Project

General

Profile

Todo #9897

Warn user when using incompatible ECDSA cert curves for WebGUI

Added by Viktor Gurov 4 months ago. Updated 4 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Web Interface
Target version:
Start date:
11/14/2019
Due date:
% Done:

100%

Estimated time:

Description

if you create ECDSA server cert ( https://redmine.pfsense.org/issues/9843 ) and set it to WebGUI HTTPS,
you got such error in browser:

SSL_ERROR_NO_CYPHER_OVERLAP

in system.log:
nginx: 2019/11/14 14:25:44 [error] 94513#100423: accept4() failed (53: Software caused connection abort)

pfSense 2.5.0.a.20191113.1759

Associated revisions

Revision cffcf9bf (diff)
Added by Jim Pingle 4 months ago

GUI improvements for ECDSA certificate handling

  • Make central functions to check and test ECDSA compatibility. Issue #9843
  • Filter incompatible certificates from being offered for the GUI or Captive Portal. Implements #9897
  • Do the same for IPsec, which implements #4991
  • Add a check for key type when generating ipsec.secrets to allow ECDSA certs to work in IPsec for issue #4991

Note that as of this moment, the following curves are known to be compatible:
HTTPS (GUI, Captive Portal): prime256v1, secp384r1
IPsec: prime256v1, secp384r1, secp521r1

Results may vary in other areas which are not yet well-tested, and in packages.

History

#1 Updated by Jim Pingle 4 months ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

It works fine with the right curve. Only prime256v1 and secp384r1 will work from our list with TLS v1.3. See c3cda38e0a091bca767a68889a390e00c129c73e

Though we probably need some way to warn the user about that.

#2 Updated by Jim Pingle 4 months ago

  • Tracker changed from Bug to Todo
  • Subject changed from can't use ECDSA certs for WebGUI to Warn user when using incompatible ECDSA cert curves for WebGUI
  • Affected Version deleted (2.5.0)

#4 Updated by Jim Pingle 4 months ago

  • Status changed from New to In Progress

#5 Updated by Jim Pingle 4 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

#6 Updated by Viktor Gurov 4 months ago

Make central functions to check and test ECDSA compatibility. Issue #9843
Filter incompatible certificates from being offered for the GUI or Captive Portal. Implements #9897 - tested WebGUI and Captive, OK
Do the same for IPsec, which implements #4991 - tested, OK
Add a check for key type when generating ipsec.secrets to allow ECDSA certs to work in IPsec for issue #4991 - OK

Firefox/Opera/Safari also support secp521r1, but not IE/Edge/Chrome. see https://www.ssllabs.com/ssltest/clients.html

#7 Updated by Jim Pingle 4 months ago

  • Status changed from Feedback to Resolved

I didn't put secp521r1 on the HTTP list for that reason. If it isn't widely compatible, it's best not to recommend it. We can always add it later if those browsers change their minds. The fact that Chrome had it and then dropped it makes it more confusing, so I'd rather err on the side of not having people pick it thinking it will work.

Also available in: Atom PDF