#715 closed defect (invalid)
Elliptic curve detected wrongly
| Reported by: | Forst | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.7.x |
| Keywords: | ssl, ecdsa, ec | Cc: | |
| uname -a: | Linux beaver 3.13.0-44-generic #73-Ubuntu SMP Tue Dec 16 00:22:43 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.7.9
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1) TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6 |
||
Description
Trying to enable client certificate authentication. All the certificates are using ECDSA with secp384r1 as the curve. However, client certificates aren't accepted with the following error:
[emerg] 41963#0: Unknown curve name "prime384r1" (SSL:)
It seems that the curve name is detected wrongly.
I have also tried setting "prime384r1" as "ssl_ecdh_curve", which predictably failed. However, setting it to "secp384r1" works perfectly.
Attached is a certificate that causes the problem. It was generated using openssl that was bundled with xca.
This has been tested on the version from the official Ubuntu .deb package.
Attachments (1)
Change History (5)
by , 9 years ago
comment:1 by , 9 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
The error message provided is generated if you use an unknown curve name in the ssl_ecdh_curve directive. This message is not generated in any other cases. If you have problems with certificates, they are elsewhere.
comment:2 by , 9 years ago
I am using secp384r1 as the ssl_ecdh_curve, nginx starts successfully with this setting. However, I still encounter an error with the client certificate's curve. prime384r1 curve doesn't exist at all (simple Googling confirms this), so this is a bug in my opinion. Is it OpenSSL-related?
comment:3 by , 9 years ago
As previously said, the message is generated when you write an unknown name ("prime384r1" in this case) in the ssl_ecdh_curve directive. It's not something nginx "detects" by itself, it's what you wrote in the configuration file.
comment:4 by , 9 years ago
Ah, I'm sorry about that, indeed the error is from the time when I used prime384r1 as the value.
The certificate error I saw though was caused by CRL being inaccessible for some reason. Expected this to be logged as "error", yet it was in "info", that's why I didn't see it in the first place.
Sample certificate