Bug 1058776 - curl does not support ECDSA certificates
Summary: curl does not support ECDSA certificates
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: curl
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Kamil Dudka
QA Contact: Hubert Kario
URL:
Whiteboard:
Depends On: 1058767
Blocks: 1057566 1059670 1156426
TreeView+ depends on / blocked
 
Reported: 2014-01-28 14:04 UTC by Hubert Kario
Modified: 2014-10-24 12:40 UTC (History)
5 users (show)

Fixed In Version: curl-7.29.0-15.el7
Doc Type: Bug Fix
Doc Text:
Clone Of: 1058767
: 1156426 (view as bug list)
Environment:
Last Closed: 2014-06-13 13:08:33 UTC


Attachments (Terms of Use)

Description Hubert Kario 2014-01-28 14:04:10 UTC
Description of problem:
Curl is unable to connect over FTPS (not to be confused with SFTP, aka SCP) to vsftpd that uses ECDSA certificates.

Version-Release number of selected component (if applicable):
nss-3.15.4-4.el7.x86_64
curl-7.29.0-13.el7.x86_64
vsftpd-3.0.2-7.el7.x86_64
openssl-1.0.1e-29.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Configure vsftpd with SSL support, use ECDSA certificates
2. Set ssl_ciphers to ECDH-ECDSA-AES128-SHA
3. Connect to vsftp using curl

Actual results:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to localhost port 21 (#0)
*   Trying ::1...
* Connected to localhost (::1) port 21 (#0)
< 220 (vsFTPd 3.0.2)
> AUTH SSL
< 234 Proceed with negotiation.
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/CA/certs/ca_cert.pem
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Error in TLS handshake, trying SSLv3...
> USER anonymous
< 500 OOPS: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
* Access denied: 500
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (67) Cannot communicate securely with peer: no common encryption algorithm(s).

Expected results:
Connection negotiated using ECDH-ECDSA-AES128-SHA cipher suite

Additional info:
Connection using openssl s_client -starttls ftp -connect localhost:21 is successful:
New, TLSv1/SSLv3, Cipher is ECDH-ECDSA-AES128-SHA
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDH-ECDSA-AES128-SHA
    Session-ID: 1BBE8D6310629A180CD0E4D45FCD3C422563318041187AD0D0F576A834C7103F
    Session-ID-ctx: 
    Master-Key: 4A0A0F5DAAFFE63896BF436F37CDCC20BB262F56E701D1B6E2FC8C1C07C2423C4897A9A49CA9B88B1F97E015D317EC55
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 2a d3 d3 ae 71 2b 7c 07-8d 75 64 fb 6a 9a 7a b0   *...q+|..ud.j.z.
    0010 - fd 65 81 54 be ef 2a df-19 6f 56 99 5c 6d 2d 3f   .e.T..*..oV.\m-?
    0020 - 42 2d 7c 72 a9 a7 91 af-bd a4 72 9c 1a 95 5c ab   B-|r......r...\.
    0030 - ca 4a 90 91 52 b1 66 91-a3 af e0 f3 0a 08 a5 80   .J..R.f.........
    0040 - cc e9 27 68 f9 de 9f bc-bb d2 56 b4 ec e3 05 8f   ..'h......V.....
    0050 - 8d e7 f0 73 53 b6 14 86-23 75 45 6e 33 84 7b 64   ...sS...#uEn3.{d
    0060 - 80 16 18 4a 73 9a 2b 6e-47 02 24 51 91 d6 8d 75   ...Js.+nG.$Q...u
    0070 - a8 1e cd 19 81 ce a1 c8-49 ef 2d eb 36 1c 17 50   ........I.-.6..P
    0080 - bc 77 ab ae 07 1c b8 7b-4b 5c e9 ee d1 ab 72 51   .w.....{K\....rQ
    0090 - f3 31 c4 60 5c 6a 42 4c-d5 49 cd ee 77 47 bf 52   .1.`\jBL.I..wG.R

    Start Time: 1390916554
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
220 (vsFTPd 2.2.2)
DONE

Setting the cipher explicitly using `--ciphers` option is not supported too (either by using ECDH-ECDSA-AES128-SHA and "ecdh_ecdsa_aes_128_sha" names) and results in:
* About to connect() to localhost port 21 (#0)
*   Trying ::1... Connection refused
*   Trying 127.0.0.1... connected
* Connected to localhost (127.0.0.1) port 21 (#0)
< 220 (vsFTPd 2.2.2)
> AUTH SSL
< 234 Proceed with negotiation.
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* Unknown cipher in list: ecdh_ecdsa_aes_128_sha
* NSS error -5978
* Closing connection #0

curl: (59) Unknown cipher in list: ecdh_ecdsa_aes_128_sha

Comment 1 Kamil Dudka 2014-01-28 16:40:11 UTC
I tried the following prior to initiating the TLS handshake:

  for(i=0; i<SSL_NumImplementedCiphers; i++) {
    SSL_CipherPrefSet(model, SSL_ImplementedCiphers[i], PR_TRUE);
  }

... and it did not seem to change anything.  I will need to compile a debug build of NSS.

(In reply to Hubert Kario from comment #0)
> Connection using openssl s_client -starttls ftp -connect localhost:21 is
> successful:

I was unable to get the above working on my rawhide Fedora VM:

$ openssl s_client -starttls ftp -connect localhost:21
CONNECTED(00000003)
139800219838336:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 58 bytes and written 259 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Comment 2 Hubert Kario 2014-01-28 16:46:38 UTC
(In reply to Kamil Dudka from comment #1)
> (In reply to Hubert Kario from comment #0)
> > Connection using openssl s_client -starttls ftp -connect localhost:21 is
> > successful:
> 
> I was unable to get the above working on my rawhide Fedora VM:
> 
> $ openssl s_client -starttls ftp -connect localhost:21
> CONNECTED(00000003)
> 139800219838336:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure:s23_clnt.c:741:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 58 bytes and written 259 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> ---

in my test case, I'm adding the following to vsftpd.conf:
ssl_enable=yes
ssl_ciphers=ECDHE-ECDSA-AES128-SHA
allow_anon_ssl=YES
require_ssl_reuse=NO
ca_certs_file=<path to CA cert file>
rsa_cert_file=<path to server cert file>
rsa_private_key_file=<path to server key file>
ssl_tlsv1=YES

Comment 4 Kamil Dudka 2014-01-29 11:55:33 UTC
Thank you Hubert! The above test works fine on my el7 vm.  I will prepare a patch for curl to make the '--ciphers ecdh_ecdsa_aes_128_sha' option work as expected.

Comment 5 Kamil Dudka 2014-01-29 13:06:27 UTC
fixed upstream:

https://github.com/bagder/curl/compare/53940f883450...665c160f0a46

Comment 21 Ludek Smid 2014-06-13 13:08:33 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.


Note You need to log in before you can comment on or make changes to this bug.