Re: [onion-dev] SSL Blues

29 views
Skip to first unread message

David Moreno Montero

unread,
May 11, 2017, 6:06:21 AM5/11/17
to leonard...@gmail.com, onion-dev
Hi,

I just generated a certificate with:

certtool --generate-privkey --outfile mycert.key
certtool --generate-privkey --outfile mycert.key --generate-self-signed --load-privkey mycert.key --outfile mycert.crt --template ~/src/onion/tests/01-internal/mycert.cfg
cat mycert.crt mycert.key > mycert.pem

(this is what the current tests do)

and it worked. I did not try with the method described in your link. 

I also tried with a letsencrypt certificate, and it did not work. I will try to test it a bit more and add the required tests, as current tests are passing but the code is not working.

If somebody can find some time to create patches, it will be greatly appreciated.

Regards,
David.

2017-05-07 9:34 GMT+02:00 <leonard...@gmail.com>:
Hi all

Having issues with SSL support. I've tried a number of certificate methods, but no luck. Both OpenSSL and CURL fail to negotiate a cipher suite. Feel I'm missing something basic but can't find it.

The latest method for certificate generation was here: https://debian-administration.org/article/284/Creating_and_Using_a_self_signed__SSL_Certificates_in_debian


[F7FCA780] [2017-05-07 17:42:21] [DEBUG https.c:153] HTTPS connection ready
[F7FCA780] [2017-05-07 17:42:21] [DEBUG onion.c:649] add 0x679a60 listen_point (0x649380, 0x679a60, (nil))
[F7FCA780] [2017-05-07 19:15:47] [DEBUG https.c:339] Setting certificate to 0x679a80: cert /rpi/server/cert.pem /rpi/server/cert/key.pem
[F7FCA780] [2017-05-07 17:42:21] [DEBUG onion.c:736] New root url handler
[F0FF0700] [2017-05-07 17:42:21] [DEBUG listen_point.c:192] Trying to listen at 172.24.1.1:8000
[F0FF0700] [2017-05-07 17:42:21] [DEBUG listen_point.c:233] Listening to 172.24.1.1:8000, fd 8
[F0FF0700] [2017-05-07 17:42:21] [DEBUG onion.c:507] Adding listen point fd 8 to poller
[F0FF0700] [2017-05-07 17:42:21] [DEBUG onion.c:515] Start polling / listening 0x649380, 0x679a60, (nil)
[E37FE700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E3FFF700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E2FFD700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E27FC700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E1FFB700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E17FA700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[F0FF0700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E0FF9700] [2017-05-07 17:42:21] [DEBUG poller.c:497] Start polling
[E0FF9700] [2017-05-07 17:45:34] [DEBUG https.c:207] Accept new request, fd 9
[E0FF9700] [2017-05-07 17:45:40] [ERROR https.c:225] Handshake has failed (Could not negotiate a supported cipher suite.)
[E0FF9700] [2017-05-07 17:45:40] [DEBUG request.c:83] Invalid request, closing
[E0FF9700] [2017-05-07 17:45:40] [DEBUG https.c:282] Close HTTPS connection

$ openssl s_client
-showcerts -servername 172.24.1.1 -connect 172.24.1.1:8000
CONNECTED
(00000003)
140470436206224:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read
0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL
-Session:
   
Protocol  : TLSv1.2
   
Cipher    : 0000
   
Session-ID:
   
Session-ID-ctx:
   
Master-Key:
   
Key-Arg   : None
    PSK identity
: None
    PSK identity hint
: None
    SRP username
: None
   
Start Time: 1494136027
   
Timeout   : 300 (sec)
   
Verify return code: 0 (ok)

 Thanks, Leonard


--
You received this message because you are subscribed to the Google Groups "onion-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to onion-dev+unsubscribe@coralbits.com.
To post to this group, send email to onio...@coralbits.com.
Visit this group at https://groups.google.com/a/coralbits.com/group/onion-dev/.
For more options, visit https://groups.google.com/a/coralbits.com/d/optout.



--

leonard...@gmail.com

unread,
May 11, 2017, 6:35:14 AM5/11/17
to onion-dev, leonard...@gmail.com
Hi David


Is is working. There are just a few quirks to look out for.


If the file paths are wrong, neither Onion or GNU will balk - it just won’t work! Onion just passes the file paths to GNU which doesn’t check the files actually exist.

What you see in the log file if the file can't be found is just a meaningless message: 

“gnutls[2]: Could not find an appropriate certificate: Insufficient credentials for that request.”

You need to provide the cert and key to the function as parameter one and two. 


You can't just concatenate the cert and key into one file and pass it in as the first parameter and ignore passing in the key as the second parameter.


For example:  


onion_set_certificate(_http.onion, O_SSL_CERTIFICATE_KEY, properties.JLS_FILE_CERT, properties.JLS_FILE_CERT_KEY);


1) JLS_FILE_CERT can be just the cert, or the cert and key concatenated into a single file.

2) JLS_FILE_KEY must be the key


You can see what GNU is up to by setting the runtime environment variable as follows:


GNUTLS_DEBUG_LEVEL=9


You can test Onion, use the command gnutls-cli --tofu -d 9 <ip_address> -p <port>


If working, you will see the certificate details come back.


Thanks, Leonrd


To unsubscribe from this group and stop receiving emails from it, send an email to onion-dev+...@coralbits.com.

To post to this group, send email to onio...@coralbits.com.
Visit this group at https://groups.google.com/a/coralbits.com/group/onion-dev/.
For more options, visit https://groups.google.com/a/coralbits.com/d/optout.
Reply all
Reply to author
Forward
0 new messages