Closed (hnnweb closed this 3 years ago)
Tested this with nginx.
Seems like: enable support for TLSv1.2 and add the following ciphers:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
and it should work.
Why do you specifically want to use TLS 1.2 instead of TLS 1.3? I'd rather use a cert that works with TLS 1.3.
Just copied from an nginx guide. 1.3 should work.
The ciphers that you posted are only for TLS 1.2, so those should make no difference with TLS 1.3. The application currently uses the following ciphers for TLS 1.3: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384. Do you know the cipher that you need for it?
It is a Let's Encrypt certificate. They started issuing ECDSA certificates from 1/1.
Firefox shows me this for my nginx.
And I gave it these ciphers:
TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_AES_128_CCM_8_SHA256, TLS_AES_128_CCM_SHA256
(Taken from https://curl.se/docs/ssl-ciphers.html)
WebServer.config:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<WebServer>
<Config>
<Server/>
<TLSServer Certificate="ssl/fullchain.pem" CertificateKey="ssl/privkey.pem"/>
<ExtensionsDebugMode>1</ExtensionsDebugMode>
</Config>
...
</WebServer>
ssl/fullchain.pem:
-----BEGIN CERTIFICATE-----
MIIEajCCA1KgAwIBAgISA9i+Od6XP+wPpnNLV+pHwYLLMA0GCSqGSIb3DQEBCwUA
...
XMtsAdgXSk2HUe4aUrLdHyoYxYRxCrbZDxPrRoOM
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
...
UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
-----END CERTIFICATE-----
ssl/privkey.pem:
-----BEGIN EC PARAMETERS-----
--redacted--
-----END EC PARAMETERS-----
-----BEGIN EC PRIVATE KEY-----
MIGkAgE...
...iFP9Z8=
-----END EC PRIVATE KEY-----
@maksis Fixed it.
Permissions error. The user that runs airdcppd didn't have permission to read the certificate files. The directory that held the ssl files was chmod 640; it didn't have the execute bit needed to go into the directory. chmod 550 fixed it.
Maybe write in the output that the files couldn't be read?
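As an added example (not AirDC++ code), a Python pre-flight check of the kind the comment above asks for: it walks every path component of the certificate file with the service account's uid and group ids, evaluating the raw mode bits rather than os.access(), and reports the first component that blocks access, so a 640 directory shows up as a missing search bit instead of a silent TLS failure. demo() reproduces the situation in a scratch directory; the service uid and the placeholder certificate content are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

def _mode_allows(st, uid, gids, owner_bit, group_bit, other_bit):
    """Evaluate one permission bit from raw mode bits as the kernel does for an
    unprivileged process (os.access() would answer for the current user, and root
    bypasses DAC, so it cannot predict what the service account will see)."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)

def check_tls_file_access(path, uid, gids):
    """Return the problems that would stop a process running as (uid, gids)
    from opening `path`; an empty list means the file is readable."""
    p = Path(path).resolve()
    # Every directory on the way needs the search (x) bit; a 640 directory lacks it.
    for parent in reversed(p.parents):
        if not parent.exists():
            return [f"{parent}: does not exist"]
        st = parent.stat()
        if not _mode_allows(st, uid, gids, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            return [f"{parent}: no search (x) permission for uid {uid}"]
    if not p.exists():
        return [f"{p}: does not exist"]
    st = p.stat()
    if not _mode_allows(st, uid, gids, stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH):
        return [f"{p}: no read permission for uid {uid}"]
    return []

def demo():
    """Reproduce the thread's failure in a scratch directory: ssl/ at 640 blocks
    the group-readable fullchain.pem inside it; 550 on the directory fixes it."""
    root = Path(tempfile.mkdtemp())
    root.chmod(0o755)                      # mkdtemp creates 700; open the path up
    ssl_dir = root / "ssl"
    ssl_dir.mkdir()
    cert = ssl_dir / "fullchain.pem"
    cert.write_text("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n")
    cert.chmod(0o640)
    # Hypothetical service account: a different uid that belongs to the ssl/ group.
    svc_uid, svc_gids = os.getuid() + 1, {ssl_dir.stat().st_gid}
    ssl_dir.chmod(0o640)
    before = check_tls_file_access(cert, svc_uid, svc_gids)
    ssl_dir.chmod(0o550)
    after = check_tls_file_access(cert, svc_uid, svc_gids)
    return before, after
```

Running the check at startup and logging its result is one way to turn the permissions error in this thread into an explicit message instead of a browser-side cipher mismatch.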
Current UI and client versions:
Operating system:
Alpine Linux v3.12.1
Steps to reproduce the issue:
Obtain an ECDSA certificate from Let's Encrypt (standard from now on). Put the files in place. Restart AirDC++. Go to the page on HTTPS (port 5601).
HTTP (port 5600) works fine.
Screenshots
In Firefox: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
In Edge (the new one): airdc.xxx.xxx uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH. Unsupported protocol: the client and server don't support a common SSL protocol version or cipher suite.
The following errors appear in the console: