Re: [TLS] weird ECDSA interop problem with cloudflare/nginx

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 26 July 2016 10:09 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78F0E12D4FB for <tls@ietfa.amsl.com>; Tue, 26 Jul 2016 03:09:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.187
X-Spam-Level:
X-Spam-Status: No, score=-3.187 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MzFvJkDeMLh2 for <tls@ietfa.amsl.com>; Tue, 26 Jul 2016 03:09:12 -0700 (PDT)
Received: from welho-filter1.welho.com (welho-filter1.welho.com [83.102.41.23]) by ietfa.amsl.com (Postfix) with ESMTP id 59B2312D1C0 for <tls@ietf.org>; Tue, 26 Jul 2016 03:09:11 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by welho-filter1.welho.com (Postfix) with ESMTP id DBCC77B47; Tue, 26 Jul 2016 13:09:10 +0300 (EEST)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter1.welho.com [::ffff:83.102.41.23]) (amavisd-new, port 10024) with ESMTP id PclPAoBabCrG; Tue, 26 Jul 2016 13:09:09 +0300 (EEST)
Received: from LK-Perkele-V2 (87-100-177-32.bb.dnainternet.fi [87.100.177.32]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id B1D67C4; Tue, 26 Jul 2016 13:09:09 +0300 (EEST)
Date: Tue, 26 Jul 2016 13:09:04 +0300
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: Martin Rex <mrex@sap.com>
Message-ID: <20160726100904.GA24234@LK-Perkele-V2.elisa-laajakaista.fi>
References: <05880081-C790-4D4C-9FF0-BA29F47C010A@dukhovni.org> <20160726095225.7E1001A508@ld9781.wdf.sap.corp>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <20160726095225.7E1001A508@ld9781.wdf.sap.corp>
User-Agent: Mutt/1.6.0 (2016-04-01)
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/obrh7MTRcSkH-aMyx8gpPdepuaw>
Cc: tls@ietf.org
Subject: Re: [TLS] weird ECDSA interop problem with cloudflare/nginx
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Jul 2016 10:09:14 -0000

On Tue, Jul 26, 2016 at 11:52:25AM +0200, Martin Rex wrote:
> 
> Sorry for the confusion about the cipher suite.
> 
> The issue seems a little weirder than what I thought, because the
> failure seems to happen only for a particular cipher suite combo
> (which happens to be the combo produced by my own Firefox config):
> 
> I can repro the handshake failure with openssl-1.1.0-pre5 with this
> command line:
> 
> Failure:
> openssl s_client -connect regmedia.co.uk:443 -cipher ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305

If you swap the order of these two ciphersuites, does it suceed or fail?

I.e.

openssl s_client -connect regmedia.co.uk:443 -cipher ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256


Well, your test results certainly blow basic "negotiation accidentially
blows off all valid candidates and then fails" hypothesis out of the
water. So it has to be soemthing more complicated.

Succeeding with the ciphersuites swapped would suggest (as somebody
else in this thread already said) that it only considers Chacha in
the first place, not noticing that it may be the only choice after
certificate selection.


-Ilari