Erlang/OTP
http://erlang.org
Apache License 2.0

ERL-368: How to use ecdh self-signed cert in R19.2 ssl app #3450

Closed OTP-Maintainer closed 3 years ago

OTP-Maintainer commented 7 years ago

Original reporter: botanyzh
Affected version: OTP-19.2
Component: ssl
Migrated from: https://bugs.erlang.org/browse/ERL-368


Hi!
After so much searching in vain, I can't find an actual example through Google, and I failed again and again with many procedures.

*First, generate the key, CSR and certs*

*Root CA, something like below*
{code}openssl genrsa -out ca.key.pem 2048
openssl req -x509 -new -nodes -key ca.key.pem -days 365 -out ca.cert.pem

openssl genpkey -genparam -algorithm EC -out ecdh.pem \
                -pkeyopt ec_paramgen_curve:brainpoolP512r1

openssl req -nodes -new -newkey ec:ecdh.pem -keyout 1ecdh.key.pem -out 1ecdh.csr.pem{code}

*sign*

{code}openssl ca -in 1ecdh.csr.pem -out 1ecdh.crt.pem -config $CONF_FILE{code}

And finally I get 8 files for the 2 nodes to connect to each other:
ca.cert.pem
ecdh.pem
1ecdh.key.pem
1ecdh.csr.pem
1ecdh.crt.pem
2ecdh.key.pem
2ecdh.csr.pem
2ecdh.crt.pem

*Base options from the gen_rpc app*
{code:erlang}-define(SSL_DEFAULT_COMMON_OPTS, [binary,
        {packet,0},
        {header,0},
        {exit_on_close,true},
        {nodelay,true}, % Send our requests immediately
        {send_timeout_close,true}, % When the socket times out, close the connection
        {delay_send,false}, % Scheduler should favor timely delivery
        {linger,{true,2}}, % Allow the socket to flush outgoing data for 2" before closing it - useful for casts
        {reuseaddr,true}, % Reuse local port numbers
        {keepalive,true}, % Keep our channel open
        {tos,72}, % Deliver immediately
        {active,false},
        %% SSL options
        {ciphers,["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
                  "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384","ECDHE-ECDSA-DES-CBC3-SHA",
                  "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
                  "ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
                  "AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
                  "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
                  "ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
                  "ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
                  "AES128-SHA256","ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
                  "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
                  "ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"]},
        {secure_renegotiate,true},
        {reuse_sessions,true},
        {versions,['tlsv1.2','tlsv1.1']},
        {verify,verify_peer},
        {hibernate_after,600000},
        {active,false}]).

-define(SSL_DEFAULT_SERVER_OPTS, [{fail_if_no_peer_cert,true},
        {log_alert,false},
        {honor_cipher_order,true},
        {client_renegotiation,true}]).

-define(SSL_DEFAULT_CLIENT_OPTS, [{server_name_indication,disable},
        {depth,99}]).{code}

And extra options:
{code:erlang}ssl_client_options: [
    certfile: certfile,
    keyfile: keyfile,
    cacertfile: './priv/ssl/ca.cert.pem',
    eccs: [:brainpoolP512r1]
],
ssl_server_options: [
    certfile: certfile,
    keyfile: keyfile,
    cacertfile: './priv/ssl/ca.cert.pem',
    eccs: [:brainpoolP512r1]
],{code}

The two nodes are both on one CentOS system.
And when I try ssl:connect/4, I get the error below:

{code}“ tls_connection.erl:704:Fatal error: handshake failure - malformed_handshake_data”;

{tls_alert,"handshake failure"};{code}

And when I try openssl s_client, I get the error below:
{code}openssl s_client -connect 192.168.212.173:5370  -cert 2.crt.pem -key 2.key.pem   -CAfile ca.cert.pem -cipher ECDH-RSA-AES256-GCM-SHA384  -debug
CONNECTED(00000003)
depth=1 C = CN, ST = cq, L = cq, O = s, OU = p, CN = botanyzh, emailAddress = botanyzh@live.cn
verify return:1
depth=0 C = US, ST = Uniden, L = 00abcdef1234, O = sprt, OU = potato, CN = rpslc_1@192.168.212.173, emailAddress = botanyzh@live.cn
verify return:1
140467656820416:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140467656820416:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

With extra  “-debug”
write to 0x159aa30 [0x15acb00] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=32{code}

Please help me

*About the source*
The ECDH cert seems to be unusable for OTP's ssl.
When I debugged, I found that the ssl_connection:handle_peer_cert_key/5 call to public_key:generate_key/1 can never match.

The public_key interface is:
{code:erlang}generate_key(#'DHParameter'{prime = P, base = G}) ->
    crypto:generate_key(dh, [P, G]);
generate_key({namedCurve, _} = Params) ->
    ec_generate_key(Params);
generate_key(#'ECParameters'{} = Params) ->
    ec_generate_key(Params).{code}

But the argument passed is {ecParameters, #'ECParameters'{} = Params}.
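
The tuple tag `ecParameters` in the argument reported above is one of the three alternatives of the `EcpkParameters` CHOICE in RFC 3279 (`ecParameters`, `namedCurve`, `implicitlyCA`). As an added example, not part of the original report or of OTP, the following Python code reads the DER of a `SubjectPublicKeyInfo` and reports which alternative a key uses; the helper names and sample keys are constructed for illustration and are not the reporter's certificates.

```python
EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")          # OID 1.2.840.10045.2.1
BRAINPOOL_P512R1 = bytes.fromhex("2b240303020801010d")   # OID 1.3.36.3.3.2.8.1.1.13
CHOICES = {0x06: "namedCurve", 0x30: "ecParameters", 0x05: "implicitlyCA"}

def tlv(tag, body):
    """Encode one DER TLV with a definite, minimal length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the byte count
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def classify_spki(spki_der):
    """Name the parameter encoding inside a SubjectPublicKeyInfo."""
    alg = children(children(read_tlv(spki_der)[1])[0][1])   # AlgorithmIdentifier fields
    if alg[0] != (0x06, EC_PUBLIC_KEY):
        return "not_ec"
    return CHOICES.get(alg[1][0], "unknown") if len(alg) > 1 else "missing"

def spki_from_cert(cert_der):
    """Certificate -> tbsCertificate -> subjectPublicKeyInfo, returned as DER."""
    tbs = children(children(read_tlv(cert_der)[1])[0][1])
    spki = tbs[6] if tbs[0][0] == 0xA0 else tbs[5]   # skip the optional [0] version
    return tlv(*spki)

def sample_spki(params):
    """Constructed sample SPKI: id-ecPublicKey + params + a dummy 129-byte point."""
    alg = tlv(0x30, tlv(0x06, EC_PUBLIC_KEY) + params)
    return tlv(0x30, alg + tlv(0x03, b"\x00\x04" + bytes(128)))

NAMED = sample_spki(tlv(0x06, BRAINPOOL_P512R1))
EXPLICIT = sample_spki(tlv(0x30, tlv(0x02, b"\x01")))   # constructed stand-in: version field only
```

To inspect a real certificate, convert it to DER and pass the bytes through `spki_from_cert` and then `classify_spki`.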

OTP-Maintainer commented 7 years ago

lukas said:

Hello,

bugs.erlang.org is not the correct place to ask questions about how to work with Erlang/OTP. Please direct your question to the erlang-questions mailing list instead, where your question will get more attention from people that know how to work with the Erlang ssl stack.

http://erlang.org/mailman/listinfo/erlang-questions

Lukas

OTP-Maintainer commented 7 years ago

botanyzh said:

Last week I sent the email but got no response at all :(

OTP-Maintainer commented 7 years ago

lukas said:

I can't find any mail related to this in the archives, are you sure that it arrived?

OTP-Maintainer commented 7 years ago

botanyzh said:

I sent it through MS's Outlook email.

OTP-Maintainer commented 7 years ago

lukas said:

I don't know what may be wrong, but the e-mail did not arrive. Please contact mailman@erlang.org (as mentioned here: http://erlang.org/mailman/listinfo/) to figure out what went wrong.

OTP-Maintainer commented 7 years ago

botanyzh said:

Thanks, I am going to find out what's wrong.

OTP-Maintainer commented 7 years ago

botanyzh said:

I found the problem: I had previously unsubscribed from the erlang-questions mailing list.

Now I can receive the "erlang-questions awaits moderator approval" email.

OTP-Maintainer commented 7 years ago

botanyzh said:

Even though I successfully sent the problem email, still no one has responded to it.