Opened 5 years ago

Closed 5 years ago

Last modified 5 years ago

#715 closed defect (invalid)

Elliptic curve detected wrongly

Reported by: launchpad.net/~basicxp Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.7.x
Keywords: ssl, ecdsa, ec Cc:
uname -a: Linux beaver 3.13.0-44-generic #73-Ubuntu SMP Tue Dec 16 00:22:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.7.9 built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6

Description

Trying to enable client certificate authentication. All the certificates are using ECDSA with secp384r1 as the curve. However, client certificates aren't accepted with the following error:

[emerg] 41963#0: Unknown curve name "prime384r1" (SSL:)

It seems that the curve name is detected wrongly.

I have also tried setting "prime384r1" as "ssl_ecdh_curve", which predictably failed. However, setting it to "secp384r1" works perfectly.

Attached is a certificate that causes the problem. It was generated using openssl that was bundled with xca.

This has been tested on the version from the official Ubuntu .deb package.

Attachments (1)

Shark.crt (1.5 KB) - added by launchpad.net/~basicxp 5 years ago.
Sample certificate

Download all attachments as: .zip

Change History (5)

Changed 5 years ago by launchpad.net/~basicxp

Sample certificate

comment:1 Changed 5 years ago by mdounin

  • Resolution set to invalid
  • Status changed from new to closed

The error message provided is generated if you use an unknown curve name in the ssl_ecdh_curve directive. This message is not generated in any other cases. If you have problems with certificates, they are elsewhere.

comment:2 Changed 5 years ago by launchpad.net/~basicxp

I am using secp384r1 as the ssl_ecdh_curve, nginx starts successfully with this setting. However, I still encounter an error with the client certificate's curve. prime384r1 curve doesn't exist at all (simple Googling confirms this), so this is a bug in my opinion. Is it OpenSSL-related?

comment:3 Changed 5 years ago by mdounin

As previously said, the message is generated when you write an unknown name ("prime384r1" in this case) in the ssl_ecdh_curve directive. It's not something nginx "detects" by itself, it's what you wrote in the configuration file.

comment:4 Changed 5 years ago by launchpad.net/~basicxp

Ah, I'm sorry about that, indeed the error is from the time when I used prime384r1 as the value.

The certificate error I saw though was caused by CRL being inaccessible for some reason. Expected this to be logged as "error", yet it was in "info", that's why I didn't see it in the first place.

Note: See TracTickets for help on using tickets.