How to use ecdh self-signed cert files in R19.2 ssl app


赵 汉

Hi!

After so many searches in vain, I can’t find an actual example through Google, and I have failed again and again with many procedures.

Only a self-signed set of cert files generated with something like “…. -nodes rsa:1024….” can be used in OTP's ssl node-to-node communication.

Below are the failed ones.

Procedure 1 succeeded, but the result failed to work in OTP's ssl

Generation with aes256 encryption

First, generate the root CA key, CSR and certificate, something like below:

 

openssl genrsa -aes256 -out private/cakey.pem 1024

openssl req -new -key private/cakey.pem -out private/ca.csr -subj \
    "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"

openssl x509 -req -days 365 -sha1 -extensions v3_ca -signkey \
    private/cakey.pem -in private/ca.csr -out certs/ca.cer

Sign the server side:

openssl genrsa -aes256 -out private/server-key.pem 1024

openssl req -new -key private/server-key.pem -out private/server.csr -subj \
    "/C=CN/ST=myprovince/L=mycity/O=myorganization/OU=mygroup/CN=myname"

openssl x509 -req -days 365 -sha1 -extensions v3_req -CA certs/ca.cer -CAkey private/cakey.pem \
    -CAserial ca.srl -CAcreateserial -in private/server.csr -out certs/server.cer

 

Procedure 2 succeeded, but the result failed to work in OTP's ssl

The OpenSSL config file is something like this (it may not actually be exactly this):

Openssl.cnf

[ ca ]
default_ca = CA_own

[ CA_own ]
certs = .
new_certs_dir = ./db/certs
database = ./db/index
serial = ./db/serial
RANDFILE = ./db/rand
certificate = ./ca.cert.pem
private_key = ./ca.key.pem
default_days = 7300
default_crl_days = 30
default_md = sha1
preserve = no
policy = policy_anything
extensions = v3_ca

[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[ req ]
distinguished_name = req_distinguished_name
attributes = req_attributes
req_extensions = v3_req

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = New York
localityName = Locality Name (eg, city)
localityName_default = New York0
organizationName = Organization Name (eg, company)
organizationName_default = Microsoft Corp.
organizationalUnitName = Organizational Unit Name (eg, section)
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
unstructuredName_default = Microsoft

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always, issuer
basicConstraints = CA:true

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = rpslc_1@192.168.212.173
DNS.2 = rpslc_2@192.168.212.173

 

First, generate the root CA key, CSR and certificate, something like below:

openssl genrsa -out ca.key.pem 2048
openssl req -x509 -new -nodes -key ca.key.pem -days 365 -out ca.cert.pem

openssl genpkey -genparam -algorithm EC -out ecdh.pem \
    -pkeyopt ec_paramgen_curve:brainpoolP512r1

openssl req -nodes -new -newkey ec:ecdh.pem -keyout 1ecdh.key.pem -out 1ecdh.csr.pem

Sign:

openssl ca -in 1ecdh.csr.pem -out 1ecdh.crt.pem -config $CONF_FILE

Finally I get 8 files for the 2 nodes to connect to each other:
ca.cert.pem
ecdh.pem
1ecdh.key.pem
1ecdh.csr.pem
1ecdh.crt.pem
2ecdh.key.pem
2ecdh.csr.pem
2ecdh.crt.pem

baseOptions from app gen_rpc

-define(SSL_DEFAULT_COMMON_OPTS, [binary,
        {packet,0},
        {header,0},
        {exit_on_close,true},
        {nodelay,true}, % Send our requests immediately
        {send_timeout_close,true}, % When the socket times out, close the connection
        {delay_send,false}, % Scheduler should favor timely delivery
        {linger,{true,2}}, % Allow the socket to flush outgoing data for 2" before closing it - useful for casts
        {reuseaddr,true}, % Reuse local port numbers
        {keepalive,true}, % Keep our channel open
        {tos,72}, % Deliver immediately
        {active,false},
        %% SSL options
        {ciphers,["ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384",
                  "ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384","ECDHE-ECDSA-DES-CBC3-SHA",
                  "ECDH-ECDSA-AES256-GCM-SHA384","ECDH-RSA-AES256-GCM-SHA384","ECDH-ECDSA-AES256-SHA384",
                  "ECDH-RSA-AES256-SHA384","DHE-DSS-AES256-GCM-SHA384","DHE-DSS-AES256-SHA256",
                  "AES256-GCM-SHA384","AES256-SHA256","ECDHE-ECDSA-AES128-GCM-SHA256",
                  "ECDHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256",
                  "ECDH-ECDSA-AES128-GCM-SHA256","ECDH-RSA-AES128-GCM-SHA256","ECDH-ECDSA-AES128-SHA256",
                  "ECDH-RSA-AES128-SHA256","DHE-DSS-AES128-GCM-SHA256","DHE-DSS-AES128-SHA256","AES128-GCM-SHA256",
                  "AES128-SHA256","ECDHE-ECDSA-AES256-SHA","ECDHE-RSA-AES256-SHA","DHE-DSS-AES256-SHA",
                  "ECDH-ECDSA-AES256-SHA","ECDH-RSA-AES256-SHA","AES256-SHA","ECDHE-ECDSA-AES128-SHA",
                  "ECDHE-RSA-AES128-SHA","DHE-DSS-AES128-SHA","ECDH-ECDSA-AES128-SHA","ECDH-RSA-AES128-SHA","AES128-SHA"]},
        {secure_renegotiate,true},
        {reuse_sessions,true},
        {versions,['tlsv1.2','tlsv1.1']},
        {verify,verify_peer},
        {hibernate_after,600000},
        {active,false}]).
 
-define(SSL_DEFAULT_SERVER_OPTS, [{fail_if_no_peer_cert,true},
        {log_alert,false},
        {honor_cipher_order,true},
        {client_renegotiation,true}]).
 
-define(SSL_DEFAULT_CLIENT_OPTS, [{server_name_indication,disable},
        {depth,99}]).

And extra options

ssl_client_options: [
    certfile: certfile,
    keyfile: keyfile,
    cacertfile: './priv/ssl/ca.cert.pem',
    eccs: [:brainpoolP512r1]
],
ssl_server_options: [
    certfile: certfile,
    keyfile: keyfile,
    cacertfile: './priv/ssl/ca.cert.pem',
    eccs: [:brainpoolP512r1]
],

The two nodes are both on one CentOS system.
When I try ssl:connect/4, I get the error below:

tls_connection.erl:704:Fatal error: handshake failure - malformed_handshake_data;
 
{tls_alert,"handshake failure"};

And when I try openssl s_client, I get the error below:

openssl s_client -connect 192.168.212.173:5370  -cert 2.crt.pem -key 2.key.pem   -CAfile ca.cert.pem -cipher ECDH-RSA-AES256-GCM-SHA384  -debug
CONNECTED(00000003)
depth=1 C = CN, ST = cq, L = cq, O = s, OU = p, CN = botanyzh, emailAddress = [hidden email]
verify return:1
depth=0 C = US, ST = Uniden, L = 00abcdef1234, O = sprt, OU = potato, CN = rpslc_1@192.168.212.173, emailAddress = [hidden email]
verify return:1
140467656820416:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
140467656820416:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
 
With extra  -debug
write to 0x159aa30 [0x15acb00] (6 bytes => -1 (0xFFFFFFFFFFFFFFFF))
write:errno=32

Please help me

About the ssl source:
the ECDH cert seems not to be usable for OTP's ssl.
When I debugged, I found that the call from ssl_connection:handle_peer_cert_key/5 to public_key:generate_key/1 can never match.

The public_key interface is

generate_key(#'DHParameter'{prime = P, base = G}) ->
    crypto:generate_key(dh, [P, G]);
generate_key({namedCurve, _} = Params) ->
    ec_generate_key(Params);
generate_key(#'ECParameters'{} = Params) ->
    ec_generate_key(Params).

but the argument it is called with is {ecParameters, #'ECParameters'{} = Params}

 

 

 

Sent from Mail for Windows 10

 


_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions
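
The argument the post reports, {ecParameters, #'ECParameters'{}}, is the explicit-parameters alternative of the X.509 EC parameters CHOICE; the other alternative, a curve OID, decodes as {namedCurve, _}. As an added example (not part of the original post or of OTP; the function names are hypothetical), this script reports which encoding an EC parameter file, CSR or certificate uses, and generates a parameter file with named-curve encoding through genpkey's ec_param_enc option:

```shell
#!/bin/sh
# Added example: report how EC domain parameters are encoded in the files the
# post generates. Function names are hypothetical; file names follow the post.

# EC parameter file (e.g. ecdh.pem): a named curve is a bare OBJECT IDENTIFIER,
# explicit parameters are a SEQUENCE holding the field, curve and base point.
ec_params_encoding() {
    first=$(openssl asn1parse -in "$1" 2>/dev/null | head -n 1)
    case "$first" in
        *"prim: OBJECT"*)   echo named_curve ;;
        *"cons: SEQUENCE"*) echo explicit ;;
        *)                  echo unknown; return 1 ;;
    esac
}

# PKCS#8 key, public key, CSR or certificate (e.g. 1ecdh.crt.pem): the element
# that follows the id-ecPublicKey OID in the algorithm identifier is the
# parameters field. Prints not_ec when no such OID is found.
spki_ec_encoding() {
    openssl asn1parse -in "$1" 2>/dev/null | awk '
        seen {
            if ($0 ~ /prim: OBJECT/)        result = "named_curve"
            else if ($0 ~ /cons: SEQUENCE/) result = "explicit"
            else                            result = "unknown"
            exit
        }
        /:id-ecPublicKey/ { seen = 1 }
        END { print (result == "" ? "not_ec" : result) }'
}

# Generate a parameter file that references the curve by OID.
# usage: gen_named_params CURVE OUTFILE
gen_named_params() {
    openssl genpkey -genparam -algorithm EC -out "$2" \
        -pkeyopt "ec_paramgen_curve:$1" -pkeyopt ec_param_enc:named_curve
}

# Stand-alone use: sh script.sh 1ecdh.csr.pem 1ecdh.crt.pem
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(spki_ec_encoding "$f")"
done
```

A key and CSR created with -newkey ec:FILE inherit the encoding of the parameter file, so checking ecdh.pem first shows what the resulting certificate will carry.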