Todo #9897
closed
Warn user when using incompatible ECDSA cert curves for WebGUI
100%
Description
if you create ECDSA server cert ( https://redmine.pfsense.org/issues/9843 ) and set it to WebGUI HTTPS,
you got such error in browser:
SSL_ERROR_NO_CYPHER_OVERLAP
in system.log:
nginx: 2019/11/14 14:25:44 [error] 94513#100423: accept4() failed (53: Software caused connection abort)
pfSense 2.5.0.a.20191113.1759
Updated by Jim Pingle about 5 years ago
- Assignee set to Jim Pingle
- Target version set to 2.5.0
It works fine with the right curve. Only prime256v1 and secp384r1 will work from our list with TLS v1.3. See c3cda38e0a091bca767a68889a390e00c129c73e
Though we probably need some way to warn the user about that.
Updated by Jim Pingle about 5 years ago
- Tracker changed from Bug to Todo
- Subject changed from can't use ECDSA certs for WebGUI to Warn user when using incompatible ECDSA cert curves for WebGUI
- Affected Version deleted (
2.5.0)
Corrected title.
More discussion: https://forum.netgate.com/topic/148128/ecdsa-curve-certificates-on-2-5-0
Updated by Viktor Gurov about 5 years ago
Updated by Jim Pingle about 5 years ago
- Status changed from In Progress to Feedback
- % Done changed from 0 to 100
Applied in changeset cffcf9bfaa1a054917d3427cbc7885b97db8902c.
Updated by Viktor Gurov about 5 years ago
Make central functions to check and test ECDSA compatibility. Issue #9843
Filter incompatible certificates from being offered for the GUI or Captive Portal. Implements #9897 - tested WebGUI and Captive, OK
Do the same for IPsec, which implements #4991 - tested, OK
Add a check for key type when generating ipsec.secrets to allow ECDSA certs to work in IPsec for issue #4991 - OK
Firefox/Opera/Safari also support secp521r1, but not IE/Edge/Chrome. see https://www.ssllabs.com/ssltest/clients.html
Updated by Jim Pingle about 5 years ago
- Status changed from Feedback to Resolved
I didn't put secp521r1 on the HTTP list for that reason. If it isn't widely compatible, it's best not to recommend it. We can always add it later if those browsers change their minds. The fact that Chrome had it and then dropped it makes it more confusing, so I'd rather err on the side of not having people pick it thinking it will work.