View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0005104 | unreal | ircd | public | 2018-06-16 08:04 | 2018-06-21 08:02 |
Field | Value |
---|---|
Reporter | syzop |
Assigned To | syzop |
Priority | normal |
Severity | major |
Reproducibility | always |
Status | resolved |
Resolution | fixed |
Product Version | 4.0.18 |
Target Version | 4.0.18 |
Fixed in Version | 4.0.18 |
Summary | 0005104: Cannot connect to SSL port: No shared ciphers |
Description | With the strict configuration, where only TLSv1.2+ is allowed and ECDHE is required, clients cannot connect if the server is Ubuntu 16.04. Example: irc2.unrealircd.org |
Tags | No tags attached. |
3rd party modules | |
It seems something goes wrong with the ECDH curves (so this also applies to default configurations: they would miss out on ECDHE but can still connect).

```
syzop@irc2:~/unrealircd$ openssl version
OpenSSL 1.0.2g  1 Mar 2016
```

```
Breakpoint 1, init_ctx (ssloptions=0x5555559609a0, server=1) at ssl.c:387
387         if (ssloptions->ecdh_curves)
(gdb) p ssloptions->ecdh_curves
$1 = 0x555555960bb0 "secp521r1:secp384r1:prime256v1"
(gdb) n
390         if (!SSL_CTX_set1_curves_list(ctx, ssloptions->ecdh_curves))
(gdb) n
430         SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE|SSL_OP_SINGLE_DH_USE);
(gdb)
```

So this is in:

```c
#ifdef HAS_SSL_CTX_SET1_CURVES_LIST
	if (!SSL_CTX_set1_curves_list(ctx, ssloptions->ecdh_curves))
	{
		config_warn("Failed to apply ecdh-curves '%s'. "
		            "To get a list of supported curves with the "
		            "appropriate names, run "
		            "'openssl ecparam -list_curves' on the server. "
		            "Separate multiple curves by colon, "
		            "for example: ecdh-curves \"secp521r1:secp384r1\".",
		            ssloptions->ecdh_curves);
		config_report_ssl_error();
		goto fail;
	}
[..]
```

I wonder if SSL_CTX_set1_curves_list(ctx, ssloptions->ecdh_curves) returns no error message (yes, this is the case, no error) but it will still fail miserably when the client connects. That would mean we cannot trust the return value and the code would need an update. Let's test :)
```
Breakpoint 1, init_ctx (ssloptions=0x5555559609a0, server=1) at ssl.c:387
387         if (ssloptions->ecdh_curves)
(gdb) n
391         if (!SSL_CTX_set1_curves_list(ctx, "thisisgarbage"))
(gdb)
393             config_warn("Failed to apply ecdh-curves '%s'. "
(gdb)
[warning] Failed to apply ecdh-curves 'secp521r1:secp384r1:prime256v1'. To get a list of supported curves with the appropriate names, run 'openssl ecparam -list_curves' on the server. Separate multiple curves by colon, for example: ecdh-curves "secp521r1:secp384r1".
400             config_report_ssl_error();
```

Ok, wasn't that easy :)
I tried all 3 with just one cipher: secp521r1, secp384r1, prime256v1. All cause failure to connect.
Ah ok, I got it... 1.0.x still needs the SSL_CTX_set_ecdh_auto() even if you use SSL_CTX_set1_curves_list(). That's understandable.. I'll adjust the code. |
Fixed in 4.0.18-rc2 |
Date Modified | Username | Field | Change |
---|---|---|---|
2018-06-16 08:04 | syzop | New Issue | |
2018-06-16 08:04 | syzop | Status | new => assigned |
2018-06-16 08:04 | syzop | Assigned To | => syzop |
2018-06-16 08:06 | syzop | Note Added: 0020158 | |
2018-06-16 08:07 | syzop | Note Added: 0020159 | |
2018-06-16 08:09 | syzop | Note Added: 0020160 | |
2018-06-16 08:16 | syzop | Note Added: 0020161 | |
2018-06-21 08:02 | syzop | Status | assigned => resolved |
2018-06-21 08:02 | syzop | Resolution | open => fixed |
2018-06-21 08:02 | syzop | Fixed in Version | => 4.0.18 |
2018-06-21 08:02 | syzop | Note Added: 0020173 | |