ssl3_get_server_certificate:wrong certificate type (gost https server)

[denizzzka]

Setup:

$ cat /etc/ssl/openssl.cnf
[...]
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

openssl_conf = openssl_def

[ new_oids ]

[..]

[openssl_def]
engines = engine_section

[engine_section]
gost = gost_section

[gost_section]
engine_id = gost
#soft_load=1
default_algorithms = ALL
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
/EOF

Checking:

$ curl -v https://zakupki.gov.ru/pgz/services/upload
* Hostname was NOT found in DNS cache
*   Trying 194.105.148.87...
* Connected to zakupki.gov.ru (194.105.148.87) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS Unknown, Unknown (22):
* SSLv3, TLS handshake, Client hello (1):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, Server hello (2):
* SSLv2, Unknown (22):
* SSLv3, TLS handshake, CERT (11):
* SSLv2, Unknown (21):
* SSLv3, TLS alert, Server hello (2):
* error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm
* Closing connection 0
* SSLv2, Unknown (21):
* SSLv3, TLS alert, Client hello (1):
curl: (35) error:0609E09C:digital envelope routines:PKEY_SET_TYPE:unsupported algorithm

$ curl --version
curl 7.38.0 (x86_64-pc-linux-gnu) libcurl/7.38.0 OpenSSL/1.0.2d zlib/1.2.8 libidn/1.29 libssh2/1.4.3 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API SPNEGO NTLM NTLM_WB SSL libz TLS-SRP 

$ openssl ciphers|tr ':' '\n'|grep GOST
GOST2001-GOST89-GOST89
GOST94-GOST89-GOST89

[iboukris]

Perhaps try to specfy the ciphers in CLI (see man).

[denizzzka]

cURL was updated:

$ curl --version
curl 7.44.0 (x86_64-pc-linux-gnu) libcurl/7.44.0 GnuTLS/3.3.17 zlib/1.2.8 libidn/1.29 libssh2/1.4.3 nghttp2/1.3.2 librtmp/2.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets 

when:

$ curl -v --engine gost --ciphers GOST2001-GOST89-GOST89 https://zakupki.gov.ru/pgz/services/upload
curl: (4) A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.

Hmmm

$ curl --engine list
Build-time engines:
  <none>

$ openssl engine
(dynamic) Dynamic engine loading support
(gost) Reference implementation of GOST engine

$ openssl s_client -connect zakupki.gov.ru:443
[...]
SSL-Session:
    Protocol  : TLSv1
    Cipher    : GOST2001-GOST89-GOST89
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 516E6E94EF26EA04FCB94F648D6063D6261753E785D6D7B617ADBE93A34B68015CF66691BF88D5CC3E0298C84A05FD7B
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1442856403
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

[denizzzka]

curl: (4) A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.

[denizzzka]

Sorry, it is me again

On latest version of a cURL I am catched error:
SSL routines:ssl3_get_server_certificate:wrong certificate type

$ ./src/curl -v -k --engine gost https://zakupki.gov.ru/pgz/services/upload
* set default crypto engine 'gost'
* STATE: INIT => CONNECT handle 0x743028; line 1090 (connection #-5000) 
* Added connection 0. The cache now contains 1 members
*   Trying 194.105.148.87...
* STATE: CONNECT => WAITCONNECT handle 0x743028; line 1143 (connection #0) 
* Connected to zakupki.gov.ru (194.105.148.87) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x743028; line 1240 (connection #0) 
* Marked for [keep alive]: HTTP default
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x743028; line 1254 (connection #0) 
* TLSv1.0 (IN), TLS handshake, Server hello (2):
* TLSv1.0 (IN), TLS handshake, Certificate (11):
* TLSv1.0 (OUT), TLS alert, Server hello (2):
* error:1409017F:SSL routines:ssl3_get_server_certificate:wrong certificate type
* Marked for [closure]: Failed HTTPS connection
* Curl_done
* Closing connection 0
* The cache now contains 0 members
* TLSv1.0 (OUT), TLS alert, Client hello (1):
* Expire cleared
curl: (35) error:1409017F:SSL routines:ssl3_get_server_certificate:wrong certificate type

But server certificate looks ok (for me)

[denizzzka]

Additional info about server cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 958144 (0xe9ec0)
    Signature Algorithm: GOST R 34.11-94 with GOST R 34.10-2001
[...]
        Subject Public Key Info:
            Public Key Algorithm: GOST R 34.10-2001
[...]
                Parameter set: id-GostR3410-2001-CryptoPro-XchA-ParamSet

Latest string is differs from openssl config string:

$ cat /etc/ssl/openssl.cnf |grep CRYPT_PARAMS
CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet

It is important in this case?

[denizzzka]

but with CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet openssl connection works fine:

$ openssl s_client -connect zakupki.gov.ru:443

[denizzzka]

Tried to use libcurl with same result (dlang code):

import std.net.curl;
import std.stdio;

void main()
{
    auto r = HTTP("zakupki");
    r.handle.set(etc.c.curl.CurlOption.sslengine, "gost");
    r.handle.set(etc.c.curl.CurlOption.verbose, 1);
    r.verifyPeer = false;
    r.verifyHost = false;

    string content = std.net.curl.post("https://zakupki.gov.ru/pgz/services/upload", "asd", r).idup; 

    writeln(content);
}

$ dub run
Performing "debug" build using dmd for x86_64.
zkp ~master: building configuration "production"...
Linking...
Running ./zkp 
*   Trying 194.105.148.87...
* Connected to zakupki.gov.ru (194.105.148.87) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* error:1409017F:SSL routines:ssl3_get_server_certificate:wrong certificate type
* Closing connection 0
std.net.curl.CurlException@std/net/curl.d(3705): SSL connect error on handle 1D090F0
----------------

[bagder]

To me it sounds like you need to use the openssl engine 'gost' and then you should be able to specify that as a cipher.

[denizzzka]

To me it sounds like you need to use the openssl engine 'gost'

already use it

and then you should be able to specify that as a cipher.

cipher detected by openssl automatically, probably

"SSL routines:ssl3_get_server_certificate:wrong certificate type" is error from openssl library. But in openssl CLI request works fine.