ECH s_server seems to assume the use of RSA certificate(s)

[Avamander]

I'm trying to build and run a working ECH setup. I've built latest cURL, nginx and openssl (from the relevant branches).

When trying to run echsvr.sh as described here localhost-tests.md I'm getting the following error:

Running ./scripts/echsvr.sh at 20231207-213521
Not forcing HRR
Using all key pairs found in $HOME/ech-dev-utils/echkeydir
error setting private key
00000000:error:0480006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:773:
00000000:error:0A080106:SSL routines:SSL_CTX_ech_server_enable_file:passed invalid argument:ssl/ech.c:5013:
00000000:error:0A0000F7:SSL routines:ssl_set_pkey:unknown certificate type:ssl/ssl_rsa.c:132:

I'm using an EC (P-384) certificate (from LetsEncrypt, actually) and it seems that is causing issues for openssl s_server with ECH.

[sftcd]

Hiya,

On 07/12/2023 21:43, Avamander wrote:

I'm using an EC (P-384) certificate (from LetsEncrypt, actually) and it seems that is causing issues for openssl s_server with ECH.

Not sure I'm getting the issue, but it's entirely possible some problems may arise if the x.509 certs aren't using RSA (I've not done such tests.)

That said:

00000000:error:0A080106:SSL routines:SSL_CTX_ech_server_enable_file:passed invalid argument:ssl/ech.c:5013:

... seems to imply you may be feeding the x.509 certificate in as if it were an ECH key pair (it's not:-), so maybe there's a fail in our HOWTO text that you followed? The ECH PEM file should be one that's produced using openssl ech from the command line, and is not ever going to be something touched by LetsEncrypt.

Could such a mixup be the issue? (Happy to try help more tomorrow local time, but late here now.)

Cheers, S.

[Avamander]

seems to imply you may be feeding the x.509 certificate in as if it were an ECH key pair (it's not:-),

Hmm. I don't think that's the case.

The ECH PEM file should be one that's produced using openssl ech

The .crt-s (passed using -cert2, -cert) are X.509 certificates. (If I let the script generate mock ones, they're also X.509 certificates.) Rest of the files required were created using openssl ech.

[sftcd]

Hiya,

Not sure still. Can you send the output (down as far as "ACCEPT" if it gets there) when you run echsvr.sh -d? Also, line 5013 of ech.c doesn't throw an error as would be indicated above, so maybe you need to pull the repo again?

Ta, S.

[Avamander]

Full output based on now latest ECH-draft-13c branch, it was a few days out of date:

Running ./scripts/echsvr_example.sh at 20231208-123156
Not forcing HRR
Using all key pairs found in $HOME/ech-dev-utils/echkeydir 
Running:   $HOME/openssl/apps/openssl s_server -msg -trace  -tlsextdebug -ign_eof -key $HOME/ech-dev-utils/cadir/example.com.priv -cert $HOME/ech-dev-utils/cadir/example.com.crt -key2 $HOME/ech-dev-utils/cadir/test.example.com.priv -cert2 $HOME/ech-dev-utils/cadir/test.example.com.crt  -CApath $HOME/ech-dev-utils/cadir/  -port 8443  -tls1_3   -ech_dir $HOME/ech-dev-utils/echkeydir -servername example.com   -alpn http/1.1,h2       
Added 0 ECH key pairs from: $HOME/ech-dev-utils/echkeydir
Setting secondary ctx parameters
Using default temp DH parameters
error setting private key
804B796C327F0000:error:0480006C:PEM routines:get_name:no start line:crypto/pem/pem_lib.c:773:
804B796C327F0000:error:0A080106:SSL routines:SSL_CTX_ech_server_enable_file:passed invalid argument:ssl/ech.c:5038:
804B796C327F0000:error:0A0000F7:SSL routines:ssl_set_kpey:unknown certificate type:ssl/ssl_rsa.c:132:

(With the actual home directory path replaced with the string $HOME)

[sftcd]

Coupla more questions:

• What's ls -l $HOME/ech-dev-utils/echkeydir show?
• Is test.example.com.priv etc the one with the p384 private key? What happens if you change that back to the foo.example.com.priv as generated by ``make-example-ca.sh"?

[Avamander]

What's ls -l $HOME/ech-dev-utils/echkeydir show?

It's empty. I haven't gotten to that step yet on how those get made. (Is there really minimal example somewhere?)

Is test.example.com.priv etc the one with the p384 private key? What happens if you change that back to the foo.example.com.priv as generated by ``make-example-ca.sh"?

A-ha, I think I solved it. test.example.com.priv didn't contain the p384 private key that would correspond to test.example.com.crt. I assume s_server assumed RSA based on the incorrect .priv and then the certificate wasn't okay. Makes sense, thanks!

[sftcd]

ah good, sounds like you're making progress, I guess leave this open 'till your happy all's well. (Or if it works for you we've now got a matrix chat room for this kind of thing too - see https://defo.ie/index.html#contact)

[Avamander]

Just mentioning that to try and bypass this issue, I did try and build BoringSSL (and cURL and Nginx with it) but I couldn't make nginx link with it properly. I presume there are more nuances to that?

[sftcd]

CURL+boringssl for ECH was straightforward IIRC - see here for what worked for me.

I've not yet played with nginx+boringssl for ECH - there's another chap has a fork that does that, but our nginx fork doesn't (yet) work with boringssl for nginx.