[dev.icinga.com #13453] EC/ECDSA elliptic curve not usable on Debian jessie #4844
Comments
Updated by mfrosch on 2016-12-07 10:28:00 +00:00
Updated by mfrosch on 2016-12-07 10:30:51 +00:00

My example uses ECDHE, which allows RSA public keys and generates an elliptic curve on connection: https://security.stackexchange.com/questions/73880/why-does-my-openssl-connection-fail-with-elliptic-curve-cipher-ecdh-rsa-aes128-s/73882#73882
Updated by kobmaki on 2016-12-11 18:18:29 +00:00

Problem of connection

Your first cipher list outputs an empty cipher list. In this case, it is correct from the ApiListener, as neither the default DH parameter nor the ECDH parameter is active or usable.

Background info

Now some background info.

Ciphers with sslscan

An sslscan.static (newer version, self-compiled as static, Version: 1.11.8-rbsec-2-g13a8cfa-static) shows the following output:

No supported ciphers.

Create a server.pem for openssl test

Test with openssl, prepare the pem-file (server.pem):

Now you have a server.pem file.

Test the ciphers with openssl s_server on port 8443

gives the following output:

As shown by the openssl dummy listener, the default "temp DH" and "temp ECDH" parameters are used. Now the sslscan.static on the openssl s_server on port 8443

All ciphers require ECDH for key exchange (Kx=ECDH). The command openssl ciphers -V 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256' gives the following output:

That is the reason why the EndPoints could not establish a connection to the ApiListener.

Docu links

Some links:
Updated by mfrosch on 2016-12-12 13:02:16 +00:00
Updated by mfrosch on 2016-12-12 13:04:32 +00:00

@kobmaki Thanks for the doc pointers and explanation, never had to deal with EC in detail before.

Closed via #5555
This issue has been migrated from Redmine: https://dev.icinga.com/issues/13453
Created by mfrosch on 2016-12-07 10:25:50 +00:00
Assignee: (none)
Status: New
Target Version: (none)
Last Update: 2016-12-12 13:04:31 +00:00 (in Redmine)
Tested the cipher_list feature on a Debian 8.
When you set a cipher list like this:
the Icinga 2 instances can't connect to each other:
Apache httpd on the same system uses ECDSA with my browser.
When I use an intermediate list like the following, the first non-EC cipher gets used.
From Wireshark:
Relations:
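The two situations in this thread (kobmaki's "empty cipher list" when every cipher needs Kx=ECDH and no ECDH parameter is configured, and the report above where an intermediate list falls back to the first non-EC cipher) can be checked mechanically from the output of openssl ciphers -V. The following is an added example, not code from the Icinga 2 project: it parses that output format into the Kx/Au/Enc/Mac fields and reports which key-exchange methods a list depends on. The two sample outputs are constructed in the format openssl prints (they are not captured from the reporter's system), and the openssl_ciphers_v helper that runs the real CLI is only needed if you want to feed it a live list.

```python
"""Added example (not Icinga 2 project code): parse `openssl ciphers -V <list>`
output and report which key-exchange methods a cipher list depends on.
A list whose ciphers all use Kx=ECDH cannot be negotiated by a server that has
no ECDH (EC group) parameters configured; a mixed list falls back to the first
cipher whose key exchange the server can actually perform."""
import re
import subprocess
from collections import Counter

# One line of `openssl ciphers -V` output looks like (column spacing varies):
#   0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
CIPHER_LINE = re.compile(
    r"0x(?P<hi>[0-9A-Fa-f]{2}),0x(?P<lo>[0-9A-Fa-f]{2})\s+-\s+"
    r"(?P<name>\S+)\s+(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

# Constructed sample (modelled on the openssl output format, not captured from
# the reporter's box): the four ECDHE-RSA ciphers quoted in the thread.
SAMPLE_EC_ONLY = """\
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
          0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
"""

# Constructed "intermediate" list: two ECDHE ciphers, one DHE cipher and one
# cipher with plain RSA key exchange.
SAMPLE_MIXED = """\
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
          0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
          0x00,0x9D - AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
"""


def parse_ciphers_v(text):
    """Parse `openssl ciphers -V` output into dicts, preserving list order
    (which is the preference order). Lines that do not match are skipped."""
    ciphers = []
    for line in text.splitlines():
        m = CIPHER_LINE.search(line)
        if m is None:
            continue
        c = m.groupdict()
        c["id"] = int(c.pop("hi") + c.pop("lo"), 16)  # e.g. 0xC030
        ciphers.append(c)
    return ciphers


def kx_summary(ciphers):
    """Count ciphers per key-exchange method (the Kx= field)."""
    return Counter(c["kx"] for c in ciphers)


def usable_ciphers(ciphers, missing_kx=frozenset({"ECDH", "DH"})):
    """Ciphers a server can still negotiate when it has no parameters for the
    key-exchange methods in `missing_kx`. With neither DH nor ECDH parameters
    configured, only plain RSA key exchange remains; the first entry is the
    one a server honouring its own order would pick."""
    return [c for c in ciphers if c["kx"] not in missing_kx]


def needs_ecdh_params(ciphers):
    """True when every cipher requires ECDH key exchange, i.e. a server with
    no configured EC group is left with an empty usable cipher list."""
    return bool(ciphers) and all(c["kx"] == "ECDH" for c in ciphers)


def openssl_ciphers_v(cipher_list):
    """Run the real `openssl ciphers -V` on a cipher list (needs the openssl
    CLI on PATH; the constructed samples above do not use it)."""
    out = subprocess.run(["openssl", "ciphers", "-V", cipher_list],
                         capture_output=True, text=True, check=True)
    return parse_ciphers_v(out.stdout)


if __name__ == "__main__":
    for label, text in (("EC-only list", SAMPLE_EC_ONLY), ("mixed list", SAMPLE_MIXED)):
        cs = parse_ciphers_v(text)
        print(f"{label}: {dict(kx_summary(cs))}; needs ECDH params: {needs_ecdh_params(cs)}")
        left = [c["name"] for c in usable_ciphers(cs)]
        print("  usable without DH/ECDH params:", left or "none")
```

For the EC-only list the usable set is empty, which matches the empty cipher list kobmaki describes; for the mixed list only AES256-GCM-SHA384 survives when both DH and ECDH parameters are absent, which is the "first non-EC cipher gets used" behaviour from the report.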