Re: [onion-dev] SSL Blues
30 views
Skip to first unread message
David Moreno Montero
May 11, 2017, 6:06:21 AM5/11/17
to leonard...@gmail.com, onion-dev
Hi,
(this is what the current tests do)
I just generated a certificate with:
certtool --generate-privkey --outfile mycert.keycerttool --generate-privkey --outfile mycert.key --generate-self-signed --load-privkey mycert.key --outfile mycert.crt --template ~/src/onion/tests/01-internal/mycert.cfgcat mycert.crt mycert.key > mycert.pem
and it worked. I did not try with the method described in your link.
I also tried with a letsencrypt certificate, and it did not work. I will try to test it a bit more and add the required tests, as current tests are passing but the code is not working.
If somebody can find some time to create patches, it will be greatly appreciated.
Regards,
David.
David.
2017-05-07 9:34 GMT+02:00 <leonard...@gmail.com>:
Hi all--
Having issues with SSL support. I've tried a number of certificate methods, but no luck. Both OpenSSL and CURL fail to negotiate a cipher suite. Feel I'm missing something basic but can't find it.
The latest method for certificate generation was here: https://debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian
[F7FCA780] [2017-05-07 17:42:21] [DEBUG https.c:153] HTTPS connection ready
[F7FCA780] [2017-05-07 17:42:21] [DEBUG onion.c:649] add 0x679a60 listen_point (0x649380, 0x679a60, (nil))
[F7FCA780] [2017-05-07 19:15:47] [DEBUG https.c:339] Setting certificate to 0x679a80: cert /rpi/server/cert.pem /rpi/server/cert/key.pem
[F7FCA780] [2017-05-07 17:42:21] [DEBUG onion.c:736] New root url handler
[F0FF0700] [2017-05-07 17:42:21] [DEBUG listen_point.c:192] Trying to listen at 172.24.1.1:8000
[F0FF0700] [2017-05-07 17:42:21] [DEBUG listen_point.c:233] Listening to 172.24.1.1:8000, fd 8
[F0FF0700] [2017-05-07 17:42:21] [DEBUG onion.c:507] Adding listen point fd 8 to poller
[F0FF0700] [2017-05-07 17:42:21] [DEBUG onion.c:515] Start polling / listening 0x649380, 0x679a60, (nil)
[E37FE700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E3FFF700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E2FFD700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E27FC700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E1FFB700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E17FA700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[F0FF0700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E0FF9700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E0FF9700] [2017-05-07 17:45:34] [DEBUG https.c:207] Accept new request, fd 9
[E0FF9700] [2017-05-07 17:45:40] [ERROR https.c:225] Handshake has failed (Could not negotiate a supported cipher suite.)
[E0FF9700] [2017-05-07 17:45:40] [DEBUG request.c:83] Invalid request, closing
[E0FF9700] [2017-05-07 17:45:40] [DEBUG https.c:282] Close HTTPS connection
$ openssl s_client -showcerts -servername 172.24.1.1 -connect 172.24.1.1:8000
CONNECTED(00000003)
140470436206224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1494136027
Timeout : 300 (sec)
Verify return code: 0 (ok)
Thanks, Leonard
You received this message because you are subscribed to the Google Groups "onion-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to onion-dev+unsubscribe@coralbits.com.
To post to this group, send email to onio...@coralbits.com.
Visit this group at https://groups.google.com/a/coralbits.com/group/onion-dev/.
For more options, visit https://groups.google.com/a/coralbits.com/d/optout.
leonard...@gmail.com
May 11, 2017, 6:35:14 AM5/11/17
to onion-dev, leonard...@gmail.com
Hi David
Is is working. There are just a few quirks to look out for.
What you see in the log file if the file can't be found is just a meaningless message:
“gnutls[2]: Could not find an appropriate certificate: Insufficient credentials for that request.”
You need to provide the cert and key to the function as parameter one and two.
You can't just concatenate the cert and key into one file and pass it in as the first parameter and ignore passing in the key as the second parameter.
For example:
onion_set_certificate(_http.onion, O_SSL_CERTIFICATE_KEY, properties.JLS_FILE_CERT, properties.JLS_FILE_CERT_KEY);
1) JLS_FILE_CERT can be just the cert, or the cert and key concatenated into a single file.
2) JLS_FILE_KEY must be the key
You can see what GNU is up to by setting the runtime environment variable as follows:
GNUTLS_DEBUG_LEVEL=9
You can test Onion, use the command gnutls-cli --tofu -d 9 <ip_address> -p <port>.
If working, you will see the certificate details come back.
Thanks, Leonrd
To unsubscribe from this group and stop receiving emails from it, send an email to onion-dev+...@coralbits.com.
To post to this group, send email to onio...@coralbits.com.
Visit this group at https://groups.google.com/a/coralbits.com/group/onion-dev/.
For more options, visit https://groups.google.com/a/coralbits.com/d/optout.
Reply all
Reply to author
Forward
0 new messages