daurnimator / lua-http

HTTP Library for Lua. Supports HTTP(S) 1.0, 1.1 and 2.0; client and server.
https://daurnimator.github.io/lua-http/
MIT License

no shared cipher when using setCertificateChain #192

Closed Mehgugs closed 2 years ago

Mehgugs commented 2 years ago

I get " wrap on CQS Socket: 0x1afc0e8 failed: starttls: error:1417A0C1:SSL routines:tls_post_process_client_hello:no shared cipher"

When a client tries to connect to my server, I'm using a context generated by the following:

```lua
local http_tls    = require "http.tls"
local openssl_ctx = require "openssl.ssl.context"
local Pkey        = require "openssl.pkey"
-- asserts, openf, decode_fullchain and alpn_select are the reporter's own
-- helpers, defined elsewhere in their code.

local function new_ctx(version, crtpath, keypath)
    local ctx = http_tls.new_server_context()
    if http_tls.has_alpn then
        ctx:setAlpnSelect(alpn_select, version)
    end
    if version == 2 then
        -- HTTP/2 requires TLS 1.2 or later
        ctx:setOptions(openssl_ctx.OP_NO_TLSv1 + openssl_ctx.OP_NO_TLSv1_1)
    end
    local keyfile = asserts(openf(keypath, "r"))
    local crt = asserts(decode_fullchain(crtpath))
    asserts(ctx:setPrivateKey(Pkey.new(keyfile:read"a")))
    asserts(ctx:setCertificateChain(crt))
    keyfile:close()
    return ctx
end
```
```
$ luarocks show http
http scm-0 - HTTP library for Lua

$ luarocks show luaossl
luaossl 20200709-0 - Most comprehensive OpenSSL module in the Lua universe.

$ openssl version -a
OpenSSL 1.1.1k  25 Mar 2021
built on: Sat Jul 17 04:01:31 2021 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib/engines-1.1"
Seeding source: os-specific
```

I have manually tried with the modern, intermediate and old cipher lists from `http.tls` and this still happens.

NB: this may be better reported in luaossl?
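As an added example (not the reporter's code and not part of lua-http or luaossl), this is one way to build the server context so that the leaf certificate goes through `setCertificate` and only the intermediates go through `setCertificateChain`, with a key/certificate match check before the listener starts. It assumes a "fullchain" PEM with the leaf first followed by the intermediates, and the file paths are placeholders.

```lua
local http_tls  = require "http.tls"
local x509      = require "openssl.x509"
local x509chain = require "openssl.x509.chain"
local pkey      = require "openssl.pkey"

local function read_file(path)
    local f = assert(io.open(path, "rb"))
    local data = f:read("*a")
    f:close()
    return data
end

-- Split a PEM bundle into its certificate blocks, in file order (leaf first).
local function split_pem_certs(pem)
    local certs = {}
    for block in pem:gmatch(
        "%-%-%-%-%-BEGIN CERTIFICATE%-%-%-%-%-.-%-%-%-%-%-END CERTIFICATE%-%-%-%-%-") do
        certs[#certs + 1] = x509.new(block)
    end
    assert(#certs > 0, "no certificates found in bundle")
    return certs
end

-- fullchain_path / key_path are placeholders supplied by the caller.
local function new_server_ctx(fullchain_path, key_path)
    local certs = split_pem_certs(read_file(fullchain_path))
    local key   = pkey.new(read_file(key_path))
    local leaf  = certs[1]

    -- Fail early if the leaf does not belong to the private key: a mismatch
    -- leaves the server with no usable certificate, so handshakes fail before
    -- any application code runs.
    assert(leaf:getPublicKey():toPEM("public") == key:toPEM("public"),
           "private key does not match leaf certificate")

    local ctx = http_tls.new_server_context()
    assert(ctx:setCertificate(leaf))   -- the server's own certificate
    assert(ctx:setPrivateKey(key))
    if #certs > 1 then
        local chain = x509chain.new()
        for i = 2, #certs do
            chain:add(certs[i])         -- intermediates only, never the leaf
        end
        assert(ctx:setCertificateChain(chain))
    end
    return ctx
end

return new_server_ctx
```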

Mehgugs commented 2 years ago

This happens exclusively when using a chain certificate. (I also updated to openssl 1.1.1k and have the same issue) I should note that I can't really use a single certificate because my intermediates are missing; it just changes the error to a different one.

Mehgugs commented 2 years ago

Further testing shows this is a luaossl issue.