ngircd
Cannot use elliptic curve certificates with OpenSSL crypto provider
When using OpenSSL and a certificate which uses EC crypto (e.g. nistp384 curve), client connections fail with errors like error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure. The ngircd log says: [15862:3 627] SSL protocol error: SSL_accept (error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher).
The same certificate works with GnuTLS, but that can’t reload certs (which makes it impractical for use with Let’s Encrypt).
This happens regardless of the configured cipher suite.
Unfortunately, I don’t know the correct OpenSSL API incantation to make this work.
Just a wild guess:
The "no shared cipher" in the error message above leads me to the CipherList configuration option in the [SSL] block in ngircd.conf: probably this option isn't set to something "sane"?
Please have a look at the output of ngircd --configtest to validate its current value.
On 2017 M06 19, Mon 23:55:20 CEST Alexander Barton wrote:
Just a wild guess:
The "no shared cipher" in the error message above leads me to the CipherList configuration option in the [SSL] block in ngircd.conf: probably this option isn't set to something "sane"?
Please have a look at the output of ngircd --configtest to validate its current value.
Like I said, it doesn’t matter. Of course I didn’t try to use the same setting as with GnuTLS. I’ve tried unsetting the option (so it defaults to HIGH:!aNULL:@STRENGTH:!SSLv3) and I’ve tried setting it to something that works with my nginx webserver and prosody (which both also use OpenSSL), i.e. ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-CHACHA20-POLY1305-OLD:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:!aNULL:!eNULL:!EXPORT:!EDH:!CAMELLIA:!3DES:!DES:!MD5:!PSK:!RC4:!RSA;. Nope, doesn’t work.
Maybe ngircd isn’t enabling TLSv1.2 properly? It should be from the looks of it, but I don’t know OpenSSL well enough.
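One way to check the CipherList question raised above without a server: expand a cipher string with the local OpenSSL library and list the suites that can authenticate with an ECDSA certificate. This is an added example, not code from ngircd or from anyone in this thread; the function names are hypothetical, and the result reflects the OpenSSL that Python is linked against, which may differ from the one ngircd was built with.

```python
import ssl

# Default CipherList value quoted in the thread above.
NGIRCD_DEFAULT = "HIGH:!aNULL:@STRENGTH:!SSLv3"


def expand(cipher_list):
    """Expand an OpenSSL cipher string using the local OpenSSL library."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return []  # the string selects no usable cipher at all
    return ctx.get_ciphers()


def ecdsa_suites(cipher_list):
    """(name, key exchange) of every suite that authenticates with ECDSA.

    TLS 1.3 suites report 'auth-any' and are not tied to a certificate
    type, so only TLS <= 1.2 suites show up here.
    """
    return [(c["name"], c.get("kea"))
            for c in expand(cipher_list)
            if c.get("auth") == "auth-ecdsa"]


def report(cipher_list):
    """Print whether the cipher string leaves room for an EC certificate."""
    suites = ecdsa_suites(cipher_list)
    if not suites:
        print("%r: no ECDSA-capable suite below TLS 1.3" % cipher_list)
    for name, kea in suites:
        print("%-34s %s" % (name, kea))
    return bool(suites)


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    report(NGIRCD_DEFAULT)
    # Constructed counter-example: an RSA-only list cannot serve an EC cert.
    report("ECDHE-RSA-AES256-GCM-SHA384")
```

If the default string already expands to ECDHE-ECDSA suites, as it does on current OpenSSL builds, the CipherList value alone does not account for a "no shared cipher" failure.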
Ah, sorry, I overlooked that you already mentioned that option …
What IRC client are you using? I get the same error when connecting using irssi, but I'm unable to reproduce using openssl s_client.
I am also unable to reproduce this bug with ircii. That being said, this also isn't just a bug in irssi, as irssi has no trouble connecting to other IRC servers with similar certificates, so there's a combination of something happening in irssi + something happening in ngircd.