View Issue Details

ID: 0005104
Project: unrealircd
Category:
View Status: public
Last Update: 2018-06-21 08:02
Reporter: syzop
Assigned To: syzop
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.0.18
Target Version: 4.0.18
Fixed in Version: 4.0.18
Summary: 0005104: Cannot connect to SSL port: No shared ciphers

Description: With the strict configuration, where only TLSv1.2+ is allowed and ECDHE is required, clients cannot connect if the server is Ubuntu 16.04.
Example: irc2.unrealircd.org

Tags: No tags attached.
3rd party modules:

Activities

syzop (administrator), 2018-06-16 08:06, note ~0020158

It seems something goes wrong with the ECDH curves (so this also applies to default configurations: they would miss out on ECDHE, but can still connect).

syzop@irc2:~/unrealircd$ openssl version
OpenSSL 1.0.2g 1 Mar 2016

Breakpoint 1, init_ctx (ssloptions=0x5555559609a0, server=1) at ssl.c:387
387 if (ssloptions->ecdh_curves)
(gdb) p ssloptions->ecdh_curves
$1 = 0x555555960bb0 "secp521r1:secp384r1:prime256v1"
(gdb) n
390 if (!SSL_CTX_set1_curves_list(ctx, ssloptions->ecdh_curves))
(gdb) n
430 SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE|SSL_OP_SINGLE_DH_USE);
(gdb)

So this is in:
#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
                        if (!SSL_CTX_set1_curves_list(ctx, ssloptions->ecdh_curves))
                        {
                                config_warn("Failed to apply ecdh-curves '%s'. "
                                            "To get a list of supported curves with the "
                                            "appropriate names, run "
                                            "'openssl ecparam -list_curves' on the server. "
                                            "Separate multiple curves by colon, "
                                            "for example: ecdh-curves \"secp521r1:secp384r1\".",
                                            ssloptions->ecdh_curves);
                                config_report_ssl_error();
                                goto fail;
                        }
[..]


I wonder if SSL_CTX_set1_curves_list(ctx, ssloptions->ecdh_curves) returns no error (yes, this is the case: no error) but still fails miserably when the client connects. That would mean we cannot trust the return value, and the code would need an update.
Let's test :)

syzop (administrator), 2018-06-16 08:07, note ~0020159

Breakpoint 1, init_ctx (ssloptions=0x5555559609a0, server=1) at ssl.c:387
387 if (ssloptions->ecdh_curves)
(gdb) n
391 if (!SSL_CTX_set1_curves_list(ctx, "thisisgarbage"))
(gdb)
393 config_warn("Failed to apply ecdh-curves '%s'. "
(gdb)
[warning] Failed to apply ecdh-curves 'secp521r1:secp384r1:prime256v1'. To get a list of supported curves with the appropriate names, run 'openssl ecparam -list_curves' on the server. Separate multiple curves by colon, for example: ecdh-curves "secp521r1:secp384r1".
400 config_report_ssl_error();

Ok, wasn't that easy :)

syzop (administrator), 2018-06-16 08:09, note ~0020160

I tried all 3 with just one cipher:
secp521r1
secp384r1
prime256v1
All cause failure to connect.

syzop (administrator), 2018-06-16 08:16, note ~0020161

Ah ok, I got it... 1.0.x still needs the SSL_CTX_set_ecdh_auto() even if you use SSL_CTX_set1_curves_list(). That's understandable. I'll adjust the code.
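
The server-side fix is the one stated in the note above (call SSL_CTX_set_ecdh_auto() as well as SSL_CTX_set1_curves_list() when building against OpenSSL 1.0.x). Because SSL_CTX_set1_curves_list() reports success even when ECDHE will later fail, the only reliable check is an external handshake. The script below is an added example for that check; it is not UnrealIRCd code and not part of this bug report. It drives `openssl s_client` the way the strict configuration does (TLSv1.2, ECDHE suites only) and classifies the result from the "New, ..., Cipher is ..." and "Server Temp Key:" lines that s_client 1.0.2 through 3.x print. The transcripts embedded in it are constructed, not captured from irc2.unrealircd.org, and the host:port argument is a placeholder.

```shell
#!/bin/sh
# probe_ecdhe.sh: check from the outside whether a TLS server really
# completes an ECDHE key exchange. Added example, not UnrealIRCd code.

# classify_handshake: read `openssl s_client` output on stdin and print
#   ECDHE (...)     handshake done, ephemeral ECDH negotiated
#   DHE (...)       handshake done, ephemeral finite-field DH negotiated
#   NO_ECDHE (...)  handshake done, but with static key exchange (no temp key)
#   FAILED          no cipher negotiated; this is what the server's
#                   "no shared cipher" error looks like from the client side
classify_handshake() {
    out=$(cat)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^New, .*, Cipher is //p' | head -n 1)
    tmpkey=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: //p' | head -n 1)

    case "$cipher" in
        ""|"(NONE)") printf 'FAILED\n'; return 1 ;;
    esac
    # Newer s_client prints the ephemeral key type; trust it when present.
    case "$tmpkey" in
        ECDH,*|X25519,*|X448,*) printf 'ECDHE (%s)\n' "$tmpkey"; return 0 ;;
        DH,*)                   printf 'DHE (%s)\n' "$tmpkey";   return 0 ;;
    esac
    # Older builds omit that line; fall back to the TLS 1.2 suite name.
    case "$cipher" in
        ECDHE-*) printf 'ECDHE (%s)\n' "$cipher"; return 0 ;;
        DHE-*)   printf 'DHE (%s)\n' "$cipher";   return 0 ;;
    esac
    printf 'NO_ECDHE (%s)\n' "$cipher"; return 2
}

# probe_ecdhe host:port
# -tls1_2 mirrors the strict config (TLSv1.2+); -cipher ECDHE refuses
# anything but ECDHE suites, so a server that silently lost its curves fails
# the handshake instead of quietly falling back to RSA key exchange.
probe_ecdhe() {
    openssl s_client -connect "$1" -servername "${1%%:*}" -tls1_2 -cipher 'ECDHE' \
        </dev/null 2>&1 | classify_handshake
}

# Constructed (abridged) s_client transcripts for the three outcomes.
SAMPLE_ECDHE='CONNECTED(00000003)
Server public key is 2048 bit
Server Temp Key: ECDH, prime256v1, 256 bits
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Protocol  : TLSv1.2'

SAMPLE_RSA='CONNECTED(00000003)
Server public key is 2048 bit
New, TLSv1.2, Cipher is AES256-SHA
Protocol  : TLSv1.2'

SAMPLE_FAILED='CONNECTED(00000003)
140361067775680:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1543:SSL alert number 40
New, (NONE), Cipher is (NONE)
Protocol  : TLSv1.2'

# Usage: ./probe_ecdhe.sh irc2.unrealircd.org:6697   (host:port is a placeholder)
if [ -n "${1:-}" ]; then
    probe_ecdhe "$1"
fi
```

Run it against the affected server's SSL port; a healthy server prints something like `ECDHE (ECDH, prime256v1, 256 bits)`, while a 1.0.2 build that configured curves without SSL_CTX_set_ecdh_auto() prints `FAILED` (exit status 1), matching the "No shared ciphers" in the summary. Dropping `-cipher 'ECDHE'` shows the default-configuration case from the first note: the handshake succeeds but is classified `NO_ECDHE`, i.e. the server silently fell back to non-ephemeral key exchange.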

syzop (administrator), 2018-06-21 08:02, note ~0020173

Fixed in 4.0.18-rc2

Issue History

Date Modified Username Field Change
2018-06-16 08:04 syzop New Issue
2018-06-16 08:04 syzop Status new => assigned
2018-06-16 08:04 syzop Assigned To => syzop
2018-06-16 08:06 syzop Note Added: 0020158
2018-06-16 08:07 syzop Note Added: 0020159
2018-06-16 08:09 syzop Note Added: 0020160
2018-06-16 08:16 syzop Note Added: 0020161
2018-06-21 08:02 syzop Status assigned => resolved
2018-06-21 08:02 syzop Resolution open => fixed
2018-06-21 08:02 syzop Fixed in Version => 4.0.18
2018-06-21 08:02 syzop Note Added: 0020173