Thanks for the comment Johnny. It's a good idea to install wireshark. I'll
do that and run some tests. Changing the "honorCipherOrder" parameter had
no effect.
-Eugene
On Thursday, April 21, 2016 at 9:46:24 PM UTC-7, johnny somethingerman
wrote:
>
> I'm not an SSL expert, and probably only a few people on this list are,
> but my hunch is you are doing something wrong with your config and the
> "honorCipherOrder: true" property of your opetions objet is causing it to
> show up in node.js when it didn't in openssl s_server.
>
> That hex blob the client dumped probably has the answer in it, but
> wireshark can make it easy to see what ciphers the client actually
> presents, and I suspect there is a surprise in there that either doesn't
> require auth when you use the RSA client. Because I don't expect that you
> can do RSA authentication with an EC certificate.
>
> The cipher suite you might want to try is:
>
> ECDHE-ECDSA-RC4-SHA
>
> Cheers,
> -johnny
>
> On Thursday, April 21, 2016 at 2:01:41 PM UTC-7, Eugene Williams wrote:
>>
>> I've been struggling with this for a few days.
>>
>> We've obtained an ECC certificate using the following openssl routines:
>>
>> openssl ecparam -genkey -name secp521r1 | openssl ec -out ec.key
>> openssl req -new -key ec.key -out ec.csr
>>
>>
>> Upon receiving the certs, we used the following routine to generate the
>> Diffie Hellman (DH) parameters for the keyfile:
>>
>> openssl dhparam -rand - 1024 >> ec.key
>>
>>
>> When complete, we confirmed that the certificate could be used with
>> openssl:
>>
>> openssl s_server -accept 8443 -cert ssl/ec.pem -key ssl/ec.key -CAfile
>> ssl/ec_chain.pem
>>
>> and
>>
>> openssl s_client -tls1 -connect hostname:8443 -cipher
>> 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH' -msg
>>
>> This works flawlessly.
>>
>> When attempting to use the same certs on the same server with nodejs,
>> there's no joy.
>>
>> Here's the general config:
>>
>> var options = {
>> cert: fs.readFileSync('ssl/ec.pem'),
>> key: fs.readFileSync('ssl/ec.key'),
>> ca: fs.readFileSync('ssl/ec_chain.pem'),
>> ciphers: 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH',
>> ecdhCurve: 'secp521r1',
>> honorCipherOrder: true
>> };
>>
>>
>> tls.createServer(options, function() {
>> }).listen(common.PORT, function() {
>> console.log('Server started on port: ' + common.PORT);
>> }).on('clientError', function(err){
>> console.log('A failed client connection attempt occurred.');
>> console.error(err);
>> console.log();
>> });
>>
>> I start the server with the following:
>>
>> sudo NODE_DEBUG=tls,fs,net,crypto node test-server-2.js
>>
>>
>> NET: 21217 listen2 0.0.0.0 8443 4 false
>> NET: 21217 _listen2: create a handle
>> NET: 21217 bind to 0.0.0.0
>> Server started on port: 8443
>>
>> but when trying to connect to this server using openssl, I'm seeing the
>> following in the server logs:
>>
>> s_client -tls1 -connect hostname:8443 -cipher
>> 'ECDHE-RSA-RC4-SHA:RC4:HIGH:!MD5:!aNULL:!EDH' -msg
>>
>> NET: 21217 onconnection
>> NET: 21217 _read
>> NET: 21217 Socket._read readStart
>> TLS: encrypted.read called with 16384 bytes
>> TLS: encrypted.read succeed with 0 bytes
>> TLS: onhandshakestart
>> TLS: encrypted.read called with 16384 bytes
>> TLS: encrypted.read succeed with 0 bytes
>> NET: 21217 onread undefined 0 115 115
>> NET: 21217 got data
>> NET: 21217 _read
>> TLS: encrypted.write called with 115 bytes
>> TLS: cleartext.read called with 16384 bytes
>> TLS: SecurePair.destroy
>> TLS: cleartext.destroy
>> TLS: encrypted.destroy
>> A failed client connection attempt occurred.
>> [Error: 140230049531904:error:1408A10B:SSL
>> routines:SSL3_GET_CLIENT_HELLO:wrong version number:s3_srvr.c:993:]
>> ...
>>
>> and this in the client:
>>
>> CONNECTED(00000003)
>> >>> ??? [length 0005]
>> 16 03 01 00 a1
>> >>> TLS 1.0 Handshake [length 00a1], ClientHello
>> 01 00 00 9d 03 01 59 bd 15 7a 3a 4b fe fc b2 41
>> 36 9b cd ca 38 7f 5f af de 36 53 1d ec a4 02 d2
>> 9e a2 8e 6a 10 3f 00 00 42 c0 11 c0 07 c0 0c c0
>> 02 00 05 c0 14 c0 0a 00 37 00 36 00 86 00 85 c0
>> 0f c0 05 00 35 00 84 c0 13 c0 09 00 31 00 30 00
>> 43 00 42 c0 0e c0 04 00 2f 00 41 c0 12 c0 08 00
>> 10 00 0d c0 0d c0 03 00 0a 00 ff 02 01 00 00 31
>> 00 0b 00 04 03 00 01 02 00 0a 00 1c 00 1a 00 17
>> 00 19 00 1c 00 1b 00 18 00 1a 00 16 00 0e 00 0d
>> 00 0b 00 0c 00 09 00 0a 00 23 00 00 00 0f 00 01
>> 01
>> 140735256072272:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl
>> handshake failure:s3_pkt.c:656:
>> ---
>> no peer certificate available
>> ---
>> No client certificate CA names sent
>> ---
>> SSL handshake has read 0 bytes and written 0 bytes
>> ---
>> New, (NONE), Cipher is (NONE)
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>> Protocol : TLSv1
>> Cipher : 0000
>> ...
>>
>> and the connection is never made.
>>
>> Can anyone provide guidance with this?
>>
>
--
Job board: http://jobs.nodejs.org/
New group rules:
https://gist.github.com/othiym23/9886289#file-moderation-policy-md
Old group rules:
https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
---
You received this message because you are subscribed to the Google Groups
"nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/nodejs/3fd847a2-69c6-4472-b318-395dc794ec4f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
