Thanks again for the suggestion Johnny.
I updated the server configuration with the new cipher suite. The final
setup is:
var ciphersall =
'ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK'
;
var options = {
cert: [fs.readFileSync('ssl/GEOTRUST_rsa_full.pem'),fs.readFileSync(
'ssl/COMODO_ecc_full.pem')],
key: [fs.readFileSync('ssl/GEOTRUST_rsa.key'),fs.readFileSync(
'ssl/COMODO_ecc.key')],
ca: fs.readFileSync('ssl/COMODO-GEOTRUST_chain.pem')
, ciphers: ciphersall
, ecdhCurve: 'secp521r1'
, honorCipherOrder: true
};
But I'm still getting errors:
SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Not sure how to handle it from here. I feel as though I've tried everything
I know to do. It's as though nodejs doesn't understand how to begin the
conversation - initial handshake is fine, beyond that, no luck. I tested
again using the same certs with the openssl on the same server, works fine,
so I'm trusting nothing is wrong with the actual certs or the keys.
-Eugene
On Friday, April 22, 2016 at 9:12:01 PM UTC-7, johnny somethingerman wrote:
>
> Yes, sorry for my ramblings, it was late and there was information I
> totally left off that would have made the last part of the comment make
> actual sense..
>
> The end of my comment is the important part about changing your cipher
> suite.
>
> You see, you used the option "-cipher
> 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH" in your openssl s_client
> command. Problem is, your certificate is an EC, not RSA, and your cipher
> suite you're putting up front is ECDHE-RSA-RC4-SHA. The cipher suite
> specification for openssl can be unintuitive and I certainly haven't read
> the docs to know enough to determine precisely what is meant by your
> argument string. I would expect this string to include everything RSA and
> everything considered "HIGH" while discounting all aNULL EDH and MD5
> suites... but I'm not sure what effect putting ECDHE-RSA-RC4-SHA right up
> front has.
>
> So my suggestion was to change ECDHE-RSA-RC4-SHA to ECDHE-ECDSA-RC4-SHA,
> because that's probably what you wanted in the first place. ECDHE is the
> key-exchange algorithm, NOT the certificate public key's signing algorithm
> (for auth). Your certificate probably has the value "Elliptic Curve
> Public Key" in the Algorithm section of your "Public Key Info" section
> (based on how you created the private key). The EC key can't do RSA, but
> it can do ECDSA. That's why you need a cipher suite with ECDHE-ECDSA-*
>
> Cheers,
> -johnny
>
> On Friday, April 22, 2016 at 4:15:39 PM UTC-7, Eugene Williams wrote:
>>
>> Thanks for the comment Johnny. It's a good idea to install wireshark.
>> I'll do that and run some tests. Changing the "honorCipherOrder" parameter
>> had no effect.
>>
>> -Eugene
>>
>> On Thursday, April 21, 2016 at 9:46:24 PM UTC-7, johnny somethingerman
>> wrote:
>>>
>>> I'm not an SSL expert, and probably only a few people on this list are,
>>> but my hunch is you are doing something wrong with your config and the
>>> "honorCipherOrder: true" property of your opetions objet is causing it to
>>> show up in node.js when it didn't in openssl s_server.
>>>
>>> That hex blob the client dumped probably has the answer in it, but
>>> wireshark can make it easy to see what ciphers the client actually
>>> presents, and I suspect there is a surprise in there that either doesn't
>>> require auth when you use the RSA client. Because I don't expect that you
>>> can do RSA authentication with an EC certificate.
>>>
>>> The cipher suite you might want to try is:
>>>
>>> ECDHE-ECDSA-RC4-SHA
>>>
>>> Cheers,
>>> -johnny
>>>
>>> On Thursday, April 21, 2016 at 2:01:41 PM UTC-7, Eugene Williams wrote:
>>>>
>>>> I've been struggling with this for a few days.
>>>>
>>>> We've obtained an ECC certificate using the following openssl routines:
>>>>
>>>> openssl ecparam -genkey -name secp521r1 | openssl ec -out ec.key
>>>> openssl req -new -key ec.key -out ec.csr
>>>>
>>>>
>>>> Upon receiving the certs, we used the following routine to generate the
>>>> Diffie Hellman (DH) parameters for the keyfile:
>>>>
>>>> openssl dhparam -rand - 1024 >> ec.key
>>>>
>>>>
>>>> When complete, we confirmed that the certificate could be used with
>>>> openssl:
>>>>
>>>> openssl s_server -accept 8443 -cert ssl/ec.pem -key ssl/ec.key -CAfile
>>>> ssl/ec_chain.pem
>>>>
>>>> and
>>>>
>>>> openssl s_client -tls1 -connect hostname:8443 -cipher
>>>> 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH' -msg
>>>>
>>>> This works flawlessly.
>>>>
>>>> When attempting to use the same certs on the same server with nodejs,
>>>> there's no joy.
>>>>
>>>> Here's the general config:
>>>>
>>>> var options = {
>>>> cert: fs.readFileSync('ssl/ec.pem'),
>>>> key: fs.readFileSync('ssl/ec.key'),
>>>> ca: fs.readFileSync('ssl/ec_chain.pem'),
>>>> ciphers: 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH',
>>>> ecdhCurve: 'secp521r1',
>>>> honorCipherOrder: true
>>>> };
>>>>
>>>>
>>>> tls.createServer(options, function() {
>>>> }).listen(common.PORT, function() {
>>>> console.log('Server started on port: ' + common.PORT);
>>>> }).on('clientError', function(err){
>>>> console.log('A failed client connection attempt occurred.');
>>>> console.error(err);
>>>> console.log();
>>>> });
>>>>
>>>> I start the server with the following:
>>>>
>>>> sudo NODE_DEBUG=tls,fs,net,crypto node test-server-2.js
>>>>
>>>>
>>>> NET: 21217 listen2 0.0.0.0 8443 4 false
>>>> NET: 21217 _listen2: create a handle
>>>> NET: 21217 bind to 0.0.0.0
>>>> Server started on port: 8443
>>>>
>>>> but when trying to connect to this server using openssl, I'm seeing the
>>>> following in the server logs:
>>>>
>>>> s_client -tls1 -connect hostname:8443 -cipher
>>>> 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH' -msg
>>>>
>>>> NET: 21217 onconnection
>>>> NET: 21217 _read
>>>> NET: 21217 Socket._read readStart
>>>> TLS: encrypted.read called with 16384 bytes
>>>> TLS: encrypted.read succeed with 0 bytes
>>>> TLS: onhandshakestart
>>>> TLS: encrypted.read called with 16384 bytes
>>>> TLS: encrypted.read succeed with 0 bytes
>>>> NET: 21217 onread undefined 0 115 115
>>>> NET: 21217 got data
>>>> NET: 21217 _read
>>>> TLS: encrypted.write called with 115 bytes
>>>> TLS: cleartext.read called with 16384 bytes
>>>> TLS: SecurePair.destroy
>>>> TLS: cleartext.destroy
>>>> TLS: encrypted.destroy
>>>> A failed client connection attempt occurred.
>>>> [Error: 140230049531904:error:1408A10B:SSL
>>>> routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:993:]
>>>> ...
>>>>
>>>> and this in the client:
>>>>
>>>> CONNECTED(00000003)
>>>> >>> ??? [length 0005]
>>>> 16 03 01 00 a1
>>>> >>> TLS 1.0 Handshake [length 00a1], ClientHello
>>>> 01 00 00 9d 03 01 59 bd 15 7a 3a 4b fe fc b2 41
>>>> 36 9b cd ca 38 7f 5f af de 36 53 1d ec a4 02 d2
>>>> 9e a2 8e 6a 10 3f 00 00 42 c0 11 c0 07 c0 0c c0
>>>> 02 00 05 c0 14 c0 0a 00 37 00 36 00 86 00 85 c0
>>>> 0f c0 05 00 35 00 84 c0 13 c0 09 00 31 00 30 00
>>>> 43 00 42 c0 0e c0 04 00 2f 00 41 c0 12 c0 08 00
>>>> 10 00 0d c0 0d c0 03 00 0a 00 ff 02 01 00 00 31
>>>> 00 0b 00 04 03 00 01 02 00 0a 00 1c 00 1a 00 17
>>>> 00 19 00 1c 00 1b 00 18 00 1a 00 16 00 0e 00 0d
>>>> 00 0b 00 0c 00 09 00 0a 00 23 00 00 00 0f 00 01
>>>> 01
>>>> 140735256072272:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl
>>>> handshake failure:s3_pkt.c:656:
>>>> ---
>>>> no peer certificate available
>>>> ---
>>>> No client certificate CA names sent
>>>> ---
>>>> SSL handshake has read 0 bytes and written 0 bytes
>>>> ---
>>>> New, (NONE), Cipher is (NONE)
>>>> Secure Renegotiation IS NOT supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> No ALPN negotiated
>>>> SSL-Session:
>>>> Protocol : TLSv1
>>>> Cipher : 0000
>>>> ...
>>>>
>>>> and the connection is never made.
>>>>
>>>> Can anyone provide guidance with this?
>>>>
>>>
--
Job board: http://jobs.nodejs.org/
New group rules:
https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules:
https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups
"nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/nodejs/4592e736-f90d-495e-89c0-beeba97d6a01%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
