Authenticated Origin Pulls: Bad handshake (wrong curve)

bug

#1

Hello,
I have been using Authenticated Origin Pulls for months without any issue but it stopped working when I upgraded my server. I think the upgrade to OpenSSL 1.1.1a triggered it. Basically, in my Nginx vhost, I have the following:
ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;
with cloudflare.crt being the file available here: https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls
Now, when I try to visit my websites with those 2 lines, I’m getting Error 525: SSL handshake failed
On the server side, I have the following line in the logs:
[crit] 26129#26129: *1 SSL_do_handshake() failed (SSL: error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve) while SSL handshaking, client: 162.158.126.90, server: 0.0.0.0:443
I think something changed in the way OpenSSL verifies certificates and that breaks my configuration.
Thanks!
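The nginx error line quoted above carries the OpenSSL error code, the failing routine and the reason string, which is what you want to key on when monitoring an origin for handshake failures from Cloudflare's edge. The following is an added example (not code from the thread or from Cloudflare) that parses lines in that format and aggregates failures by reason and by client IP; the log lines are constructed from the one in the post, and the second client address and the "certificate verify failed" line are assumed sample data.

```python
import re
from collections import Counter

# Pattern for the nginx error-log line shown in the thread (constructed to match that layout):
# [crit] PID#TID: *CONN SSL_do_handshake() failed (SSL: error:CODE:LIB:FUNC:REASON) ...
NGINX_SSL_ERR = re.compile(
    r"\[(?P<level>\w+)\] (?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) "
    r"SSL_do_handshake\(\) failed \(SSL: error:(?P<code>[0-9A-Fa-f]{8}):"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^)]+)\) while SSL handshaking, "
    r"client: (?P<client>[^,]+), server: (?P<server>\S+)"
)

# Constructed sample log: the line from the post, a repeat of it, one different
# OpenSSL failure from an assumed second client, and an unrelated nginx notice.
SAMPLE_LOG = [
    "[crit] 26129#26129: *1 SSL_do_handshake() failed (SSL: error:1414D17A:SSL routines:"
    "tls12_check_peer_sigalg:wrong curve) while SSL handshaking, client: 162.158.126.90, "
    "server: 0.0.0.0:443",
    "[crit] 26129#26129: *2 SSL_do_handshake() failed (SSL: error:1414D17A:SSL routines:"
    "tls12_check_peer_sigalg:wrong curve) while SSL handshaking, client: 162.158.126.90, "
    "server: 0.0.0.0:443",
    "[crit] 26129#26129: *3 SSL_do_handshake() failed (SSL: error:1417C086:SSL routines:"
    "tls_process_client_certificate:certificate verify failed) while SSL handshaking, "
    "client: 198.51.100.7, server: 0.0.0.0:443",
    "[notice] 26129#26129: signal process started",
]


def parse_handshake_failure(line):
    """Return a dict of fields for an SSL_do_handshake() failure line, else None."""
    m = NGINX_SSL_ERR.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["conn"] = int(rec["conn"])
    return rec


def summarize(lines):
    """Count handshake failures by (OpenSSL function, reason) and by client IP.

    A spike in one (func, reason) pair across many edge IPs after an upgrade
    points at a server-side config/library change rather than a single bad client.
    """
    by_reason, by_client = Counter(), Counter()
    for line in lines:
        rec = parse_handshake_failure(line)
        if rec is None:
            continue  # not a handshake failure; ignore
        by_reason[(rec["func"], rec["reason"])] += 1
        by_client[rec["client"]] += 1
    return by_reason, by_client
```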


#2

wrong curve

would make me think something is wrong about the cipher configuration.

Have you already tried playing with http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_ecdh_curve?


#3

My configuration was:
ssl_ecdh_curve prime256v1;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

Changing ssl_ecdh_curve to prime256v1:secp384r1 or auto does not resolve the issue. I found this https://github.com/cloudflare/sslconfig/blob/master/conf but the cipher line was not working. I tried to use the other lines with my current ciphers with no success.


#4

That's a case for a support ticket then and/or @cloonan/@cscharff


#5

I emailed the support and will update the topic when they reply. I am almost certain this has to do with OpenSSL 1.1.1 since the exact same configuration used to work with previous versions. Surely I am not the only one affected.

Thanks anyway!


#6

There is a good chance it is because of the update. I’d check what has changed between these two versions and based on that try to narrow down what the reason in different behaviour is.

Additionally to contacting Cloudflare you might also want to ask in the OpenSSL mailing lists.


#7

I agree with that, but I don't see any history on the error. I do see your ticket and have added myself and some details to it.

