ngircd icon indicating copy to clipboard operation
ngircd copied to clipboard

Published 20 hours ago verified publisher icon ngircd

Cannot use elliptic curve certificates with OpenSSL crypto provider

Open mia-0 opened this issue 7 years ago • 3 comments

When using OpenSSL and a certificate which uses EC crypto (e.g. nistp384 curve), client connections fail with errors like error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure. The ngircd log says: [15862:3 627] SSL protocol error: SSL_accept (error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher).

The same certificate works with GnuTLS, but that can’t reload certs (which makes it impractical for use with Let’s Encrypt).

This happens regardless of the configured cipher suite.

Unfortunately, I don’t know the correct OpenSSL API incantation to make this work.

mia-0 avatar Jun 18 '17 04:06 mia-0

Just a wild guess:

The "no shared cipher" in the error message above leads me to the CipherList configuration option in the [SSL] block in ngircd.conf: probably this option isn't set to something "sane"?

Please have a look at the output of ngircd --configtest to validate its current value.

alexbarton avatar Jun 19 '17 21:06 alexbarton

On 2017 M06 19, Mon 23:55:20 CEST Alexander Barton wrote:

Just a wild guess:

The "no shared cipher" in the error message above leads me to the CipherList configuration option in the [SSL] block in ngircd.conf: probably this option isn't set to something "sane"?

Please have a look at the output of ngircd --configtest to validate its current value.

Like I said, it doesn’t matter. Of course I didn’t try to use the same setting as with GnuTLS. I’ve tried unsetting the option (so it defaults to HIGH:!aNULL:@STRENGTH:!SSLv3) and I’ve tried setting it to something that works with my nginx webserver and prosody (which both also use OpenSSL), i.e. ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA- AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256- SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:! EXPORT:!EDH:!CAMELLIA:!3DES:!DES:!MD5:!PSK:!RC4:!RSA;. Nope, doesn’t work.

Maybe ngircd isn’t enabling TLSv1.2 properly? It should be from the looks of it, but I don’t know OpenSSL well enough.

mia-0 avatar Jun 19 '17 22:06 mia-0

Ah, sorry, I overlooked that you already mentioned that option …

alexbarton avatar Jun 19 '17 22:06 alexbarton

What IRC client are you using? I get the same error when connecting using irssi, but I'm unable to reproduce using openssl s_client.

crabctrl avatar Oct 30 '22 03:10 crabctrl

I am also unable to reproduce this bug with ircii. That being said, this also isn't just a bug in irssi, as irssi has no trouble connecting to other IRC servers with similar certificates, so there's a combination of something happening in irssi + something happening in ngircd.

crabctrl avatar Oct 30 '22 03:10 crabctrl