Bug 1058767

Summary: curl does not support ECDSA certificates
Product: Red Hat Enterprise Linux 6
Reporter: Hubert Kario <hkario>
Component: curl
Assignee: Kamil Dudka <kdudka>
Status: CLOSED ERRATA
QA Contact: Stefan Kremen <skremen>
Severity: high
Docs Contact:
Priority: high
Version: 6.5
CC: mdshaikh, mmckinst, mpoole, ovasik, rhowe, rmainz
Target Milestone: rc
Keywords: Patch
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: curl-7.19.7-43.el6
Doc Type: Enhancement
Doc Text:
With the updated packages, it is possible to explicitly enable/disable ECC (Elliptic Curve Cryptography) cipher-suites to be used for TLS.
Story Points: ---
Clone Of:
: 1058776
Environment:
Last Closed: 2015-07-22 05:43:21 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1057564, 1058776, 1059670, 1059682, 1156426

Description Hubert Kario 2014-01-28 13:54:24 UTC
Description of problem:
Curl is unable to connect over FTPS (not to be confused with SFTP, aka SCP) to vsftpd that uses ECDSA certificates.

Version-Release number of selected component (if applicable):
curl-7.19.7-37.el6_4.x86_64
vsftpd-2.2.2-11.el6_4.1.x86_64
openssl-1.0.1e-15.el6.x86_64
nss-3.15.1-15.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Configure vsftpd with SSL support, use ECDSA certificates
2. Set ssl_ciphers to ECDH-ECDSA-AES128-SHA
3. Connect to vsftp using curl

Actual results:
* About to connect() to localhost port 21 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 21 (#0)
< 220 (vsFTPd 2.2.2)
> AUTH SSL
< 234 Proceed with negotiation.
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/CA/certs/ca_cert.pem
  CApath: none
* NSS error -12286
* Error in TLS handshake, trying SSLv3...
> USER anonymous
< 500 OOPS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
* Access denied: 500
* Closing connection #0

curl: (67) Access denied: 500

Expected results:
Connection negotiated using ECDH-ECDSA-AES128-SHA cipher suite

Additional info:
Connection using openssl s_client -starttls ftp -connect localhost:21 is successful:
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES128-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES128-SHA
    Session-ID: 1BBE8D6310629A180CD0E4D45FCD3C422563318041187AD0D0F576A834C7103F
    Session-ID-ctx: 
    Master-Key: 4A0A0F5DAAFFE63896BF436F37CDCC20BB262F56E701D1B6E2FC8C1C07C2423C4897A9A49CA9B88B1F97E015D317EC55
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1390916554
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 (vsFTPd 2.2.2)
DONE

Setting the cipher explicitly using the `--ciphers` option is not supported either (using either the ECDH-ECDSA-AES128-SHA or the "ecdh_ecdsa_aes_128_sha" name) and results in:
* About to connect() to localhost port 21 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 21 (#0)
< 220 (vsFTPd 2.2.2)
> AUTH SSL
< 234 Proceed with negotiation.
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Unknown cipher in list: ecdh_ecdsa_aes_128_sha
* NSS error -5978
* Closing connection #0

curl: (59) Unknown cipher in list: ecdh_ecdsa_aes_128_sha

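As an added example (not part of the bug report, of curl or of vsftpd), a POSIX shell helper that classifies a `curl -v --ssl-reqd --ciphers <name> ftp://host/` attempt into the two failure modes shown above versus a successful ECC handshake, plus a wrapper for probing a live FTPS server. It assumes the curl output strings shown in this report and the `* SSL connection using ...` line curl prints on success; the verdict words, return codes and the host name in the usage line are this script's own.

```shell
#!/bin/sh
# Added example, not part of the bug report or of curl. It classifies the
# outcome of "curl -v --ssl-reqd --ciphers <name> ftp://host/" from curl's
# verbose output, so a check across hosts can tell "this curl build rejects
# the cipher name" (client side, exit 59 above) from "the server accepts none
# of the suites this client offers". Verdict words and return codes are this
# script's own convention; -12286 is NSS's SSL_ERROR_NO_CYPHER_OVERLAP.

# classify_curl_tls OUTPUT -> prints a verdict; returns 0 only on success
classify_curl_tls() {
    out=$1
    case $out in
        *"Unknown cipher in list"*)
            echo unknown-cipher; return 1 ;;
        *"NSS error -12286"*|*"no shared cipher"*)
            echo no-shared-cipher; return 1 ;;
    esac
    # "* SSL connection using <SUITE>" on old curl, "... <PROTO> / <SUITE>"
    # on newer curl; keep only <SUITE>
    suite=$(printf '%s\n' "$out" |
            sed -E -n 's#^\* SSL connection using (.* / )?##p' | head -n 1)
    if [ -n "$suite" ]; then
        echo "ok:$suite"; return 0
    fi
    case $out in
        *"NSS error"*|*"SSL connect error"*)
            echo handshake-error; return 1 ;;
    esac
    echo no-tls; return 1
}

# curl_tls_backend VERSIONLINE -> NSS / OpenSSL / GnuTLS from the first line
# of `curl -V`; the --ciphers spelling depends on it (NSS wants names like
# ecdh_ecdsa_aes_128_sha, OpenSSL wants ECDH-ECDSA-AES128-SHA)
curl_tls_backend() {
    printf '%s\n' "$1" | sed -E -n 's#.* (NSS|OpenSSL|GnuTLS)/.*#\1#p'
}

# probe_ftps HOST PORT SUITE [CAFILE] -> live probe of one server; CAFILE is
# passed unquoted on purpose and so must not contain spaces. On curl older
# than 7.20 the option is spelled --ftp-ssl-reqd instead of --ssl-reqd.
probe_ftps() {
    cacert=""
    if [ -n "$4" ]; then cacert="--cacert $4"; fi
    out=$(curl -v -s -o /dev/null --max-time 15 --ssl-reqd --ciphers "$3" \
              $cacert "ftp://$1:$2/" 2>&1) || true
    classify_curl_tls "$out"
}

# usage: probe_ftps ftp.example.test 21 ecdh_ecdsa_aes_128_sha /etc/pki/CA/certs/ca_cert.pem
```

Run `curl_tls_backend "$(curl -V | head -n 1)"` first to pick the cipher-name spelling for the build under test.
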
Comment 2 Kamil Dudka 2014-10-24 12:55:40 UTC
*** Bug 1156426 has been marked as a duplicate of this bug. ***

Comment 9 Kamil Dudka 2015-05-22 15:56:40 UTC
*** Bug 1222665 has been marked as a duplicate of this bug. ***

Comment 11 errata-xmlrpc 2015-07-22 05:43:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-1254.html