Re: ECDSA and HAProxy help

2016-10-13 Thread Bryan Talbot 

> On Oct 13, 2016, at Oct 13, 3:19 PM, Thierry Fournier 
>  wrote:
> 
> 
> The negociated cipher is "AECDH-AES256-SHA", and I don't know if this
> cipher is ECDSA :) At least it seems to work.
> 
> Thierry
> 


That’s not a cipher that would normally be considered “good” to use since it 
doesn’t perform any message authentication [1].
It may (or may not) be enough to trigger the memory leak you’re looking for 
though. However, if you’d like to go with a full EC stack and use a realistic 
cipher, then get it working with one of these.


$> openssl ciphers -v 'ECDSA:!NULL'
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) 
Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) 
Mac=AEAD
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-RC4-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128)  Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1




1. https://en.wikipedia.org/wiki/Authenticated_encryption 



-Bryan (not a cryptographer)

Re: ECDSA and HAProxy help

2016-10-13 Thread Thierry Fournier 
Hi,

Thanks guys for the tips. I can connect to haproxy with ECDSA cipher
using the following cipher string on the OpenSSL client side:

   openssl s_client -connect 127.0.0.1:1 -cipher ECDSA:EECDH:ECDH

and this string in the haproxy configuration:

   ssl-default-bind-ciphers "ECDSA:EECDH:ECDH"

and only ECDSA certificates.

The negociated cipher is "AECDH-AES256-SHA", and I don't know if this
cipher is ECDSA :) At least it seems to work.

Thierry



On Tue, 11 Oct 2016 15:32:04 -0700
Bryan Talbot  wrote:

> 
> > On 12 Oct 2016 8:45 am, "Igor Cicimov"  > > wrote:
> > >
> > > On 11 Oct 2016 7:05 pm, "Thierry Fournier"  > > > wrote:
> > > > I'm currently trying to investigate about a little leak of memory in
> > > > the certificates loading, and I try to test ECDSA certificates and
> > > > cipher.
> > > >
> > > > I can't done this :( I don't understand anything in the ECDSA
> > > > certificate process.
> > > >
> > > > My test certificate is generated from a little chain where the root CA
> > > > is autosigned. So the root CA and the 2 intermediate are RSA
> > > > certificates. The ECDSA certificate is build with these commands:
> > > >
> > > >openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
> > > >   $CN.ecdsa.key
> > 
> > 
> 
> 
> I ran into this as well and it turns out that s_client and s_server do not 
> seem to play nicely with curves when using -param_enc explicit and instead 
> prefer to only deal with named curves.
> 
> Encode the key params using named curve that both sides can accept and your 
> test should work.
> 
> Also, see 
> https://groups.google.com/forum/#!topic/mailing.openssl.users/Rg6yV4ccWeo 
> 
> 
> -Bryan
> 
> 
-- 
Thierry Fournier
Web Performance & Security Expert
m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
w: http://www.ozon.io/| b: http://blog.ozon.io/

Re: ECDSA and HAProxy help

2016-10-11 Thread Bryan Talbot 

> On 12 Oct 2016 8:45 am, "Igor Cicimov"  > wrote:
> >
> > On 11 Oct 2016 7:05 pm, "Thierry Fournier"  > > wrote:
> > > I'm currently trying to investigate about a little leak of memory in
> > > the certificates loading, and I try to test ECDSA certificates and
> > > cipher.
> > >
> > > I can't done this :( I don't understand anything in the ECDSA
> > > certificate process.
> > >
> > > My test certificate is generated from a little chain where the root CA
> > > is autosigned. So the root CA and the 2 intermediate are RSA
> > > certificates. The ECDSA certificate is build with these commands:
> > >
> > >openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
> > >   $CN.ecdsa.key
> 
> 


I ran into this as well and it turns out that s_client and s_server do not seem 
to play nicely with curves when using -param_enc explicit and instead prefer to 
only deal with named curves.

Encode the key params using named curve that both sides can accept and your 
test should work.

Also, see 
https://groups.google.com/forum/#!topic/mailing.openssl.users/Rg6yV4ccWeo 


-Bryan

Re: ECDSA and HAProxy help

2016-10-11 Thread Igor Cicimov 
On 12 Oct 2016 8:45 am, "Igor Cicimov" 
wrote:
>
> On 11 Oct 2016 7:05 pm, "Thierry Fournier" 
wrote:
> >
> > Hi list,
> >
> > I'm currently trying to investigate about a little leak of memory in
> > the certificates loading, and I try to test ECDSA certificates and
> > cipher.
> >
> > I can't done this :( I don't understand anything in the ECDSA
> > certificate process.
> >
> > So, after many fails with HAProxy, I tried to validate the concept only
> > with openssl. I used openssl 1.0.2j.
> >
> > First I test classic RSA ciphers (I suppose that OpenSSL build its own
> > certificates ?):
> >
> >openssl s_server -accept 1 -cipher RSA
> >openssl s_client -connect 127.0.0.1:1 -cipher RSA
> >
> > That's run ! I tried with ECDSA. I ts exactily the same command but
> > with ECDSA ciphers.
> >
> >openssl s_server -accept 1 -cipher ECDSA
> >openssl s_client -connect 127.0.0.1:1 -cipher ECDSA
> >
>
> Try with more specific cipher like
>
> -cipher ECDHE-ECDSA-AES128-GCM-SHA256
>
> > That's no work. I read these error: "ssl3_get_client_hello:no shared
> > cipher". I don't understand because the server and the client are the
> > same binary, and I suppose that the cipher are obviously the same.
> >
> > I have exactly the same behaviour with haproxy (I wrote a temporary
> > path for having the detail of the handshake errors). If I load only a
> > ECDSA certificate, and I enable only the ECDSA ciphers.
> >
> > I run a tcpdump network capture, and I se that the client announce
> > the right list of ECDSA ciphers. In other way, the protocol used is TLS
> > 1.2.
> >
> >... ECDHE-ECDSA-AES128-SHA256 ... ECDHE-ECDSA-AES128-SHA ...
> >... and others ...
> >
> > My test certificate is generated from a little chain where the root CA
> > is autosigned. So the root CA and the 2 intermediate are RSA
> > certificates. The ECDSA certificate is build with these commands:
> >
> >openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
> >   $CN.ecdsa.key

Also try with different EC like:

openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1)
-keyout cert_ecdsa.key -out cert_ecdsa.crt -days 7200 -subj 'subject'

I remember I had issues with secp higher than 384r1 when was testing ecdsa
with tomcat9. See
https://icicimov.github.io/blog/server/Tomcat9-ECDSA-Certificates-and-HTTP2/,
maybe you can find something useful. Was using curl as client for testing
though.

> >openssl req -new -key $CN.ecdsa.key -out $CN.ecdsa.csr -subj \
> >   "$SUBJECT"
> >
> >openssl x509 -req -in $CN.ecdsa.csr -CA inter2.pem -CAkey \
> >   inter2.key -CAcreateserial -out $CN.ecdsa.cert -days 50 \
> >   -sha256
> >
> > Any ideas ?
> >
> > PS: I can't neither test the DSA, but in this case, the openssl
> > s_client fail before trying to connect :) This is another story.
> >
> > Thierry
> >
> >
> > --
> > Thierry Fournier
> > m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
> > w: http://www.ozon.io/| b: http://blog.ozon.io/
> >

Re: ECDSA and HAProxy help

2016-10-11 Thread Igor Cicimov 
On 11 Oct 2016 7:05 pm, "Thierry Fournier"  wrote:
>
> Hi list,
>
> I'm currently trying to investigate about a little leak of memory in
> the certificates loading, and I try to test ECDSA certificates and
> cipher.
>
> I can't done this :( I don't understand anything in the ECDSA
> certificate process.
>
> So, after many fails with HAProxy, I tried to validate the concept only
> with openssl. I used openssl 1.0.2j.
>
> First I test classic RSA ciphers (I suppose that OpenSSL build its own
> certificates ?):
>
>openssl s_server -accept 1 -cipher RSA
>openssl s_client -connect 127.0.0.1:1 -cipher RSA
>
> That's run ! I tried with ECDSA. I ts exactily the same command but
> with ECDSA ciphers.
>
>openssl s_server -accept 1 -cipher ECDSA
>openssl s_client -connect 127.0.0.1:1 -cipher ECDSA
>

Try with more specific cipher like

-cipher ECDHE-ECDSA-AES128-GCM-SHA256

> That's no work. I read these error: "ssl3_get_client_hello:no shared
> cipher". I don't understand because the server and the client are the
> same binary, and I suppose that the cipher are obviously the same.
>
> I have exactly the same behaviour with haproxy (I wrote a temporary
> path for having the detail of the handshake errors). If I load only a
> ECDSA certificate, and I enable only the ECDSA ciphers.
>
> I run a tcpdump network capture, and I se that the client announce
> the right list of ECDSA ciphers. In other way, the protocol used is TLS
> 1.2.
>
>... ECDHE-ECDSA-AES128-SHA256 ... ECDHE-ECDSA-AES128-SHA ...
>... and others ...
>
> My test certificate is generated from a little chain where the root CA
> is autosigned. So the root CA and the 2 intermediate are RSA
> certificates. The ECDSA certificate is build with these commands:
>
>openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
>   $CN.ecdsa.key
>
>openssl req -new -key $CN.ecdsa.key -out $CN.ecdsa.csr -subj \
>   "$SUBJECT"
>
>openssl x509 -req -in $CN.ecdsa.csr -CA inter2.pem -CAkey \
>   inter2.key -CAcreateserial -out $CN.ecdsa.cert -days 50 \
>   -sha256
>
> Any ideas ?
>
> PS: I can't neither test the DSA, but in this case, the openssl
> s_client fail before trying to connect :) This is another story.
>
> Thierry
>
>
> --
> Thierry Fournier
> m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
> w: http://www.ozon.io/| b: http://blog.ozon.io/
>

ECDSA and HAProxy help

2016-10-11 Thread Thierry Fournier 
Hi list,

I'm currently trying to investigate about a little leak of memory in
the certificates loading, and I try to test ECDSA certificates and
cipher.

I can't done this :( I don't understand anything in the ECDSA
certificate process.

So, after many fails with HAProxy, I tried to validate the concept only
with openssl. I used openssl 1.0.2j.

First I test classic RSA ciphers (I suppose that OpenSSL build its own
certificates ?):

   openssl s_server -accept 1 -cipher RSA
   openssl s_client -connect 127.0.0.1:1 -cipher RSA

That's run ! I tried with ECDSA. I ts exactily the same command but
with ECDSA ciphers.

   openssl s_server -accept 1 -cipher ECDSA
   openssl s_client -connect 127.0.0.1:1 -cipher ECDSA

That's no work. I read these error: "ssl3_get_client_hello:no shared
cipher". I don't understand because the server and the client are the
same binary, and I suppose that the cipher are obviously the same.

I have exactly the same behaviour with haproxy (I wrote a temporary
path for having the detail of the handshake errors). If I load only a
ECDSA certificate, and I enable only the ECDSA ciphers.

I run a tcpdump network capture, and I se that the client announce
the right list of ECDSA ciphers. In other way, the protocol used is TLS
1.2.

   ... ECDHE-ECDSA-AES128-SHA256 ... ECDHE-ECDSA-AES128-SHA ...
   ... and others ...

My test certificate is generated from a little chain where the root CA
is autosigned. So the root CA and the 2 intermediate are RSA
certificates. The ECDSA certificate is build with these commands:

   openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
  $CN.ecdsa.key

   openssl req -new -key $CN.ecdsa.key -out $CN.ecdsa.csr -subj \
  "$SUBJECT" 

   openssl x509 -req -in $CN.ecdsa.csr -CA inter2.pem -CAkey \
  inter2.key -CAcreateserial -out $CN.ecdsa.cert -days 50 \
  -sha256

Any ideas ?

PS: I can't neither test the DSA, but in this case, the openssl
s_client fail before trying to connect :) This is another story.

Thierry


-- 
Thierry Fournier
m: +33 6 68 69 21 85  | e: thierry.fourn...@ozon.io
w: http://www.ozon.io/| b: http://blog.ozon.io/