Opened 10 years ago

Closed 10 years ago

#560 closed defect (invalid)

ECDSA server certificate

Reported by: Eugeny G. Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.4.x
Keywords: Cc:
uname -a: Linux fedorax64 3.13.9-200.fc20.x86_64 #1 SMP Fri Apr 4 12:13:05 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.4.7
built by gcc 4.8.2 20131212 (Red Hat 4.8.2-7) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/run/nginx.pid --lock-path=/run/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-pcre --with-google_perftools_module --with-debug --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -m64 -mtune=generic' --with-ld-opt='-Wl,-z,relro -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -Wl,-E'

Description

I tested ECDSA certificates with nginx and found that it crashes:

#0  0x00007fe08432f980 in EC_POINT_cmp () from /lib64/libcrypto.so.10
#1  0x00007fe08433877c in eckey_pub_cmp () from /lib64/libcrypto.so.10
#2  0x00007fe0843937a1 in X509_check_private_key () from /lib64/libcrypto.so.10
#3  0x00007fe0846ab560 in ssl_set_pkey () from /lib64/libssl.so.10
#4  0x00007fe0846ac5e6 in SSL_CTX_use_PrivateKey_file () from /lib64/libssl.so.10
#5  0x00007fe0851eed42 in ngx_ssl_certificate (cf=cf@entry=0x7fffaf0d4960, ssl=ssl@entry=0x7fe085cb9f98, cert=cert@entry=0x7fe085cb9fd8, key=key@entry=0x7fe085cb9fe8)
    at src/event/ngx_event_openssl.c:326
#6  0x00007fe0852420dd in ngx_http_ssl_merge_srv_conf (cf=0x7fffaf0d4960, parent=0x7fe085c94898, child=0x7fe085cb9f90) at src/http/modules/ngx_http_ssl_module.c:550
#7  0x00007fe0851f4dd4 in ngx_http_merge_servers (cmcf=0x7fe085c93d30, cmcf=0x7fe085c93d30, ctx_index=21, module=0x7fe0854a0900 <ngx_http_ssl_module_ctx>, cf=0x7fffaf0d4960)
    at src/http/ngx_http.c:584
#8  ngx_http_block (cf=0x7fffaf0d4960, cmd=<optimized out>, conf=<optimized out>) at src/http/ngx_http.c:270
#9  0x00007fe0851dac50 in ngx_conf_handler (last=1, cf=0x7fffaf0d4960) at src/core/ngx_conf_file.c:387
#10 ngx_conf_parse (cf=cf@entry=0x7fffaf0d4960, filename=filename@entry=0x7fe085c924e0) at src/core/ngx_conf_file.c:243
#11 0x00007fe0851d8314 in ngx_init_cycle (old_cycle=old_cycle@entry=0x7fffaf0d4b20) at src/core/ngx_cycle.c:268
#12 0x00007fe0851c99fb in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:333

SSL settings:

    server {
        listen       *:443;
        server_name  fms.nginx.local;

        ssl on;
        ssl_client_certificate "ssl/ca.crt";
        ssl_certificate        "ssl/web.crt";
        ssl_certificate_key    "ssl/web.key";
        ssl_verify_client on;

        ...
    }

Attachments (1)

ssl.zip (2.4 KB ) - added by Eugeny G. 10 years ago.
testing ecdsa certs


Change History (2)

by Eugeny G., 10 years ago

Attachment: ssl.zip added

testing ecdsa certs

comment:1 by Maxim Dounin, 10 years ago

Resolution: invalid
Status: new → closed

Looks like a problem in OpenSSL with the certificate you are trying to use (due to Russian chars in the DN?); it can be easily reproduced with:

openssl s_server -cert web.crt -key web.key

Try reporting this to OpenSSL team instead.
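The crash sits in frames #2 to #4 of the backtrace: nginx hands the files to SSL_CTX_use_PrivateKey_file, which calls X509_check_private_key to confirm that the key belongs to the certificate. As an added example (not from the ticket, from nginx or from OpenSSL), the POSIX shell script below performs that same pairing check with the openssl command line before a pair is deployed, by comparing the public key extracted from the certificate with the one derived from the private key. It needs a working openssl binary; the file names, the P-256 curve, the one-day validity and the subjects are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the ticket or from nginx): check that an ECDSA
# certificate and private key belong together before nginx loads them.

# check_keypair CERT KEY
# Prints "match" (exit 0) or "mismatch" (exit 1); "unreadable-cert" or
# "unreadable-key" (exit 2) when openssl cannot parse the file at all.
check_keypair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) \
        || { echo unreadable-cert; return 2; }
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) \
        || { echo unreadable-key; return 2; }
    # Both commands emit the SubjectPublicKeyInfo as PEM, so a pair that
    # X509_check_private_key would accept yields byte-identical output.
    if [ "$cert_pub" = "$key_pub" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}

# make_ecdsa_pair DIR NAME SUBJECT
# Writes DIR/NAME.key (P-256) and a self-signed DIR/NAME.crt; sample values only.
make_ecdsa_pair() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/$2.key" 2>/dev/null
    openssl req -new -x509 -key "$1/$2.key" -out "$1/$2.crt" -days 1 \
        -subj "$3" 2>/dev/null
}

# demo: one matching pair, then the same certificate with a foreign key.
demo() {
    dir=$(mktemp -d)
    make_ecdsa_pair "$dir" web   "/CN=fms.nginx.local"
    make_ecdsa_pair "$dir" other "/CN=other.example"
    echo "web.crt + web.key:   $(check_keypair "$dir/web.crt" "$dir/web.key")"
    echo "web.crt + other.key: $(check_keypair "$dir/web.crt" "$dir/other.key")"
    rm -rf "$dir"
}

if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

To exercise a subject with non-ASCII characters like the DN mentioned in the comment, generate the test certificate with `openssl req -utf8 -subj ...`; a clean "match" or "mismatch" from this script means the CLI parsed the pair, while a crash at this stage points at the library rather than at the nginx configuration, which is the distinction the resolution above draws.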
