search

airdcpp-web / airdcpp-webclient

Communal peer-to-peer file sharing application for file servers/NAS devices
https://airdcpp-web.github.io
171 stars 31 forks source link

Error when using EC certificate #380

Closed hnnweb closed 3 years ago

hnnweb commented 3 years ago

Current UI and client versions:

Application version: AirDC++w 2.11.0 x86_64
Web UI version: 2.11.0
Web UI build date: January 8, 2021 3:30 PM
API version: 1
API feature level: 7
Started: 6 minutes ago

Operating system:

Alpine Linux v3.12.1

Steps to reproduce the issue:

Optain an ECDSA from LetsEncrypt ( Standard from now on ). Put the files in place Restart AirDC++ Goto the page on HTTPS ( port 5601 )

HTTP ( port 5600 ) works fine.

Screenshots

In Firefox: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

In Edge ( The new one ) airdc.xxx.xxx uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH Unsupported protocol The client and server don't support a common SSL protocol version or cipher suite.

image

Following errors appear in console:

[2021-01-09 13:23:39] [error] handle_transport_init received error: TLS handshake failed
[2021-01-09 13:23:39] [fail] WebSocket Connection [::ffff:192.168.xxx.xxx]:63211 - "" - 0 websocketpp.transport.asio.socket:8 TLS handshake failed
[2021-01-09 13:23:39] [info] asio async_shutdown error: asio.ssl:336462231 (shutdown while in init)
[2021-01-09 13:23:39] [error] handle_transport_init received error: TLS handshake failed
[2021-01-09 13:23:39] [fail] WebSocket Connection [::ffff:192.168.xxx.xxx]:63214 - "" - 0 websocketpp.transport.asio.socket:8 TLS handshake failed
[2021-01-09 13:23:39] [info] asio async_shutdown error: asio.ssl:336462231 (shutdown while in init)
[2021-01-09 13:23:40] [error] handle_transport_init received error: TLS handshake failed
[2021-01-09 13:23:40] [fail] WebSocket Connection [::ffff:192.168.xxx.xxx]:63217 - "" - 0 websocketpp.transport.asio.socket:8 TLS handshake failed
[2021-01-09 13:23:40] [info] asio async_shutdown error: asio.ssl:336462231 (shutdown while in init)
[2021-01-09 13:23:40] [error] handle_transport_init received error: TLS handshake failed
[2021-01-09 13:23:40] [fail] WebSocket Connection [::ffff:192.168.xxx.xxx]:63218 - "" - 0 websocketpp.transport.asio.socket:8 TLS handshake failed
[2021-01-09 13:23:40] [info] asio async_shutdown error: asio.ssl:336462231 (shutdown while in init)
[2021-01-09 13:23:40] [error] handle_transport_init received error: TLS handshake failed
[2021-01-09 13:23:40] [fail] WebSocket Connection [::ffff:192.168.xxx.xxx]:63219 - "" - 0 websocketpp.transport.asio.socket:8 TLS handshake failed
[2021-01-09 13:23:40] [info] asio async_shutdown error: asio.ssl:336462231 (shutdown while in init)
[2021-01-09 13:23:40] [error] handle_transport_init received error: TLS handshake failed
[2021-01-09 13:23:40] [fail] WebSocket Connection [::ffff:192.168.xxx.xxx]:63220 - "" - 0 websocketpp.transport.asio.socket:8 TLS handshake failed
[2021-01-09 13:23:40] [info] asio async_shutdown error: asio.ssl:336462231 (shutdown while in init)
hnnweb commented 3 years ago

Tested this with nginx.

Seems like:

Enable support for TLSv1.2 And add the following ciphers:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

And it should work

maksis commented 3 years ago

Why do you specifically want to use TLS 1.2 instead of TLS 1.3? I'd rather use a cert that works with TLS 1.3.

hnnweb commented 3 years ago

Just copied from an nginx guide. 1.3 should work

maksis commented 3 years ago

The ciphers that you posted are only for TLS 1.2, so those should make no difference with TLS 1.3. The application currently uses the following ciphers for TLS 1.3: TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384. Do you know the cipher that you need for it?

hnnweb commented 3 years ago

It is LetsEncrypt certificate. They started issuing ECDSA certificate from 1/1.

hnnweb commented 3 years ago

Firefox shows me this for my nginx

image

And i gave it this ciphers:

TLS v1.3

TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_AES_128_CCM_8_SHA256, TLS_AES_128_CCM_SHA256

( Taken from https://curl.se/docs/ssl-ciphers.html )

WebServer.config:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<WebServer>
        <Config>
                <Server/>
                <TLSServer Certificate="ssl/fullchain.pem" CertificateKey="ssl/privkey.pem"/>
                <ExtensionsDebugMode>1</ExtensionsDebugMode>
        </Config>
...
</WebServer>

ssl/fullchain.pem:

-----BEGIN CERTIFICATE-----
MIIEajCCA1KgAwIBAgISA9i+Od6XP+wPpnNLV+pHwYLLMA0GCSqGSIb3DQEBCwUA
...
XMtsAdgXSk2HUe4aUrLdHyoYxYRxCrbZDxPrRoOM
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
...
UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
-----END CERTIFICATE-----

ssl/privkey.pem:

-----BEGIN EC PARAMETERS-----
--redacted--
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIGkAgE...
...iFP9Z8=
-----END EC PRIVATE KEY-----
hnnweb commented 3 years ago

@maksis Fixed it.

Permissions error. The user that runs airdcppd didn't have permissions to read the certificate files. chmod 640 on the directory that held ssl files. didn't have the executing bit to go into directory. chmod 550 fixed it.

Maybe write in output that files couldn't be read?