No shared cipher #6534

Closed
MrSorcus opened this issue Aug 13, 2018 · 3 comments

@MrSorcus
Contributor

Description

Doesn't work with ECC certificate (works with RSA).

Listening on example.com:443
Unhandled exception in spawn:
SSL_accept: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher (OpenSSL::SSL::Error)
  from /usr/lib/crystal/openssl/ssl/socket.cr:56:9 in 'initialize'
  from /usr/lib/crystal/openssl/ssl/socket.cr:50:5 in 'new:sync_close'
  from /usr/lib/crystal/http/server.cr:275:5 in 'handle_client'
  from /usr/lib/crystal/http/server.cr:244:11 in '->'
  from /usr/lib/crystal/fiber.cr:255:3 in 'run'
  from /usr/lib/crystal/fiber.cr:29:34 in '->'
  from ???

Steps to Reproduce

  1. Create Let's Encrypt certificate (acme.sh tool)
acme --issue --ecc --keylength ec-384 --ocsp --dns dns_knot -d example.com -d \*.example.com
  2. Write HTTP server
require "http/server"

tls = OpenSSL::SSL::Context::Server.new
tls.private_key = "private.key"
tls.certificate_chain = "fullchain.crt"

server = HTTP::Server.new do |context|
	context.response.content_type = "text/plain"
	context.response.print "Hello world!"
end

server.bind_tcp 443

server.tls = tls

puts "Listening on example.com:443"
server.listen
  3. Compile & run it
sh-4.4# crystal build ./demo.cr && ./demo
  4. Try to connect to server
sh-4.4# openssl s_client -connect example.com:443

Expected behavior: Get correct TLS session.

Actual behavior:

CONNECTED(00000003)
139799504929280:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1407:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1534157894
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Reproduces how often: Every time

Versions

sh-4.4# crystal --version
Crystal 0.25.1 (2018-06-29)

LLVM: 6.0.0
Default target: x86_64-pc-linux-gnu
sh-4.4# openssl version
OpenSSL 1.1.0h  27 Mar 2018
sh-4.4# uname -a
Linux archlinux 4.14.59 #1-NixOS SMP Sat Jul 28 05:55:45 UTC 2018 x86_64 GNU/Linux

@miketheman
Contributor

#codetriage

$ crystal --version
Crystal 0.26.1 (2018-08-27)

LLVM: 6.0.1
Default target: x86_64-apple-macosx

On version 0.26.1, the repro provides this error:

Error in demo.cr:14: undefined method 'tls=' for HTTP::Server

server.tls = tls
       ^~~

A quick rewrite to conform to 0.26.0 (see #5960 and #6533) is:

require "http/server"

tls = OpenSSL::SSL::Context::Server.new
tls.private_key = "private.key"
tls.certificate_chain = "fullchain.crt"

server = HTTP::Server.new do |context|
	context.response.content_type = "text/plain"
	context.response.print "Hello world!"
end

server.bind_tls "127.0.0.1", 443, tls

puts "Listening on example.com:443"
server.listen

And the subsequent verification:

$ openssl s_client -connect 127.0.0.1:443
CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
....

So it appears to be resolved. @MrSorcus I'd recommend testing in your environment with the latest release to confirm, and recommend closure.

@straight-shoota
Member

The server doesn't crash anymore when it can't complete a TLS handshake (that's #6577).

But the real solution should establish a TLS session with ECC cert.

@MrSorcus
Contributor Author

MrSorcus commented Sep 6, 2018

Looks like that works with 0.26.1

CONNECTED(00000003)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=inwebse.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=inwebse.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3074 bytes and written 294 bytes
Verification error: unable to get local issuer certificate
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 384 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    Session-ID: 990251EAA6D7B518C777F9EB5E84A059A05A0B60003979572511A8F9092BBE03
    Session-ID-ctx: 
    Master-Key: F71FA7CEA6546DD429C456E848DC9E73C71C6D2EC7619D8E559A0D0286C0B60AEB87BB22FC52ABF208C1B436A6702CC0
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 7200 (seconds)
    TLS session ticket:

    Start Time: 1536228029
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
    Extended master secret: yes
---

@RX14 RX14 closed this as completed Sep 7, 2018
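
The two `openssl s_client` outputs in this thread differ in the lines a deployment check should look at: the `New, ..., Cipher is ...` summary and the alert number. The following is an added example, not code from the thread or from the Crystal project, that classifies such output and verifies that an ECDSA-authenticated suite was negotiated. The function names are hypothetical, the sample inputs are constructed by abridging the outputs above, and TLS 1.2 suite naming is assumed.

```sh
# Added example: classify `openssl s_client` output read from stdin. Prints
# "FAIL alert=<n>" or "OK <protocol> <cipher> auth=<ECDSA|RSA|unspecified>".
classify_handshake() {
    awk '
        # Summary line: "New, <protocol>, Cipher is <cipher>"
        /^New, / { proto = $2; sub(/,$/, "", proto); cipher = $NF }
        # Fatal alert as reported by the client, e.g. "SSL alert number 40"
        /SSL alert number/ { alert = $NF }
        END {
            if (cipher == "" || cipher == "(NONE)") {
                if (alert == "") alert = "unknown"
                print "FAIL alert=" alert
            } else {
                # Suite names that spell out neither algorithm (TLS 1.3
                # suites, for instance) are reported as unspecified.
                auth = "unspecified"
                if (cipher ~ /ECDSA/) auth = "ECDSA"
                else if (cipher ~ /RSA/) auth = "RSA"
                print "OK " proto " " cipher " auth=" auth
            }
        }'
}

# Succeeds only when an ECDSA-authenticated suite was negotiated, which is
# what a TLS 1.2 server holding only an ECC certificate has to offer.
require_ecdsa() {
    result=$(classify_handshake)
    echo "$result"
    case "$result" in
        OK*auth=ECDSA) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples, abridged from the two outputs in the thread.
sample_failed() {
    printf '%s\n' 'CONNECTED(00000003)' \
        '139799504929280:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1407:SSL alert number 40' \
        'New, (NONE), Cipher is (NONE)'
}
sample_ok() {
    printf '%s\n' 'CONNECTED(00000003)' \
        'New, TLSv1.2, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305' \
        'Server public key is 384 bit'
}

sample_failed | classify_handshake   # FAIL alert=40
sample_ok | classify_handshake       # OK TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305 auth=ECDSA
```

Against a live server, pipe `openssl s_client -connect HOST:443 </dev/null 2>&1` into `require_ecdsa`; the `2>&1` matters because the alert line is written to stderr.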