Project

General

Profile

Actions

Todo #9897

closed

Warn user when using incompatible ECDSA cert curves for WebGUI

Added by Viktor Gurov over 4 years ago. Updated over 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Web Interface
Target version:
Start date:
11/14/2019
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:

Description

if you create ECDSA server cert ( https://redmine.pfsense.org/issues/9843 ) and set it to WebGUI HTTPS,
you got such error in browser:

SSL_ERROR_NO_CYPHER_OVERLAP

in system.log:
nginx: 2019/11/14 14:25:44 [error] 94513#100423: accept4() failed (53: Software caused connection abort)

pfSense 2.5.0.a.20191113.1759

Actions #1

Updated by Jim Pingle over 4 years ago

  • Assignee set to Jim Pingle
  • Target version set to 2.5.0

It works fine with the right curve. Only prime256v1 and secp384r1 will work from our list with TLS v1.3. See c3cda38e0a091bca767a68889a390e00c129c73e

Though we probably need some way to warn the user about that.

Actions #2

Updated by Jim Pingle over 4 years ago

  • Tracker changed from Bug to Todo
  • Subject changed from can't use ECDSA certs for WebGUI to Warn user when using incompatible ECDSA cert curves for WebGUI
  • Affected Version deleted (2.5.0)
Actions #4

Updated by Jim Pingle over 4 years ago

  • Status changed from New to In Progress
Actions #5

Updated by Jim Pingle over 4 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100
Actions #6

Updated by Viktor Gurov over 4 years ago

Make central functions to check and test ECDSA compatibility. Issue #9843
Filter incompatible certificates from being offered for the GUI or Captive Portal. Implements #9897 - tested WebGUI and Captive, OK
Do the same for IPsec, which implements #4991 - tested, OK
Add a check for key type when generating ipsec.secrets to allow ECDSA certs to work in IPsec for issue #4991 - OK

Firefox/Opera/Safari also support secp521r1, but not IE/Edge/Chrome. see https://www.ssllabs.com/ssltest/clients.html

Actions #7

Updated by Jim Pingle over 4 years ago

  • Status changed from Feedback to Resolved

I didn't put secp521r1 on the HTTP list for that reason. If it isn't widely compatible, it's best not to recommend it. We can always add it later if those browsers change their minds. The fact that Chrome had it and then dropped it makes it more confusing, so I'd rather err on the side of not having people pick it thinking it will work.

Actions

Also available in: Atom PDF