
ECC Certificate (ECDSA) fails in built-in web-server #353

Closed
jakepez opened this Issue Mar 20, 2017 · 4 comments


jakepez commented Mar 20, 2017

Using a Let's Encrypt ECC cert for TLS fails. The NZBGet server process listens on the TLS port, but browsers show an ERR_SSL_VERSION_OR_CIPHER_MISMATCH error when negotiating the connection.

Openssl doesn't ever see the server certificate in the negotiation:

CONNECTED(00000003)
140736822842376:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1489980450
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
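The transcript above shows the server aborting with a handshake_failure alert before any certificate is sent, which is what a server that cannot use its configured key type for any cipher suite looks like from the client. As an added diagnostic example (not code from the issue or from NZBGet), the following reads such an `openssl s_client` transcript and classifies it, and can re-run the probe with the cipher list restricted to one authentication family so that a failing ECDSA-only run next to a working default or RSA run points at the server's certificate handling rather than the port or the certificate chain. It assumes `openssl` is on PATH; the sample transcript is constructed from the report above.

```python
import re
import subprocess

# Constructed sample: the abbreviated s_client transcript quoted in the report.
SAMPLE_TRANSCRIPT = """CONNECTED(00000003)
140736822842376:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Verify return code: 0 (ok)
"""


def classify_handshake(transcript: str) -> dict:
    """Extract the three facts that matter for this failure mode: did the server
    abort with a handshake_failure alert, did it ever send a certificate, and
    which cipher (if any) was agreed."""
    cipher = re.search(r"^New, .*, Cipher is (.+)$", transcript, re.M)
    return {
        "alert_handshake_failure": "alert handshake failure" in transcript,
        # A completed handshake prints a "Server certificate" block with a subject line.
        "peer_certificate_seen": bool(re.search(r"^(Server certificate|subject=)", transcript, re.M)),
        "cipher": cipher.group(1).strip() if cipher else None,
    }


def diagnose(transcript: str) -> str:
    facts = classify_handshake(transcript)
    if facts["alert_handshake_failure"] and not facts["peer_certificate_seen"] \
            and facts["cipher"] in (None, "(NONE)"):
        return "server aborted before sending a certificate: no usable cipher suite for its key"
    if facts["peer_certificate_seen"]:
        return "handshake completed with cipher %s" % facts["cipher"]
    return "inconclusive"


def probe(host: str, port: int, cipher_list: str = "DEFAULT") -> str:
    """Run s_client with the given OpenSSL cipher string (e.g. 'aECDSA' or 'aRSA')
    and classify the result. Requires network access and openssl on PATH."""
    proc = subprocess.run(["openssl", "s_client", "-connect", "%s:%d" % (host, port),
                           "-cipher", cipher_list], input="", capture_output=True,
                          text=True, timeout=15)
    return diagnose(proc.stdout + proc.stderr)
```

Comparing `probe(host, port, "aECDSA")` with `probe(host, port)` against a server loaded with an EC certificate isolates the symptom: both fail while an RSA-certificate deployment of the same server passes.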
Member

hugbug commented Mar 20, 2017

Are you sure you are connecting to correct port?

Can you please verify that when you use a self-signed certificate from http://www.selfsignedcertificate.com/ it works? This is to ensure the problem occurs only with let's encrypt certificates and is not a general one.

Once verified I would need a certificate to test with. Can you provide me with one? That would be a great help.

More info about your system may help too:

  • your OS?
  • how NZBGet was installed: using official installer from nzbget web-site, self-compiled, from other repository?

jakepez commented Mar 20, 2017

Yes, port is correct.

Platform: QNap - installed first from QNap package, since upgraded using the upgrade option within nzbget to the current beta build.

The issue actually only occurs when using an ECC cert from Let's Encrypt. RSA certificates (just like self-signed) work fine. You can create certs directly from Let's Encrypt using a client like acme.sh to test with.
https://github.com/Neilpang/acme.sh

RSA cert (requires port 80 open): acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
ECC cert (requires port 80 open): acme.sh --issue -w /home/wwwroot/example.com -d example.com --keylength ec-256

I wasn't able to figure out how to enable debugging to see if anything is thrown on the server side error wise. If you can share how to enable, I can collect that information as well to trace what might be failing on the listener.


Member

hugbug commented Mar 20, 2017

If you can send me a test certificate to nzbget@gmail.com that would speed up my test significantly. Thanks.

@hugbug hugbug changed the title from Let's Encrypt ECC Certificate (ECDSA) fails to ECC Certificate (ECDSA) fails in built-in web-server Mar 21, 2017

@hugbug hugbug added the improvement label Mar 21, 2017

@hugbug hugbug added this to the v19 milestone Mar 21, 2017


jakepez commented Mar 22, 2017

Fixed in testing r1928.
