Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ERL-368: How to use ecdh self-signed cert in R19.2 ssl app #3450

Closed
OTP-Maintainer opened this issue Feb 27, 2017 · 8 comments
Closed

ERL-368: How to use ecdh self-signed cert in R19.2 ssl app #3450

OTP-Maintainer opened this issue Feb 27, 2017 · 8 comments
Labels
not a bug Issue is determined as not a bug by OTP priority:medium

Comments

@OTP-Maintainer
Copy link

Original reporter: botanyzh
Affected version: OTP-19.2
Component: ssl
Migrated from: https://bugs.erlang.org/browse/ERL-368

Hi !  
With so many search In vain,
I  can’t find the  actual  example  through google  , and  I failed again and again  with many procedures

*First  to  generate key  csr and crts*

*Root CA some like below*
{code}openssl genrsa -out CA.key.pem 2048
openssl req -x509 -new -nodes -key ca.key.pem -days 365 -out ca.cert.pem


openssl genpkey -genparam -algorithm EC -out ecdh.pem \
                                        -pkeyopt ec_paramgen_curve:brainpoolP512r1

openssl req   -nodes  -new -newkey ec:ecdh.pem   -keyout  1ecdh.key.pem -out 1ecdh.csr.pem{code}


*sign*

{code}openssl ca -in 1ecdh.csr.pem  -out 1ecdh.crt.pem -config $CONF_FILE{code}


and  finally  I  get  8 files   for 2 nodes to  connect each other
ca.cert.pem
ecdh.pem
1ecdh.key.pem
1ecdh.csr.pem
1ecdh.crt.pem
2ecdh.key.pem
2ecdh.csr.pem
2ecdh.crt.pem

*baseOptions  from  app  gen_rpc*
{code:erlang}-define(SSL_DEFAULT_COMMON_OPTS, [binary,
        {packet,0},
        {header,0},
        {exit_on_close,true},
        {nodelay,true}, % Send our requests immediately
        {send_timeout_close,true}, % When the socket times out, close the connection
        {delay_send,false}, % Scheduler should favor timely delivery
        {linger,{true,2}}, % Allow the socket to flush outgoing data for 2" before closing it - useful for casts
        {reuseaddr,true}, % Reuse local port numbers
        {keepalive,true}, % Keep our channel open
        {tos,72}, % Deliver immediately
        {active,false},
        %% SSL options
        {ciphers,["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
                  "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384","ECDHE-ECDSA-DES-CBC3-SHA",
                  "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
                  "ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
                  "AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
                  "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
                  "ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
                  "ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
                  "AES128-SHA256","ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
                  "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
                  "ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"]},
        {secure_renegotiate,true},
        {reuse_sessions,true},
        {versions,['tlsv1.2','tlsv1.1']},
        {verify,verify_peer},
        {hibernate_after,600000},
        {active,false}]).

-define(SSL_DEFAULT_SERVER_OPTS, [{fail_if_no_peer_cert,true},
        {log_alert,false},
        {honor_cipher_order,true},
        {client_renegotiation,true}]).

-define(SSL_DEFAULT_CLIENT_OPTS, [{server_name_indication,disable},
        {depth,99}]).{code}


And  extra options 
            {code:erlang}ssl_client_options: [
            certfile: certfile,
            keyfile: keyfile,
            cacertfile: './priv/ssl/ca.cert.pem',
            eccs: [:brainpoolP512r1]
          
            ],
        ssl_server_options: [
            certfile: certfile,
            keyfile: keyfile,
            cacertfile: './priv/ssl/ca.cert.pem',
            eccs: [:brainpoolP512r1]
        
        ],{code}

The two node are both in one centos system 
And   when I try to ssl:connect/4 , i  get such  error  below:

{code}“ tls_connection.erl:704:Fatal error: handshake failure - malformed_handshake_data”;

{tls_alert,"handshake failure"};{code}

And   when I try to  openssl s_client with error  below:
{code}openssl s_client -connect 192.168.212.173:5370  -cert 2.crt.pem -key 2.key.pem   -CAfile ca.cert.pem -cipher ECDH-RSA-AES256-GCM-SHA384  -debug
CONNECTED(00000003)
depth=1 C = CN, ST = cq, L = cq, O = s, OU = p, CN = botanyzh, emailAddress = botanyzh@live.cn
verify return:1
depth=0 C = US, ST = Uniden, L = 00abcdef1234, O = sprt, OU = potato, CN = rpslc_1@192.168.212.173, emailAddress = botanyzh@live.cn
verify return:1
140467656820416:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140467656820416:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

With extra  “-debug”
write to 0x159aa30 [0x15acb00] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=32{code}


Please help me

*about the  source*
the ecdh cert seems is not usable for otp's ssl
when i debuged i found that the ssl_connection:handle_peer_cert_key/5 call to public_key :generate_key/1 can never match

the public_key's interface is
{code:erlang}generate_key(#'DHParameter'{prime = P, base = G}) ->
crypto:generate_key(dh, [P, G]);
generate_key({namedCurve, _} = Params) ->
ec_generate_key(Params);
generate_key(#'ECParameters'{} = Params) ->
ec_generate_key(Params).{code}

but the arg called is {ecParameters, 'ECParameters'{} = Params}
@OTP-Maintainer
Copy link
Author

lukas said:

Hello,

bugs.erlang.org is not the correct place to ask questions about how to work with Erlang/OTP. Please direct you question to the erlang-questions mailing-list instead, where your question will get more attention from people that know how to work with the erlang ssl stack.

http://erlang.org/mailman/listinfo/erlang-questions

Lukas

@OTP-Maintainer
Copy link
Author

botanyzh said:

last week  i had send the  email  but no reponse at all:(

@OTP-Maintainer
Copy link
Author

lukas said:

I can't find any mail related to this in the archives, are you sure that it arrived?

@OTP-Maintainer
Copy link
Author

botanyzh said:

i  send it  throuth  MS's  outlook email

@OTP-Maintainer
Copy link
Author

lukas said:

I don't know what may be wrong, but the e-mail did not arrive. Please contact the  mailman@erlang.org (as mentioned here: http://erlang.org/mailman/listinfo/) to figure out what went wrong.

@OTP-Maintainer
Copy link
Author

botanyzh said:

thanks i am going to find out  what's wrong

@OTP-Maintainer
Copy link
Author

botanyzh said:

i found the problem 
i had ever Unsubscribing from erlang-questions mail list

now  i can receive  the "erlang-questions awaits moderator approval"  email

@OTP-Maintainer
Copy link
Author

botanyzh said:

Even i  succussfully  send the problem email  ,still  got  no one responsed to it

@OTP-Maintainer OTP-Maintainer added not a bug Issue is determined as not a bug by OTP priority:medium labels Feb 10, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
not a bug Issue is determined as not a bug by OTP priority:medium
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@OTP-Maintainer