Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#715 closed defect (invalid)

Elliptic curve detected wrongly

Reported by: Forst Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.7.x
Keywords: ssl, ecdsa, ec Cc:
uname -a: Linux beaver 3.13.0-44-generic #73-Ubuntu SMP Tue Dec 16 00:22:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.7.9
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/ --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6


Trying to enable client certificate authentication. All the certificates are using ECDSA with secp384r1 as the curve. However, client certificates aren't accepted with the following error:

[emerg] 41963#0: Unknown curve name "prime384r1" (SSL:)

It seems that the curve name is detected wrongly.

I have also tried setting "prime384r1" as "ssl_ecdh_curve", which predictably failed. However, setting it to "secp384r1" works perfectly.

Attached is a certificate that causes the problem. It was generated using openssl that was bundled with xca.

This has been tested on the version from the official Ubuntu .deb package.

Attachments (1)

Shark.crt (1.5 KB ) - added by Forst 5 years ago.
Sample certificate


Change History (5)

by Forst, 5 years ago

Attachment: Shark.crt added

Sample certificate

comment:1 by Maxim Dounin, 5 years ago

Resolution: invalid
Status: new → closed

The error message provided is generated if you use an unknown curve name in the ssl_ecdh_curve directive. This message is not generated in any other cases. If you have problems with certificates, they are elsewhere.

comment:2 by Forst, 5 years ago

I am using secp384r1 as the ssl_ecdh_curve, nginx starts successfully with this setting. However, I still encounter an error with the client certificate's curve. prime384r1 curve doesn't exist at all (simple Googling confirms this), so this is a bug in my opinion. Is it OpenSSL-related?

comment:3 by Maxim Dounin, 5 years ago

As previously said, the message is generated when you write an unknown name ("prime384r1" in this case) in the ssl_ecdh_curve directive. It's not something nginx "detects" by itself, it's what you wrote in the configuration file.

comment:4 by Forst, 5 years ago

Ah, I'm sorry about that; indeed, the error is from the time when I used prime384r1 as the value.

The certificate error I saw, though, was caused by the CRL being inaccessible for some reason. I expected this to be logged as "error", yet it was at "info", which is why I didn't see it in the first place.
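As an added illustration (not part of the ticket, and not the nginx project's own configuration), the server block below puts the rejected and the accepted spelling of the curve name next to the client-certificate directives this ticket touches. The host name, file paths and the chosen error_log level are assumptions made for the example.

```nginx
# Added example, not from the ticket. Host name and paths are assumed.
# After editing, run `nginx -t`: an unknown curve name is rejected when
# the configuration is loaded ("[emerg] ... Unknown curve name"); the
# name is never derived from a certificate.

server {
    listen 443 ssl;
    server_name example.com;                        # assumed host name

    ssl_certificate     /etc/nginx/ssl/server.crt;  # assumed paths
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Rejected at startup: "prime384r1" is not an OpenSSL curve name.
    # ssl_ecdh_curve prime384r1;

    # Accepted: the OpenSSL name for NIST P-384.
    ssl_ecdh_curve secp384r1;

    # Client certificate authentication against a CA bundle and a CRL.
    # nginx logs client certificate verify errors (for instance when the
    # CRL cannot be used) at the "info" level, not "error", so raise the
    # log level while debugging a rejected client certificate.
    ssl_verify_client       on;
    ssl_client_certificate  /etc/nginx/ssl/client-ca.crt;
    ssl_crl                 /etc/nginx/ssl/client-ca.crl;

    error_log /var/log/nginx/error.log info;
}
```

To see which curve a certificate really uses, `openssl x509 -in Shark.crt -noout -text` prints the key's ASN.1 OID (secp384r1) and its NIST name (P-384); `openssl ecparam -list_curves` lists the names that ssl_ecdh_curve accepts.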
