[erlang-questions] How to use ecdh self-signed cert files in R19.2 ssl app
赵 汉
botanyzh@REDACTED
Mon Feb 27 14:13:39 CET 2017
Hi!
After so many searches in vain, I can't find an actual example through Google, and I have failed again and again with many procedures.
Only a self-signed set of cert files made with something like "…. -nodes rsa:1024…." can be used in OTP's ssl node-to-node communication.
Below are the failed ones:
Procedure 1 succeeded but failed to be usable in OTP's ssl
With aes256 encrypted generation
First, generate the Root CA key, csr and crt, something like below:
openssl genrsa -aes256 -out private/cakey.pem 1024
openssl req -new -key private/cakey.pem -out private/ca.csr -subj \
"/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"
openssl req -x509 -days 365 -sha1 -extensions v3_ca -signkey \
private/cakey.pem -in private/ca.csr -out certs/ca.cer
Sign the server side:
openssl genrsa -aes256 -out private/server-key.pem 1024
openssl req -new -key private/server-key.pem -out private/server.csr -subj \
"/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"
openssl req -x509 -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem \
-CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer
Procedure 2 succeeded but failed to be usable in OTP's ssl
OpenSSL config file, something like this (may not actually be):
openssl.cnf
[ ca ]
default_ca = CA_own
[ CA_own ]
certs = .
new_certs_dir = ./db/certs
database = ./db/index
serial = ./db/serial
RANDFILE = ./db/rand
certificate = ./ca.cert.pem
private_key = ./ca.key.pem
default_days = 7300
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
extensions = v3_ca
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = New York0
organizationName = Organization Name (eg, company)
organizationName_default = Microsoft Corp.
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
unstructuredName_default = Microsoft
[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always, issuer
basicConstraints = CA:true
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = rpslc_1@REDACTED
DNS.2 = rpslc_2@REDACTED
First, generate the Root CA key, csr and crt, something like below:
openssl genrsa -out ca.key.pem 2048
openssl req -x509 -new -nodes -key ca.key.pem -days 365 -out ca.cert.pem
openssl genpkey -genparam -algorithm EC -out ecdh.pem \
-pkeyopt ec_paramgen_curve:brainpoolP512r1
openssl req -nodes -new -newkey ec:ecdh.pem -keyout 1ecdh.key.pem -out 1ecdh.csr.pem
Sign:
openssl ca -in 1ecdh.csr.pem -out 1ecdh.crt.pem -config $CONF_FILE
And finally I get 8 files for 2 nodes to connect to each other:
ca.cert.pem
ecdh.pem
1ecdh.key.pem
1ecdh.csr.pem
1ecdh.crt.pem
2ecdh.key.pem
2ecdh.csr.pem
2ecdh.crt.pem
Base options from the gen_rpc app:
-define(SSL_DEFAULT_COMMON_OPTS, [binary,
{packet,0},
{header,0},
{exit_on_close,true},
{nodelay,true}, % Send our requests immediately
{send_timeout_close,true}, % When the socket times out, close the connection
{delay_send,false}, % Scheduler should favor timely delivery
{linger,{true,2}}, % Allow the socket to flush outgoing data for 2" before closing it - useful for casts
{reuseaddr,true}, % Reuse local port numbers
{keepalive,true}, % Keep our channel open
{tos,72}, % Deliver immediately
{active,false},
%% SSL options
{ciphers,["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
"ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384","ECDHE-ECDSA-DES-CBC3-SHA",
"ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
"ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
"AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
"ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
"ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
"ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
"AES128-SHA256","ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
"ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
"ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"]},
{secure_renegotiate,true},
{reuse_sessions,true},
{versions,['tlsv1.2','tlsv1.1']},
{verify,verify_peer},
{hibernate_after,600000},
{active,false}]).
-define(SSL_DEFAULT_SERVER_OPTS, [{fail_if_no_peer_cert,true},
{log_alert,false},
{honor_cipher_order,true},
{client_renegotiation,true}]).
-define(SSL_DEFAULT_CLIENT_OPTS, [{server_name_indication,disable},
{depth,99}]).
And extra options:
ssl_client_options: [
certfile: certfile,
keyfile: keyfile,
cacertfile: './priv/ssl/ca.cert.pem',
eccs: [:brainpoolP512r1]
],
ssl_server_options: [
certfile: certfile,
keyfile: keyfile,
cacertfile: './priv/ssl/ca.cert.pem',
eccs: [:brainpoolP512r1]
],
The two nodes are both on one CentOS system.
And when I try ssl:connect/4, I get the error below:
“ tls_connection.erl:704:Fatal error: handshake failure - malformed_handshake_data”;
{tls_alert,"handshake failure"};
And when I try openssl s_client, I get the error below:
openssl s_client -connect 192.168.212.173:5370 -cert 2.crt.pem -key 2.key.pem -CAfile ca.cert.pem -cipher ECDH-RSA-AES256-GCM-SHA384 -debug
CONNECTED(00000003)
depth=1 C = CN, ST = cq, L = cq, O = s, OU = p, CN = botanyzh, emailAddress = botanyzh@REDACTED
verify return:1
depth=0 C = US, ST = Uniden, L = 00abcdef1234, O = sprt, OU = potato, CN = rpslc_1@REDACTED, emailAddress = botanyzh@REDACTED
verify return:1
140467656820416:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140467656820416:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
With the extra "-debug":
write to 0x159aa30 [0x15acb00] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=32
Please help me.
About the ssl source:
The ecdh cert seems not to be usable for OTP's ssl.
When I debugged, I found that the ssl_connection:handle_peer_cert_key/5 call to public_key:generate_key/1 can never match.
The public_key interface is:
generate_key(#'DHParameter'{prime = P, base = G}) ->
crypto:generate_key(dh, [P, G]);
generate_key({namedCurve, _} = Params) ->
ec_generate_key(Params);
generate_key(#'ECParameters'{} = Params) ->
ec_generate_key(Params).
but the argument it is called with is {ecParameters, #'ECParameters'{} = Params}
Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows 10
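
Added example (not part of the original message): the {ecParameters, ...} value reported above is the explicit-parameters form of an EC key's curve, while {namedCurve, Oid} is the named-curve form, and the script below reports which form a key or certificate file uses. The function names are hypothetical and the two asn1parse samples are constructed (the lengths in the explicit one are illustrative).

```shell
#!/bin/sh
# Classify `openssl asn1parse` text of a SubjectPublicKeyInfo (stdin) by the
# element that follows the id-ecPublicKey OID.
spki_param_encoding() {
    awk '
        seen && !hit {
            hit = 1
            if ($0 ~ /prim: OBJECT/) {            # curve given as an OID
                sub(/^.*OBJECT[ ]*:/, "")
                print "named_curve:" $0
            } else if ($0 ~ /cons: SEQUENCE/) {   # full ECParameters structure
                print "explicit"
            } else {
                print "unknown"
            }
        }
        /:id-ecPublicKey[ \t\r]*$/ { seen = 1 }
        END { if (!seen) print "not_ec"; else if (!hit) print "unknown" }
    '
}

# Same check on a PEM private key or certificate file ($1).
pem_param_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        openssl x509 -in "$1" -noout -pubkey
    else
        openssl pkey -in "$1" -pubout
    fi | openssl asn1parse | spki_param_encoding
}

# Generate an EC key ($1 = output file, $2 = curve) whose curve is written as
# a named-curve OID regardless of the OpenSSL version's default encoding.
gen_named_curve_key() {
    openssl genpkey -algorithm EC \
        -pkeyopt "ec_paramgen_curve:${2:-brainpoolP512r1}" \
        -pkeyopt ec_param_enc:named_curve -out "$1"
}

# Constructed samples of asn1parse output for the two encodings.
SAMPLE_NAMED='    0:d=0  hl=3 l= 155 cons: SEQUENCE
    3:d=1  hl=2 l=  20 cons: SEQUENCE
    5:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
   14:d=2  hl=2 l=   9 prim: OBJECT            :brainpoolP512r1
   25:d=1  hl=3 l= 130 prim: BIT STRING'
SAMPLE_EXPLICIT='    0:d=0  hl=4 l= 500 cons: SEQUENCE
    4:d=1  hl=4 l= 364 cons: SEQUENCE
    8:d=2  hl=2 l=   7 prim: OBJECT            :id-ecPublicKey
   17:d=2  hl=4 l= 351 cons: SEQUENCE
   21:d=3  hl=2 l=   1 prim: INTEGER           :01'
```

Running pem_param_encoding on each node's key and crt file shows whether the curve was stored as an OID or as explicit parameters before the files are handed to the ssl application.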