (NONE)
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> No ALPN negotiated
>>> SSL-Session:
>>> Protocol : TLSv1
>>> Cipher : 0000
>>> ...
>>>
>>> and the connection is never made.
>>>
>>> Can anyone provide guidance with this?
>>>
>>
--
Job board: http://jobs.nodejs.org/
New group rules:
https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules:
https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups
"nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/nodejs/699b3d2e-5179-41d0-818c-6b98ede39906%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
