No shared cipher error with curl/nss on RHEL7 with ECC (server problem) #7247

Closed
dnsmichi opened this issue Jun 18, 2019 · 4 comments · Fixed by #7248
@dnsmichi
Contributor

Describe the bug

No shared ciphers are available in RHEL/CentOS 7 with curl/nss.

To Reproduce

Use the snapshot packages inside the Icinga Vagrant boxes, and their curl/nss versions.

[root@icinga2 ~]# openssl s_client -connect localhost:5665
CONNECTED(00000003)
139989342721936:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1560858699
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
[2019-06-18 13:51:39 +0200] critical/ApiListener: Client TLS handshake failed (from [127.0.0.1]:42356): no shared cipher

https://stackoverflow.com/questions/18929049/boost-asio-with-ecdsa-certificate-issue

Expected behavior

ECC ciphers are loaded by default and available on connect.

https://stackoverflow.com/questions/40454338/no-shared-cipher-at-ssl-accept-why

#5555 doesn't provide this.

Your Environment

Include as many relevant details about the environment you experienced the problem in

  • Version used (icinga2 --version): v2.10.5-793-gee4c5c5
  • Operating System and version: CentOS 7.6

Additional context

Cipher list changes coming from #7219

@dnsmichi dnsmichi added the labels bug (Something isn't working), area/api (REST API) and core/build-fix (Follow-up fix, not released yet) Jun 18, 2019
@dnsmichi dnsmichi added this to the 2.11.0 milestone Jun 18, 2019
@dnsmichi
Contributor Author

Note: The server needs to run on el7; curl from el7 to my Macbook works like a charm.

@dnsmichi dnsmichi self-assigned this Jun 18, 2019
@dgoetz
Contributor

dgoetz commented Jun 18, 2019

Note: curl 7.59.0 on Fedora 28 also does not work; I haven't updated my system yet, but perhaps this info helps to find the minimum version where it works out of the box.

@dnsmichi
Contributor Author

Thanks, it is a function call which explicitly enables loading the ECC ciphers. I've verified this inside the centos7-dev Vagrant box already.

[root@icinga2-centos7-dev ~]# curl -k -vvvv -u root:icinga 'https://localhost:5665/v1'
* About to connect() to localhost port 5665 (#0)
*   Trying ::1...
* Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 5665 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file
[root@icinga2-centos7-dev ~]# curl -k -vvvv -u root:icinga 'https://localhost:5665/v1'
* About to connect() to localhost port 5665 (#0)
*   Trying ::1...
* Connection refused
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 5665 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* NSS: client certificate not found (nickname not specified)
* SSL connection using TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* Server certificate:
* 	subject: CN=icinga2-centos7-dev.vagrant.demo.icinga.com
* 	start date: Jun 18 12:47:02 2019 GMT
* 	expire date: Jun 14 12:47:02 2034 GMT
* 	common name: icinga2-centos7-dev.vagrant.demo.icinga.com
* 	issuer: CN=Icinga CA
* Server auth using Basic with user 'root'
> GET /v1 HTTP/1.1
> Authorization: Basic cm9vdDppY2luZ2E=
> User-Agent: curl/7.29.0
> Host: localhost:5665
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: Icinga/v2.10.5-795-g8b5ebe9
< Content-Type: text/html
< Content-Length: 361
<
* Connection #0 to host localhost left intact
<html><head><title>Icinga 2</title></head><h1>Hello from Icinga 2 (Version: v2.10.5-795-g8b5ebe9)!</h1><p>You are authenticated as <b>root</b>. Your user has the following permissions:</p> <ul><li>*</li></ul><p>More information about API requests is available in the <a href="https://docs.icinga.com/icinga2/latest" target="_blank">documentation</a>.</p></html>[root@icinga2-centos7-dev ~]#
[root@icinga2-centos7-dev icinga2]# git diff
diff --git a/lib/base/tlsutility.cpp b/lib/base/tlsutility.cpp
index a3edc87..9f53c62 100644
--- a/lib/base/tlsutility.cpp
+++ b/lib/base/tlsutility.cpp
@@ -73,6 +73,9 @@ static void SetupSslContext(SSL_CTX *sslContext, const String& pubkey, const Str
        SSL_CTX_set_mode(sslContext, SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
        SSL_CTX_set_session_id_context(sslContext, (const unsigned char *)"Icinga 2", 8);

+       // Explicitly load ECC ciphers, required on el7.
+       SSL_CTX_set_ecdh_auto(sslContext, 1);
+
        if (!pubkey.IsEmpty()) {
                if (!SSL_CTX_use_certificate_chain_file(sslContext, pubkey.CStr())) {
                        Log(LogCritical, "SSL")
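Review bot: the comment on the added line says "Explicitly load ECC ciphers", but `SSL_CTX_set_ecdh_auto(sslContext, 1)` does not load any cipher suites; it tells OpenSSL to choose an ECDH curve automatically for the key exchange, which is what the ECDHE suites already present in the cipher list need before the server can actually offer them. Suggest rewording it to something like `// Enable automatic ECDH curve selection so the ECDHE suites from the cipher list can be negotiated (required on el7).` so that the next reader does not look for cipher-list changes here. The placement, after SSL_CTX_set_session_id_context and before the certificate chain is loaded, is fine since the curve choice does not depend on the key material.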

dnsmichi pushed a commit that referenced this issue Jun 18, 2019
Otherwise curl/nss as client won't be able to use the
new default cipher list.

fixes #7247
@dnsmichi
Contributor Author

@dgoetz Small remark - the client version doesn't matter here, I was on the wrong lead. It is just about the server not loading this correctly with specific OpenSSL versions on RHEL.
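The failure described in this thread is easiest to reason about as a set intersection: the suites a TLS 1.2 server can really offer are its configured cipher list minus every suite whose key exchange has no parameters set up (ECDHE needs an ECDH curve, DHE needs DH parameters) and minus suites its certificate key type cannot authenticate, and the handshake fails with "no shared cipher" when nothing is left that the client also offers. The following is an added example, not Icinga's code: it delegates cipher-string expansion to Python's ssl module, so the suite names come from the OpenSSL linked into the interpreter. The `ecdh_enabled` and `dh_params_loaded` switches are model parameters (Python's ssl module enables ECDH curve selection on its own, so the el7 server-side state cannot be reproduced on a real context here), and server-preference ordering is an assumption.

```python
"""Model of a TLS 1.2 "no shared cipher" failure (added example, not Icinga code).

A server's usable suites are its configured cipher list filtered by what its
certificate can authenticate and which key exchanges have parameters; the
handshake succeeds only if one of those is also offered by the client.
"""
import ssl


def expand_suites(cipher_string):
    """Expand an OpenSSL cipher string into TLS 1.2 suite names via the local OpenSSL."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # OpenSSL 1.1.1+ always lists the TLS 1.3 suites; they are not affected by
    # the ECDH/DH parameter problem, so keep only the pre-1.3 entries.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def usable_server_suites(configured, cert_type="RSA", ecdh_enabled=True,
                         dh_params_loaded=False):
    """Drop suites the server could not complete a handshake with.

    configured:       suite names from expand_suites()
    cert_type:        "RSA" or "ECDSA", the key type of the server certificate
    ecdh_enabled:     model switch: an ECDH curve is available for ECDHE suites
                      (what SSL_CTX_set_ecdh_auto provides on OpenSSL 1.0.2)
    dh_params_loaded: model switch: DH parameters were set for DHE suites
    """
    usable = []
    for name in configured:
        # Authentication: the suite must match the certificate's key type.
        needs = "ECDSA" if "ECDSA" in name else "RSA"
        if "DSS" in name or "PSK" in name or "SRP" in name or needs != cert_type:
            continue
        # Key exchange: ephemeral suites need their parameters.
        if name.startswith("ECDHE-") and not ecdh_enabled:
            continue
        if name.startswith(("DHE-", "EDH-")) and not dh_params_loaded:
            continue
        usable.append(name)
    return usable


def negotiate(server_ciphers, client_ciphers, cert_type="RSA",
              ecdh_enabled=True, dh_params_loaded=False):
    """Return the suite a TLS 1.2 handshake would settle on, or None ("no shared cipher").

    Assumes the server prefers its own order (SSL_OP_CIPHER_SERVER_PREFERENCE).
    """
    server = usable_server_suites(expand_suites(server_ciphers), cert_type,
                                  ecdh_enabled, dh_params_loaded)
    client = set(expand_suites(client_ciphers))
    return next((s for s in server if s in client), None)


if __name__ == "__main__":
    # Server limited to the suite curl negotiated in the thread, client on OpenSSL defaults.
    # el7 before the fix: no ECDH curve configured, so the ECDHE suite is unusable.
    print("without ecdh_auto:", negotiate("ECDHE-RSA-AES256-GCM-SHA384", "DEFAULT", ecdh_enabled=False))
    print("with ecdh_auto:   ", negotiate("ECDHE-RSA-AES256-GCM-SHA384", "DEFAULT"))
    # Same server, client that only offers ECDSA-authenticated suites: no overlap either way.
    print("ecdsa-only client:", negotiate("ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384"))
```

Running the module prints `None` for the first and third cases and `ECDHE-RSA-AES256-GCM-SHA384` for the second, which mirrors the two curl runs quoted above: an ECDHE-only server cipher list with no ECDH curve is effectively empty, so every client gets "no shared cipher" no matter which curl or NSS version it runs.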

@dnsmichi dnsmichi changed the title No shared cipher error with curl/nss on RHEL7 with ECC No shared cipher error with curl/nss on RHEL7 with ECC (server problem) Jun 18, 2019
dnsmichi pushed a commit that referenced this issue Jul 30, 2019
This is a combined patch from git master for 2.10 and before.

refs #7247
refs #7366
dnsmichi pushed a commit that referenced this issue Jul 30, 2019
This is a combined patch from git master for 2.10 and before.

refs #7247
refs #7366

(cherry picked from commit cbd0731)