Opened 11 years ago
Closed 11 years ago
#560 closed defect (invalid)
ECDSA server certificate
Reported by: | Eugeny G. | Owned by: | |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | nginx-core | Version: | 1.4.x |
Keywords: | Cc: | ||
uname -a: | Linux fedorax64 3.13.9-200.fc20.x86_64 #1 SMP Fri Apr 4 12:13:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.4.7
built by gcc 4.8.2 20131212 (Red Hat 4.8.2-7) (GCC) TLS SNI support enabled configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http- client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_sp dy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-ht tp_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_ stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-pcre --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexcept ions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat /redhat-hardened-ld -Wl,-E' |
Description
I tested ECDSA certificates with nginx and found it crashes
#0 0x00007fe08432f980 in EC_POINT_cmp () from /lib64/libcrypto.so.10 #1 0x00007fe08433877c in eckey_pub_cmp () from /lib64/libcrypto.so.10 #2 0x00007fe0843937a1 in X509_check_private_key () from /lib64/libcrypto.so.10 #3 0x00007fe0846ab560 in ssl_set_pkey () from /lib64/libssl.so.10 #4 0x00007fe0846ac5e6 in SSL_CTX_use_PrivateKey_file () from /lib64/libssl.so.10 #5 0x00007fe0851eed42 in ngx_ssl_certificate (cf=cf@entry=0x7fffaf0d4960, ssl=ssl@entry=0x7fe085cb9f98, cert=cert@entry=0x7fe085cb9fd8, key=key@entry=0x7fe085cb9fe8) at src/event/ngx_event_openssl.c:326 #6 0x00007fe0852420dd in ngx_http_ssl_merge_srv_conf (cf=0x7fffaf0d4960, parent=0x7fe085c94898, child=0x7fe085cb9f90) at src/http/modules/ngx_http_ssl_module.c:550 #7 0x00007fe0851f4dd4 in ngx_http_merge_servers (cmcf=0x7fe085c93d30, cmcf=0x7fe085c93d30, ctx_index=21, module=0x7fe0854a0900 <ngx_http_ssl_module_ctx>, cf=0x7fffaf0d4960) at src/http/ngx_http.c:584 #8 ngx_http_block (cf=0x7fffaf0d4960, cmd=<optimized out>, conf=<optimized out>) at src/http/ngx_http.c:270 #9 0x00007fe0851dac50 in ngx_conf_handler (last=1, cf=0x7fffaf0d4960) at src/core/ngx_conf_file.c:387 #10 ngx_conf_parse (cf=cf@entry=0x7fffaf0d4960, filename=filename@entry=0x7fe085c924e0) at src/core/ngx_conf_file.c:243 #11 0x00007fe0851d8314 in ngx_init_cycle (old_cycle=old_cycle@entry=0x7fffaf0d4b20) at src/core/ngx_cycle.c:268 #12 0x00007fe0851c99fb in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:333
SSL settings:
server { listen *:443; server_name fms.nginx.local; ssl on; ssl_client_certificate "ssl/ca.crt"; ssl_certificate "ssl/web.crt"; ssl_certificate_key ssl/web.key"; ssl_verify_client on; ... }
Attachments (1)
Change History (2)
by , 11 years ago
comment:1 by , 11 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
Looks like problem in OpenSSL with the certificate you are trying to use (due to Russian chars in DN?), can be easily reproduced with:
openssl s_server -cert web.crt -key web.key
Try reporting this to OpenSSL team instead.
Note:
See TracTickets
for help on using tickets.
testing ecdsa certs