Bug #27665

Add ability to accept ECC keys for Nginx

Added by Eric Light over 1 year ago. Updated 5 months ago.

Status:
Done
Priority:
No priority
Assignee:
Waqar Ahmed
Category:
Middleware
Target version:
Seen in:
Severity:
Medium
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:

CPU - Intel Xeon CPU E3-1231 v3 @ 3.40GHz
RAM - 24497MB
2x Intel SSDs for Boot (RAID)
4x 4TB WD HDDs (RAID10)

ChangeLog Required:
No

Description

Hi team,

I've purchased a PositiveSSL Wildcard certificate, using Elliptic Curve crypto (prime256v1). The CSR was created like so:

openssl ecparam -out wildcard.key -name prime256v1 -genkey
openssl req -new -key wildcard.key -out wildcard.csr

The CN was *.ad.example.com.

I've installed this certificate on other Nginx servers and it's being used fine.

The certificate, along with its key, was successfully uploaded to the WebGUI under General -> Certificates -> Import Certificate.

For now, I've imported JUST the certificate (not the intermediate or root). However the behaviour is the same regardless of the chain being in-place. It's also the same regardless of the order of the chain.

The certificate imports fine, and it is present within /etc/certificates.

However when I enable HTTP+HTTPS under General, I receive the following Alert:

"WARNING: Jan. 6, 2018, 8:54 p.m. - HTTP SSL certificate is not valid, failling back to HTTP"

I can also confirm that /usr/local/etc/nginx/nginx.conf does not refer to the certificate, the key, or port 443.

However if I modify /usr/local/etc/nginx/nginx.conf, and manually add the three SSL lines, everything works fine:

    server {
        server_name  localhost;
        listen       10.20.x.y:80;

        listen 443 ssl http2;
        ssl_certificate /etc/certificates/wildcard.crt;
        ssl_certificate_key /etc/certificates/wildcard.key;

When I restart Nginx after this, I'm able to successfully browse to my server over HTTPS without any errors or browser warnings.

Happy to provide additional information for diagnosis.


Related issues

Related to FreeNAS - Feature #62655: Add support for ECDSA private keys and parsing certificate attributes (Ready for Testing)

Associated revisions

Revision 4b15c24b (diff)
Added by Waqar Ahmed about 1 year ago

Accept ECC keys for Nginx

This commit adds the ability for nginx to accept EC keys as well for SSL
Ticket: #27665

Revision c2c5173c (diff)
Added by Waqar Ahmed about 1 year ago

Accept ECC keys for Nginx

This commit adds the ability for nginx to accept EC keys as well for SSL
Ticket: #27665

Revision 3b89cf2f (diff)
Added by Waqar Ahmed about 1 year ago

Accept ECC keys for Nginx

This commit adds the ability for nginx to accept EC keys as well for SSL
Ticket: #27665

Revision bc09fbd4 (diff)
Added by Waqar Ahmed about 1 year ago

Accept ECC keys for Nginx

This commit adds the ability for nginx to accept EC keys as well for SSL
Ticket: #27665

Revision a4184f40 (diff)
Added by Waqar Ahmed about 1 year ago

Accept ECC keys for Nginx

This commit adds the ability for nginx to accept EC keys as well for SSL
Ticket: #27665

Revision 3a156d98 (diff)
Added by Waqar Ahmed about 1 year ago

Accept ECC keys for Nginx

This commit adds the ability for nginx to accept EC keys as well for SSL
Ticket: #27665

Revision da129533 (diff)
Added by Waqar Ahmed about 1 year ago

Accept ECC keys for Nginx

This commit adds the ability for nginx to accept EC keys as well for SSL
Ticket: #27665

History

#1 Updated by Dru Lavigne over 1 year ago

  • Assignee changed from Release Council to Vladimir Vinogradenko
  • Target version set to 11.2-BETA1

#2 Updated by Vladimir Vinogradenko over 1 year ago

  • Status changed from Unscreened to 15

Eric Light, please provide output of the following commands:

openssl x509 -in /etc/certificates/wildcard.crt -noout -text -dates -purpose
echo $?
openssl rsa -in /etc/certificates/wildcard.key -check -noout
echo $?
openssl rsa -in /etc/certificates/wildcard.key -text -noout

#3 Updated by Eric Light over 1 year ago

Hi Vladimir,

Sure - posted below. The openssl rsa commands failed, of course, because it's an ECDH key, not RSA. So I've posted your commands plus an ec one.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

root@:~ # openssl x509 -in /etc/certificates/wildcard.crt -noout -text -dates -purpose

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            86:77:47:c4:e4:bf:b5:f0:f3:c0:78:d0:0d:b3:13:4f
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO ECC Domain Validation Secure Server CA
        Validity
            Not Before: Jan  6 00:00:00 2018 GMT
            Not After : Jan  5 23:59:59 2021 GMT
        Subject: OU=Domain Control Validated, OU=PositiveSSL Wildcard, CN=*.{redacted}
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub: 
                    04:9f:e6:c6:51:25:15:37:12:1c:5a:33:0a:76:4b:
                    c3:66:1f:1a:f4:d0:ef:f6:af:b7:c4:49:87:dd:53:
                    a0:cf:09:31:b0:3b:cd:d6:11:61:5a:f2:92:1b:21:
                    13:a5:1c:df:f0:de:f1:fc:c7:49:14:35:b6:de:1b:
                    c8:2c:14:12:00
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:BB:FA:08:E0:BF:54:EE:5A:FD:16:A4:35:02:09:A9:A4:C8:EC:FD:4B

            X509v3 Subject Key Identifier: 
                A5:81:C6:CC:E7:46:3A:53:17:34:F6:EA:7B:52:46:AB:08:62:46:65
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Certificate Policies: 
                Policy: 1.3.6.1.4.1.6449.1.2.2.7
                  CPS: https://secure.comodo.com/CPS
                Policy: 2.23.140.1.2.1

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl.comodoca.com/COMODOECCDomainValidationSecureServerCA.crl

            Authority Information Access: 
                CA Issuers - URI:http://crt.comodoca.com/COMODOECCDomainValidationSecureServerCA.crt
                OCSP - URI:http://ocsp.comodoca.com

            X509v3 Subject Alternative Name: 
                DNS:*.{redacted}, DNS:{redacted}
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:9e:cf:ea:09:5f:7a:7a:20:63:fa:50:5c:d8:
         fe:14:33:09:46:63:92:d4:10:69:4f:41:2f:a8:48:4d:3c:af:
         ac:02:20:2c:1b:55:fe:59:9b:ea:0a:f9:05:a7:34:be:ed:6c:
         0e:5e:dc:37:e2:aa:a3:32:97:8f:52:7a:77:9e:be:bb:2d
notBefore=Jan  6 00:00:00 2018 GMT
notAfter=Jan  5 23:59:59 2021 GMT
Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : No
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No

root@:~ # echo $?
0

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

root@:~ # openssl rsa -in /etc/certificates/wildcard.key -check -noout
34380832840:error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key:/freenas-11-releng/freenas/_BE/os/crypto/openssl/crypto/evp/p_lib.c:287:

root@:~ # echo $?
1

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

root@:~ # openssl rsa -in /etc/certificates/wildcard.key -text -noout

34380832840:error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key:/freenas-11-releng/freenas/_BE/os/crypto/openssl/crypto/evp/p_lib.c:287:

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

root@:~ # openssl ec -in /etc/certificates/wildcard.key -text -noout
read EC key
Private-Key: (256 bit)
priv:
    <snip>
pub: 
    04:9f:e6:c6:51:25:15:37:12:1c:5a:33:0a:76:4b:
    c3:66:1f:1a:f4:d0:ef:f6:af:b7:c4:49:87:dd:53:
    a0:cf:09:31:b0:3b:cd:d6:11:61:5a:f2:92:1b:21:
    13:a5:1c:df:f0:de:f1:fc:c7:49:14:35:b6:de:1b:
    c8:2c:14:12:00
ASN1 OID: prime256v1
NIST CURVE: P-256

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

There isn't an "openssl ec -check" function, so I can't send you one for that.

Hope this helps!
E
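
The output above shows the whole problem in two commands: openssl rsa rejects the key with "expecting an rsa key", while openssl ec reads it and prints the same P-256 public point that appears in the certificate. The check below is an added example written for this ticket; it is not the FreeNAS middleware's validation code and not something the reporter or Vladimir posted. It assumes the openssl command-line tool (1.1.x or 3.x) is in PATH and a POSIX sh. The key_type helper reproduces the rsa-then-ec probe that comment #3 ran by hand, and check_tls_pair does what a key-type-agnostic importer should do before writing ssl_certificate/ssl_certificate_key into nginx.conf: parse the key with the generic openssl pkey reader, confirm the key's public half equals the certificate's SubjectPublicKeyInfo, and confirm the certificate is an unexpired TLS server certificate. The demo generates throwaway self-signed material inline (an EC P-256 pair made the way the description does, plus an RSA pair and a deliberate mismatch); no real CA or the reporter's actual files are involved.

```shell
#!/bin/sh
# Key-type-agnostic validation of a TLS certificate/private-key pair.
# Added example for ticket #27665; not the FreeNAS middleware's own code.
# Assumes: openssl CLI in PATH, POSIX sh.

# key_type KEYFILE: print "rsa", "ec" or "unknown" by trying the
# algorithm-specific parsers in turn. A check that stops after the
# first probe is exactly what rejected the reporter's P-256 key.
key_type() {
  if openssl rsa -in "$1" -noout >/dev/null 2>&1; then
    echo rsa
  elif openssl ec -in "$1" -noout >/dev/null 2>&1; then
    echo ec
  else
    echo unknown
  fi
}

# check_tls_pair CERTFILE KEYFILE: return 0 if nginx could serve with the
# pair, otherwise report the first failing check on stderr and return 1.
check_tls_pair() {
  cert=$1
  key=$2

  # 1. The key must parse as some private key; 'pkey' reads RSA, EC, etc.
  openssl pkey -in "$key" -noout >/dev/null 2>&1 \
    || { echo "$key: not a parseable private key" >&2; return 1; }

  # 2. The certificate must parse; keep its public key (PEM SPKI) for step 3.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "$cert: not a parseable X.509 certificate" >&2; return 1; }

  # 3. The key's public half must equal the certificate's SubjectPublicKeyInfo.
  #    Both commands emit a PEM "PUBLIC KEY" block, so a plain string compare
  #    works for any key algorithm.
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "$key: cannot derive public key" >&2; return 1; }
  [ "$key_pub" = "$cert_pub" ] \
    || { echo "$key does not match $cert" >&2; return 1; }

  # 4. Not expired right now (-checkend 0 fails once notAfter has passed).
  openssl x509 -in "$cert" -noout -checkend 0 >/dev/null \
    || { echo "$cert: expired" >&2; return 1; }

  # 5. Usable for TLS server authentication according to its KU/EKU extensions
  #    (the same "SSL server : Yes" line that -purpose printed in comment #3).
  openssl x509 -in "$cert" -noout -purpose 2>/dev/null | grep -q '^SSL server : Yes' \
    || { echo "$cert: not valid for TLS server use" >&2; return 1; }

  echo "$cert + $key ($(key_type "$key")) OK"
  return 0
}

# Stand-alone demo on constructed, throwaway self-signed material.
demo() {
  tmp=$(mktemp -d)
  # EC P-256 key generated as in the ticket description (-noout drops the
  # separate EC PARAMETERS block; nginx and pkey accept either form).
  openssl ecparam -genkey -name prime256v1 -noout -out "$tmp/ec.key" 2>/dev/null
  openssl req -x509 -new -key "$tmp/ec.key" -subj "/CN=*.ad.example.com" \
    -days 2 -out "$tmp/ec.crt" 2>/dev/null
  openssl genrsa -out "$tmp/rsa.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$tmp/rsa.key" -subj "/CN=rsa.example.com" \
    -days 2 -out "$tmp/rsa.crt" 2>/dev/null

  check_tls_pair "$tmp/ec.crt"  "$tmp/ec.key"      # EC pair: accepted
  check_tls_pair "$tmp/rsa.crt" "$tmp/rsa.key"     # RSA pair: accepted
  check_tls_pair "$tmp/ec.crt"  "$tmp/rsa.key" \
    || echo "mismatched key rejected as expected"  # wrong key: rejected
  rm -rf "$tmp"
}

if [ $# -eq 2 ]; then
  check_tls_pair "$1" "$2"
elif [ $# -eq 0 ]; then
  demo
fi
```

Run it with no arguments for the demo, or as "sh check_tls_pair.sh /etc/certificates/wildcard.crt /etc/certificates/wildcard.key" against real files. Two caveats: this validates the leaf certificate and its key only, so a broken or missing intermediate chain is not caught (openssl verify with the CA bundle covers that), and the key/cert match in step 3 is the check that actually protects the service: writing a non-matching pair into nginx.conf makes nginx refuse to start rather than fall back to HTTP.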

#4 Updated by Vladimir Vinogradenko over 1 year ago

  • Assignee changed from Vladimir Vinogradenko to William Grzybowski

Thank you. We need to add support for ECC keys for nginx (we assume only RSA keys now). William, do you agree to proceed?

#5 Updated by William Grzybowski over 1 year ago

  • Assignee changed from William Grzybowski to Vladimir Vinogradenko

I see no reason not to. However please give this a lower priority since it's not a regression. We probably have higher priority items that need to be addressed by 11.2. In other words, only if we have enough time.

#6 Updated by Dru Lavigne over 1 year ago

  • Status changed from 15 to Screened
  • Target version changed from 11.2-BETA1 to 11.3
  • Seen in changed from TrueNAS 11.1-U1 to 11.1

#7 Updated by Kris Moore over 1 year ago

  • Status changed from Screened to Not Started

#8 Updated by Ben Gadd over 1 year ago

  • Target version changed from 11.3 to Backlog

#9 Updated by Vladimir Vinogradenko over 1 year ago

  • Severity set to Medium

#10 Updated by William Grzybowski about 1 year ago

  • Category changed from GUI (new) to Middleware

#11 Updated by William Grzybowski about 1 year ago

  • Assignee changed from Vladimir Vinogradenko to Waqar Ahmed

#12 Updated by Waqar Ahmed about 1 year ago

  • Status changed from Not Started to In Progress

#13 Updated by William Grzybowski about 1 year ago

  • Target version changed from Backlog to 11.3
  • Needs Merging changed from Yes to No

#14 Updated by Waqar Ahmed about 1 year ago

  • Status changed from In Progress to Ready for Testing

#15 Updated by Dru Lavigne 9 months ago

  • Subject changed from FreeNAS 11.1 rejects functional SSL certificates to Add ability to accept ECC keys for Nginx
  • Needs Doc changed from Yes to No

#16 Updated by Dru Lavigne 7 months ago

  • Target version changed from 11.3 to 11.3-BETA1

#18 Updated by Waqar Ahmed 6 months ago

  • Related to Feature #62655: Add support for ECDSA private keys and parsing certificate attributes added

#19 Updated by Dru Lavigne 6 months ago

  • Status changed from Ready for Testing to Done
  • Needs QA changed from Yes to No

#20 Updated by Dru Lavigne 5 months ago

  • Target version changed from 11.3-BETA1 to 11.3-ALPHA1