[erlang-questions] How to use ecdh self-signed cert files in R19.2 ssl app

赵 汉 <>
Mon Feb 27 14:13:39 CET 2017


Hi!

After so many searches in vain, I can't find an actual example through Google, and I failed again and again with many procedures.

Only a self-signed set of cert files generated with something like "…. -nodes rsa:1024 …." can be used in OTP's ssl for node-to-node communication.



Below are the failed ones.

Procedure 1 succeeded, but the result failed to work in OTP's ssl.

With aes256-encrypted key generation.

First, generate the key, CSR and CRT for the root CA, something like below:



# root CA key, AES-256 encrypted (openssl prompts for a passphrase)
openssl genrsa -aes256 -out private/cakey.pem 1024

openssl req -new -key private/cakey.pem -out private/ca.csr -subj \
"/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"

openssl req -x509 -days 365 -sha1 -extensions v3_ca -signkey \
private/cakey.pem -in private/ca.csr -out certs/ca.cer

sign the server side

openssl genrsa -aes256 -out private/server-key.pem 1024

# same subject DN as the CA above; a leaf whose subject equals its issuer can be
# mistaken for a self-signed cert during chain building, so a distinct CN is safer
openssl req -new -key private/server-key.pem -out private/server.csr -subj \
"/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"

# note: "openssl req" only accepts -CA/-CAkey from OpenSSL 3.0 on; on older
# releases a CSR is signed with "openssl x509 -req ... -CA ... -CAkey ..."
openssl req -x509 -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem \
-CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer



Procedure 2 succeeded, but the result failed to work in OTP's ssl.

OpenSSL config file, something like this (may not be exactly what I used):

openssl.cnf

[ ca ]
default_ca = CA_own

[ CA_own ]
certs = .
new_certs_dir = ./db/certs
database = ./db/index
serial = ./db/serial
RANDFILE = ./db/rand
certificate = ./ca.cert.pem
private_key = ./ca.key.pem
default_days = 7300
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
# note: this applies v3_ca (CA:true) to every cert "openssl ca" signs; node
# (leaf) certs want a CA:FALSE section such as v3_req below instead
extensions = v3_ca

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = New York
organizationName = Organization Name (eg, company)
organizationName_default = Microsoft Corp.
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
unstructuredName_default = Microsoft

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always, issuer
basicConstraints = CA:true

[ v3_req ]
basicConstraints = CA:FALSE
# for an EC key: digitalSignature is what ECDHE-ECDSA needs, static ECDH
# suites need keyAgreement; keyEncipherment has no meaning for EC keys
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = 
DNS.2 = 



First, generate the key, CSR and CRT for the root CA, something like below:

# the config above points at ./ca.key.pem, so the file name must match (case-sensitive)
openssl genrsa -out ca.key.pem 2048

openssl req -x509 -new -nodes -key ca.key.pem -days 365 -out ca.cert.pem

# EC domain parameters; without "-pkeyopt ec_param_enc:named_curve", older
# OpenSSL (1.0.x) writes them as explicit ECParameters rather than a named-curve OID
openssl genpkey -genparam -algorithm EC -out ecdh.pem \
        -pkeyopt ec_paramgen_curve:brainpoolP512r1

# node key and CSR from those parameters
openssl req -nodes -new -newkey ec:ecdh.pem -keyout 1ecdh.key.pem -out 1ecdh.csr.pem

sign

openssl ca -in 1ecdh.csr.pem -out 1ecdh.crt.pem -config $CONF_FILE


and finally I get 8 files for 2 nodes to connect to each other:
ca.cert.pem
ecdh.pem
1ecdh.key.pem
1ecdh.csr.pem
1ecdh.crt.pem
2ecdh.key.pem
2ecdh.csr.pem
2ecdh.crt.pem

Base options from the gen_rpc app:

-define(SSL_DEFAULT_COMMON_OPTS, [binary,
        {packet,0},
        {header,0},
        {exit_on_close,true},
        {nodelay,true}, % Send our requests immediately
        {send_timeout_close,true}, % When the socket times out, close the connection
        {delay_send,false}, % Scheduler should favor timely delivery
        {linger,{true,2}}, % Allow the socket to flush outgoing data for 2" before closing it - useful for casts
        {reuseaddr,true}, % Reuse local port numbers
        {keepalive,true}, % Keep our channel open
        {tos,72}, % Deliver immediately
        {active,false},
        %% SSL options
        {ciphers,["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
                  "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384","ECDHE-ECDSA-DES-CBC3-SHA",
                  "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
                  "ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
                  "AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
                  "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
                  "ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
                  "ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
                  "AES128-SHA256","ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
                  "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
                  "ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"]},
        {secure_renegotiate,true},
        {reuse_sessions,true},
        {versions,['tlsv1.2','tlsv1.1']},
        {verify,verify_peer},
        {hibernate_after,600000},
        {active,false}]).

-define(SSL_DEFAULT_SERVER_OPTS, [{fail_if_no_peer_cert,true},
        {log_alert,false},
        {honor_cipher_order,true},
        {client_renegotiation,true}]).

-define(SSL_DEFAULT_CLIENT_OPTS, [{server_name_indication,disable},
        {depth,99}]).


And extra options:

ssl_client_options: [
    certfile: certfile,
    keyfile: keyfile,
    cacertfile: './priv/ssl/ca.cert.pem',
    eccs: [:brainpoolP512r1]
],
ssl_server_options: [
    certfile: certfile,
    keyfile: keyfile,
    cacertfile: './priv/ssl/ca.cert.pem',
    eccs: [:brainpoolP512r1]
],


The two nodes are both on one CentOS system.
And when I try ssl:connect/4, I get the error below:

tls_connection.erl:704:Fatal error: handshake failure - malformed_handshake_data

{tls_alert,"handshake failure"}

And when I try openssl s_client, I get the error below:

openssl s_client -connect 192.168.212.173:5370 -cert 2.crt.pem -key 2.key.pem -CAfile ca.cert.pem -cipher ECDH-RSA-AES256-GCM-SHA384 -debug

CONNECTED(00000003)
depth=1 C = CN, ST = cq, L = cq, O = s, OU = p, CN = botanyzh, emailAddress = 
verify return:1
depth=0 C = US, ST = Uniden, L = 00abcdef1234, O = sprt, OU = potato, CN = , emailAddress = 
verify return:1
140467656820416:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140467656820416:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:

With the extra "-debug":

write to 0x159aa30 [0x15acb00] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=32


Please help me.

About ssl's source: the ECDH cert seems not to be usable for OTP's ssl.
When I debugged, I found that the call from ssl_connection:handle_peer_cert_key/5 to public_key:generate_key/1 can never match.

public_key's interface is:

generate_key(#'DHParameter'{prime = P, base = G}) ->
    crypto:generate_key(dh, [P, G]);
generate_key({namedCurve, _} = Params) ->
    ec_generate_key(Params);
generate_key(#'ECParameters'{} = Params) ->
    ec_generate_key(Params).

but the argument it is called with is {ecParameters, #'ECParameters'{} = Params}.



Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
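As an added example, not from the original post, gen_rpc or OTP's own code: a POSIX shell script that generates a root CA plus an EC node certificate whose SubjectPublicKeyInfo carries a named-curve OID (the encoding that public_key decodes as {namedCurve, OID}, as opposed to explicit ECParameters), and two checks on the result: that the cert really uses a named curve and that it chains to the CA. Assumed, not from the post: prime256v1 as the curve (whether OTP 19.2 accepts brainpoolP512r1 is not checked here), a scratch directory, the node name "node1", the CA CN, SHA-256, 365-day validity, and the leaf extension list in the heredoc.

```shell
#!/bin/sh
# Added example (not from the original post, gen_rpc or OTP): generate a CA and
# an EC node certificate with named-curve parameter encoding, then check it.
# Assumptions: prime256v1, scratch directory, subject names, 365-day validity.
set -eu

gen_ec_node_cert() {
    # $1 = output directory (created), $2 = curve name, $3 = node name (CN and SAN)
    dir=$1; curve=$2; node=$3
    mkdir -p "$dir"

    # Root CA: RSA key without passphrase (-nodes), self-signed cert.
    openssl genrsa -out "$dir/ca.key.pem" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/ca.key.pem" -sha256 -days 365 \
        -subj "/CN=example-lab-ca" -out "$dir/ca.cert.pem"

    # EC domain parameters. ec_param_enc:named_curve (given after the curve, which
    # older OpenSSL requires) makes the key carry the curve OID instead of the
    # explicit ECParameters encoding that OTP's ssl does not handle.
    openssl genpkey -genparam -algorithm EC -out "$dir/ec.params.pem" \
        -pkeyopt "ec_paramgen_curve:$curve" -pkeyopt ec_param_enc:named_curve

    # Node key and CSR generated from those parameters.
    openssl req -new -nodes -newkey "ec:$dir/ec.params.pem" \
        -keyout "$dir/$node.key.pem" -subj "/CN=$node" -out "$dir/$node.csr.pem"

    # Leaf extensions: CA:FALSE, digitalSignature for ECDHE-ECDSA, both EKUs since
    # a gen_rpc node is client and server, SAN naming the node.
    cat > "$dir/$node.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:$node
EOF

    # Sign with the CA; "openssl x509 -req" works on OpenSSL 1.0.x, 1.1.x and 3.x.
    openssl x509 -req -in "$dir/$node.csr.pem" -CA "$dir/ca.cert.pem" \
        -CAkey "$dir/ca.key.pem" -CAcreateserial -sha256 -days 365 \
        -extfile "$dir/$node.ext" -out "$dir/$node.crt.pem"
}

# Returns 0 if the cert's EC public key parameters are a named curve, 1 otherwise.
# The text dump prints "ASN1 OID: <curve>" only for named-curve encoding; explicit
# parameters print "Field Type: prime-field" and friends with no OID line, and an
# RSA key prints no such line either.
cert_uses_named_curve() {
    openssl x509 -in "$1" -noout -text | grep -q 'ASN1 OID:'
}

# Returns 0 if the leaf ($2) chains to the CA cert ($1).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Stand-alone run: build one node cert under ./lab and report both checks.
if [ "${1:-}" = "run" ]; then
    gen_ec_node_cert ./lab prime256v1 node1
    cert_uses_named_curve ./lab/node1.crt.pem && echo "node1: named curve OK"
    cert_chains_to_ca ./lab/ca.cert.pem ./lab/node1.crt.pem && echo "node1: chains to CA"
fi
```

The resulting node1.key.pem, node1.crt.pem and ca.cert.pem map onto keyfile, certfile and cacertfile in the options above; a second node is the same call with another node name. If cert_uses_named_curve fails on a cert produced some other way, that cert is the explicit-parameters case the post describes.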
