[dev.icinga.com #13453] EC/ECDSA elliptic curve not usable on Debian jessie

[icinga-migration]

This issue has been migrated from Redmine: https://dev.icinga.com/issues/13453

Created by mfrosch on 2016-12-07 10:25:50 +00:00

Assignee: (none)
Status: New
Target Version: (none)
Last Update: 2016-12-12 13:04:31 +00:00 (in Redmine)

Icinga Version: 2.6.0-dev
Backport?: Not yet backported
Include in Changelog: 1

---

Tested the cipher_list feature on a Debian 8.

When you set a cipher list like this:

cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"

Icinga 2 can't connect to each other:

2016-12-07 10:22:14 +0000] warning/TlsStream: OpenSSL error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
[2016-12-07 10:22:14 +0000] critical/ApiListener: Client TLS handshake failed (from [192.168.33.12]:59739)

Apache httpd on the same system uses ECDSA with my browser.

When I use an intermediate list like follows, the first non-EC cipher gets used.

cipher_list = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"

From Wireshark:

Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

---

Relations:

• relates #13453

[icinga-migration]

Updated by mfrosch on 2016-12-07 10:28:00 +00:00

• Subject changed from EC/ECDSA eliptic curve not usable on a Debian jessie to EC/ECDSA elliptic curve not usable on a Debian jessie

[icinga-migration]

Updated by mfrosch on 2016-12-07 10:30:51 +00:00

My example uses ECDHE, which allows RSA public keys and generates a elliptic curve on connection: https://security.stackexchange.com/questions/73880/why-does-my-openssl-connection-fail-with-elliptic-curve-cipher-ecdh-rsa-aes128-s/73882#73882

[icinga-migration]

Updated by kobmaki on 2016-12-11 18:18:29 +00:00

Problem of connection

Your first cipher list outputs an empty cipher list. In this case, it is correct from the ApiListener as
the key exchange parameter ecdh is not set, and actually it is not possible to set with the ApiListener configuration.

Neither the default dh-parameter nor the ecdh-parameter is active or usable.

Background infos

Now some background infos.

Ciphers with sslscan

An sslscan.static (newer version, self compiled as static, Version: 1.11.8-rbsec-2-g13a8cfa-static) shows the following output:

monmaki@kob-deb:~$ sslscan.static deb-icinga-test:5665
Version: 1.11.8-rbsec-2-g13a8cfa-static
OpenSSL 1.0.2i-dev  xx XXX xxxx

Testing SSL server deb-icinga-test on port 5665

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
monmaki@kob-deb:~$ 

No supported ciphers.

Create a server.pem for openssl test

Test with openssl, prepare the pem-file (server.pem):

cd /etc/icinga2/pki
cp -a `icinga2  variable get NodeName`.key /tmp/server.pem
cat `icinga2  variable get NodeName`.crt >> /tmp/server.pem
cd /tmp

Now you have a server.pem file

root@deb-icinga-test:/tmp# ls -l server.pem 
-rw------- 1 nagios nagios 4959 Dec 11 17:30 server.pem
root@deb-icinga-test:/tmp# 

Test the ciphers with openssl s_server on port 8443

root@deb-icinga-test:/tmp#
openssl s_server -serverpref -accept 8443 -www -cipher "ECDHE-ECDSA-AES256-GCM-SHA384\
:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305\
:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256\
:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384\
:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256\
:ECDHE-RSA-AES128-SHA256" 

give the following output:

Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

As shown by the openssl dummy listener, the default "temp DH" and "temp ECDH" parameter is used.

Now the sslscan.static on the openssl s_server on port 8443

monmaki@kob-deb:~$ sslscan.static deb-icinga-test:8443
Version: 1.11.8-rbsec-2-g13a8cfa-static
OpenSSL 1.0.2i-dev  xx XXX xxxx

Testing SSL server deb-icinga-test on port 8443

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Session renegotiation not supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed

  Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256

  SSL Certificate:
Signature Algorithm: sha256WithRSAEncryption
RSA Key Strength:    4096

Subject:  deb-icinga-test.koboldmaki
Issuer:   Icinga CA

Not valid before: Jan 29 21:43:48 2016 GMT
Not valid after:  Jan 25 21:43:48 2031 GMT
monmaki@kob-deb:~

All ciphers require a ecdh for keyexchange (Kx=ECDH)

The command:

openssl ciphers -V 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256'

give the following output:

          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
          0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256

That is the reason, why the EndPoints could not establish a connection to the ApiListener.

Docu links

Some links:

• https://en.wikibooks.org/wiki/OpenSSL/Diffie-Hellman\_parameters
• https://www.openssl.org/docs/man1.0.2/ssl/SSL\_set\_ecdh\_auto.html

[icinga-migration]

Updated by mfrosch on 2016-12-12 13:02:16 +00:00

• Relates set to 13521

[icinga-migration]

Updated by mfrosch on 2016-12-12 13:04:32 +00:00

@kobmaki Thanks for the doc pointers and explanation, never had to deal with EC in detail before.

[Crunsher]

Closed via #5555