Red Hat Bugzilla – Bug 1058767
curl does not support ECDSA certificates
Last modified: 2015-07-22 01:43:21 EDT
Description of problem:
Curl is unable to connect over FTPS (not to be confused with SFTP, aka SCP) to vsftpd that uses ECDSA certificates.

Version-Release number of selected component (if applicable):
curl-7.19.7-37.el6_4.x86_64
vsftpd-2.2.2-11.el6_4.1.x86_64
openssl-1.0.1e-15.el6.x86_64
nss-3.15.1-15.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Configure vsftpd with SSL support, use ECDSA certificates
2. Set ssl_ciphers to ECDH-ECDSA-AES128-SHA
3. Connect to vsftpd using curl

Actual results:
* About to connect() to localhost port 21 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 21 (#0)
< 220 (vsFTPd 2.2.2)
> AUTH SSL
< 234 Proceed with negotiation.
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/CA/certs/ca_cert.pem
  CApath: none
* NSS error -12286
* Error in TLS handshake, trying SSLv3...
> USER anonymous
< 500 OOPS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
* Access denied: 500
* Closing connection #0
curl: (67) Access denied: 500

Expected results:
Connection negotiated using ECDH-ECDSA-AES128-SHA cipher suite

Additional info:
Connection using openssl s_client -starttls ftp -connect localhost:21 is successful:

New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES128-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES128-SHA
    Session-ID: 1BBE8D6310629A180CD0E4D45FCD3C422563318041187AD0D0F576A834C7103F
    Session-ID-ctx:
    Master-Key: 4A0A0F5DAAFFE63896BF436F37CDCC20BB262F56E701D1B6E2FC8C1C07C2423C4897A9A49CA9B88B1F97E015D317EC55
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 2a d3 d3 ae 71 2b 7c 07-8d 75 64 fb 6a 9a 7a b0   *...q+|..ud.j.z.
    0010 - fd 65 81 54 be ef 2a df-19 6f 56 99 5c 6d 2d 3f   .e.T..*..oV.\m-?
    0020 - 42 2d 7c 72 a9 a7 91 af-bd a4 72 9c 1a 95 5c ab   B-|r......r...\.
    0030 - ca 4a 90 91 52 b1 66 91-a3 af e0 f3 0a 08 a5 80   .J..R.f.........
    0040 - cc e9 27 68 f9 de 9f bc-bb d2 56 b4 ec e3 05 8f   ..'h......V.....
    0050 - 8d e7 f0 73 53 b6 14 86-23 75 45 6e 33 84 7b 64   ...sS...#uEn3.{d
    0060 - 80 16 18 4a 73 9a 2b 6e-47 02 24 51 91 d6 8d 75   ...Js.+nG.$Q...u
    0070 - a8 1e cd 19 81 ce a1 c8-49 ef 2d eb 36 1c 17 50   ........I.-.6..P
    0080 - bc 77 ab ae 07 1c b8 7b-4b 5c e9 ee d1 ab 72 51   .w.....{K\....rQ
    0090 - f3 31 c4 60 5c 6a 42 4c-d5 49 cd ee 77 47 bf 52   .1.`\jBL.I..wG.R

    Start Time: 1390916554
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 (vsFTPd 2.2.2)
DONE

Setting the cipher explicitly using the `--ciphers` option is not supported either (using either the ECDH-ECDSA-AES128-SHA or the "ecdh_ecdsa_aes_128_sha" name) and results in:

* About to connect() to localhost port 21 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 21 (#0)
< 220 (vsFTPd 2.2.2)
> AUTH SSL
< 234 Proceed with negotiation.
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Unknown cipher in list: ecdh_ecdsa_aes_128_sha
* NSS error -5978
* Closing connection #0
curl: (59) Unknown cipher in list: ecdh_ecdsa_aes_128_sha
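The two failure transcripts above carry distinct signatures: a handshake that fails with NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP) and is confirmed server-side by "no shared cipher", versus a cipher list that NSS rejects before any handshake ("Unknown cipher in list", exit 59, which is CURLE_SSL_CIPHER). The openssl s_client transcript shows the server itself negotiates the suite fine, so the defect is in the client build, not the server configuration. The following script is an added example, not part of the bug report or of curl itself: it parses `curl -v` output into that diagnosis so an administrator can tell a client-side cipher-support gap apart from a server misconfiguration. The `probe_ftps` wrapper and its curl command line (`--ssl-reqd`, anonymous login) are assumptions, not the reporter's command; the embedded sample transcripts are constructed from the lines quoted in the report.

```python
"""Classify why a curl FTPS/TLS connection failed, from `curl -v` output (added example)."""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# NSS error codes observed in this bug; -12286 is SSL_ERROR_NO_CYPHER_OVERLAP (NSS sslerr.h).
NSS_ERROR_NAMES = {-12286: "SSL_ERROR_NO_CYPHER_OVERLAP"}


@dataclass
class TlsDiagnosis:
    curl_exit_code: Optional[int] = None      # number in the final "curl: (NN) ..." line
    nss_error: Optional[int] = None           # "NSS error -NNNNN" if present
    unknown_cipher: Optional[str] = None      # cipher name NSS refused to parse
    server_rejected_hello: bool = False       # server-side "no shared cipher" (OpenSSL alert text)
    fell_back_to_sslv3: bool = False          # old curl retries with SSLv3 after a TLS failure
    negotiated_cipher: Optional[str] = None   # suite from "SSL connection using ..." on success
    verdict: str = "no TLS problem detected"


def diagnose_curl_output(text: str) -> TlsDiagnosis:
    """Pure function over the verbose output; safe to run offline on saved transcripts."""
    d = TlsDiagnosis()
    m = re.search(r"^curl: \((\d+)\)", text, re.M)
    if m:
        d.curl_exit_code = int(m.group(1))
    m = re.search(r"NSS error (-?\d+)", text)
    if m:
        d.nss_error = int(m.group(1))
    m = re.search(r"Unknown cipher in list: (\S+)", text)
    if m:
        d.unknown_cipher = m.group(1)
    d.server_rejected_hello = "no shared cipher" in text
    d.fell_back_to_sslv3 = "trying SSLv3" in text
    # Both the NSS backend ("SSL connection using SUITE") and the OpenSSL backend
    # ("SSL connection using TLSv1.2 / SUITE") print the negotiated suite last on that line.
    m = re.search(r"SSL connection using (?:\S+ / )?(\S+)", text)
    if m:
        d.negotiated_cipher = m.group(1)

    if d.unknown_cipher:
        d.verdict = (f"client build does not know cipher {d.unknown_cipher!r}; "
                     "the handshake never started")
    elif d.nss_error == -12286 or d.server_rejected_hello:
        d.verdict = ("no cipher suite overlap: the client offered none of the suites usable "
                     "with the server certificate (check client support for the key type)")
    elif d.negotiated_cipher:
        d.verdict = f"handshake succeeded with {d.negotiated_cipher}"
    return d


def probe_ftps(host: str, port: int = 21, ciphers: Optional[str] = None,
               timeout: int = 10) -> TlsDiagnosis:
    """Run curl against a live FTPS server and classify the result (assumed command line).

    --ssl-reqd forces AUTH TLS/SSL before login; curl 7.19.x spells it --ftp-ssl-reqd.
    """
    cmd = ["curl", "-v", "--ssl-reqd", "-u", "anonymous:", "--max-time", str(timeout)]
    if ciphers:
        cmd += ["--ciphers", ciphers]
    cmd.append(f"ftp://{host}:{port}/")
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return diagnose_curl_output(proc.stderr + proc.stdout)


# Constructed samples, taken from the transcripts quoted in the report.
SAMPLE_HANDSHAKE_FAILURE = "\n".join([
    "* Initializing NSS with certpath: sql:/etc/pki/nssdb",
    "* NSS error -12286",
    "* Error in TLS handshake, trying SSLv3...",
    "< 500 OOPS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher",
    "curl: (67) Access denied: 500",
])
SAMPLE_BAD_CIPHER_LIST = "\n".join([
    "* Unknown cipher in list: ecdh_ecdsa_aes_128_sha",
    "* NSS error -5978",
    "curl: (59) Unknown cipher in list: ecdh_ecdsa_aes_128_sha",
])

if __name__ == "__main__":
    for sample in (SAMPLE_HANDSHAKE_FAILURE, SAMPLE_BAD_CIPHER_LIST):
        print(diagnose_curl_output(sample).verdict)
```

Run it against saved `curl -v` output, or call `probe_ftps("ftps.example.internal")` with and without `--ciphers` to see whether a particular client build can reach a server that only offers ECDSA suites; a "no cipher suite overlap" verdict paired with a clean `openssl s_client` session points at the client, exactly as in this report.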
*** Bug 1156426 has been marked as a duplicate of this bug. ***
*** Bug 1222665 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1254.html