certtool --generate-privkey --outfile mycert.key
certtool --generate-self-signed --load-privkey mycert.key --outfile mycert.crt --template ~/src/onion/tests/01-internal/mycert.cfg
cat mycert.crt mycert.key > mycert.pem
Hi all--
Having issues with SSL support. I've tried a number of certificate methods, but no luck. Both OpenSSL and CURL fail to negotiate a cipher suite. Feel I'm missing something basic but can't find it.
The latest method for certificate generation was here: https://debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
[F7FCA780] [2017-05-07 17:42:21] [DEBUG https.c:153] HTTPS connection ready
[F7FCA780] [2017-05-07 17:42:21] [DEBUG onion.c:649] add 0x679a60 listen_point (0x649380, 0x679a60, (nil))
[F7FCA780] [2017-05-07 19:15:47] [DEBUG https.c:339] Setting certificate to 0x679a80: cert /rpi/server/cert.pem /rpi/server/cert/key.pem
[F7FCA780] [2017-05-07 17:42:21] [DEBUG onion.c:736] New root url handler
[F0FF0700] [2017-05-07 17:42:21] [DEBUG listen_point.c:192] Trying to listen at 172.24.1.1:8000
[F0FF0700] [2017-05-07 17:42:21] [DEBUG listen_point.c:233] Listening to 172.24.1.1:8000, fd 8
[F0FF0700] [2017-05-07 17:42:21] [DEBUG onion.c:507] Adding listen point fd 8 to poller
[F0FF0700] [2017-05-07 17:42:21] [DEBUG onion.c:515] Start polling / listening 0x649380, 0x679a60, (nil)
[E37FE700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E3FFF700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E2FFD700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E27FC700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E1FFB700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E17FA700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[F0FF0700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E0FF9700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E0FF9700] [2017-05-07 17:45:34] [DEBUG https.c:207] Accept new request, fd 9
[E0FF9700] [2017-05-07 17:45:40] [ERROR https.c:225] Handshake has failed (Could not negotiate a supported cipher suite.)
[E0FF9700] [2017-05-07 17:45:40] [DEBUG request.c:83] Invalid request, closing
[E0FF9700] [2017-05-07 17:45:40] [DEBUG https.c:282] Close HTTPS connection
$ openssl s_client -showcerts -servername 172.24.1.1 -connect 172.24.1.1:8000
CONNECTED(00000003)
140470436206224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1494136027
Timeout : 300 (sec)
Verify return code: 0 (ok)
Thanks, Leonard
You received this message because you are subscribed to the Google Groups "onion-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to onion-dev+unsubscribe@coralbits.com.
To post to this group, send email to onio...@coralbits.com.
Visit this group at https://groups.google.com/a/coralbits.com/group/onion-dev/.
For more options, visit https://groups.google.com/a/coralbits.com/d/optout.
It is working. There are just a few quirks to look out for.
You need to provide the cert and key to the function as parameter one and two.
You can't just concatenate the cert and key into one file and pass it in as the first parameter and ignore passing in the key as the second parameter.
For example:
onion_set_certificate(_http.onion, O_SSL_CERTIFICATE_KEY, properties.JLS_FILE_CERT, properties.JLS_FILE_CERT_KEY);
1) JLS_FILE_CERT can be just the cert, or the cert and key concatenated into a single file.
2) JLS_FILE_KEY must be the key.
You can see what GNU is up to by setting the runtime environment variable as follows:
GNUTLS_DEBUG_LEVEL=9
To test Onion, use the command gnutls-cli --tofu -d 9 <ip_address> -p <port>.
If working, you will see the certificate details come back.
Thanks, Leonard
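As an added worked example (not code from this thread or from the Onion project), the rule in the reply expressed as a pre-flight check: argument one of onion_set_certificate(..., O_SSL_CERTIFICATE_KEY, cert, key) must contain a certificate (a cat'ed cert+key bundle is fine), argument two must contain the private key on its own. The PEM samples are constructed placeholders, check_cert_key_pair, check_cert_key_files and the HAVE_ONION guard are names introduced here, and the guarded section assumes libonion's onion_new, onion_free and onion_listen from onion/onion.h plus a negative return from onion_set_certificate on failure.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_ONION            /* assumption: build with -DHAVE_ONION -lonion when libonion is installed */
#include <onion/onion.h>
#endif

/* Constructed sample PEM texts (placeholder base64, not real keys).
 * SAMPLE_BUNDLE is what "cat mycert.crt mycert.key > mycert.pem" produces. */
static const char SAMPLE_CERT[] =
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n";
static const char SAMPLE_KEY[] =
    "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n";
static const char SAMPLE_BUNDLE[] =
    "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\nMIIE...placeholder...\n-----END RSA PRIVATE KEY-----\n";

/* 1 if `pem` contains a "-----BEGIN <label>-----" marker, else 0. */
static int pem_has_block(const char *pem, const char *label) {
    char needle[96];
    snprintf(needle, sizeof needle, "-----BEGIN %s-----", label);
    return strstr(pem, needle) != NULL;
}

/* 1 if `pem` carries a private key under any of the usual PEM labels. */
static int pem_has_private_key(const char *pem) {
    return pem_has_block(pem, "PRIVATE KEY")        /* PKCS#8 */
        || pem_has_block(pem, "RSA PRIVATE KEY")    /* PKCS#1 */
        || pem_has_block(pem, "EC PRIVATE KEY");
}

/* The rule from the reply: argument 1 must carry a certificate (a cert+key
 * bundle is tolerated), argument 2 must carry the private key by itself.
 * Returns 0 when the pair is usable, -1 when arg 1 has no certificate,
 * -2 when arg 2 has no private key. */
int check_cert_key_pair(const char *cert_pem, const char *key_pem) {
    if (!pem_has_block(cert_pem, "CERTIFICATE")) return -1;
    if (!pem_has_private_key(key_pem)) return -2;
    return 0;
}

/* Read a whole file into a NUL-terminated buffer; caller frees. NULL on error. */
static char *read_file(const char *path) {
    FILE *f = fopen(path, "rb");
    if (!f) return NULL;
    fseek(f, 0, SEEK_END);
    long n = ftell(f);
    if (n < 0) { fclose(f); return NULL; }
    rewind(f);
    char *buf = malloc((size_t)n + 1);
    if (!buf || fread(buf, 1, (size_t)n, f) != (size_t)n) { free(buf); fclose(f); return NULL; }
    buf[n] = '\0';
    fclose(f);
    return buf;
}

/* Same check on the two files passed to onion_set_certificate; -3 if a file is unreadable. */
int check_cert_key_files(const char *cert_path, const char *key_path) {
    char *cert = read_file(cert_path), *key = read_file(key_path);
    int rc = (cert && key) ? check_cert_key_pair(cert, key) : -3;
    free(cert);
    free(key);
    return rc;
}

int main(void) {
    /* The layout from the original post: bundle as arg 1, nothing as arg 2 -> rejected. */
    printf("bundle + empty key : %d\n", check_cert_key_pair(SAMPLE_BUNDLE, ""));
    /* The two layouts the reply says work. */
    printf("cert + key         : %d\n", check_cert_key_pair(SAMPLE_CERT, SAMPLE_KEY));
    printf("bundle + key       : %d\n", check_cert_key_pair(SAMPLE_BUNDLE, SAMPLE_KEY));

#ifdef HAVE_ONION
    /* Call pattern from the reply: cert file first, key file second. */
    if (check_cert_key_files("cert.pem", "key.pem") != 0) return 1;
    onion *o = onion_new(O_THREADED);
    /* assumption: onion_set_certificate returns a negative value when GnuTLS rejects the files */
    if (onion_set_certificate(o, O_SSL_CERTIFICATE_KEY, "cert.pem", "key.pem") < 0) {
        fprintf(stderr, "certificate not accepted; rerun with GNUTLS_DEBUG_LEVEL=9 for detail\n");
        onion_free(o);
        return 1;
    }
    onion_listen(o);
    onion_free(o);
#endif
    return 0;
}
```

Running the check before onion_set_certificate turns the vague "Could not negotiate a supported cipher suite" handshake error from the first post into an explicit "no private key in argument 2" failure at startup, which is the symptom the reply describes.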