i'm trying create secure connection socket.io, , can't achieve now. trying check if certificates rights, tried create basic https server in nodejs.
var fs = require('fs'); var certdir = "/path/to/the/certificates/cert-test/"; require("https").createserver( { key : fs.readfilesync(certdir + 'srv.key'), cert : fs.readfilesync(certdir + 'crt.pem'), }, function(request, response){ response.writeheader(200, {"content-type": "text/plain"}); response.write("hello world!\n"); response.end(); }).listen(8082).on('clienterror', function(e){ console.log(e); }); the equivalent http works fine, it's impossible make 1 work. upgraded node version v0.12.4, npm 2.11.0, https 1.0.0 (and further enquiries, socket.io 1.3.5). server on aws , bitnami instance, ubuntu 12.04.5 lts, kernel version 3.2.0-84-virtual , openssl 1.0.1i.
i try reach server through https://node.inkive.com:8082 (both in browser , curl), never achieve proper handshake.
the server detects following errors :
- [error: 3074971392:error:1408a0c1:ssl routines:ssl3_get_client_hello:no shared cipher:../deps/openssl/openssl/ssl/s3_srvr.c:1389: ]
- [error: 3074971392:error:140a1175:ssl routines:ssl_bytes_to_cipher_list:inappropriate fallback:../deps/openssl/openssl/ssl/ssl_lib.c:1481: ]
i tried check ciphers available on server , ones available on computer, , there many matches. guys, i'm out of ideas, , appreciate help...
edit
output openssl x509 -in crt.pem -inform pem -text -noout :
certificate: data: version: 3 (0x2) serial number: af:b7:19:35:7b:0e:87:38 signature algorithm: sha256withrsaencryption issuer: c=us, st=arizona, l=scottsdale, o=godaddy.com, inc., ou=http://certs.godaddy.com/repository/, cn=go daddy secure certificate authority - g2 validity not before: jan 6 10:11:41 2015 gmt not after : jan 25 08:15:28 2016 gmt subject: ou=domain control validated, cn=inkive.com subject public key info: public key algorithm: rsaencryption public-key: (2048 bit) modulus: 00:ce:93:8c:6a:0a:54:d8:b8:02:94:0d:d4:23:98: 80:98:5e:42:fb:b2:4a:f7:62:68:82:42:32:dc:6f: 5d:02:3a:b8:34:7c:9f:1c:e6:83:94:a3:1a:1e:25: aa:58:69:4b:4d:76:8e:07:73:09:d3:6a:20:65:ad: 40:f5:a4:75:fa:51:79:af:94:1d:c3:39:c0:d4:70: e0:f0:61:e7:26:d8:78:b8:58:7e:0e:85:22:a2:83: 09:69:85:f6:3e:b1:de:80:71:07:88:d8:9f:f9:6a: 8b:d4:ad:61:bc:c2:bb:98:6c:36:71:d8:20:3f:d1: d4:d8:0e:91:d7:eb:42:3f:f3:98:97:fa:c4:cb:78: 04:c2:ef:12:ba:a5:cf:cd:05:44:ad:a1:cc:ff:04: b9:e1:74:ab:09:8a:58:1b:11:e6:f9:8f:28:c2:39: 3d:71:1e:e4:e2:e4:a4:f7:45:94:04:f2:4a:fc:62: ab:b5:9a:18:56:e8:40:4d:12:17:a7:26:07:54:db: 5b:87:99:56:9e:5c:94:28:0d:6c:29:9d:06:56:3b: 5e:c2:1f:6b:1f:6a:90:c2:97:24:77:63:32:26:f5: 25:d6:02:73:61:6b:69:20:39:a7:be:af:51:27:c5: a5:b4:a4:1f:e2:36:fc:15:25:30:fe:08:8f:0a:12: 5f:c9 exponent: 65537 (0x10001) x509v3 extensions: x509v3 basic constraints: critical ca:false x509v3 extended key usage: tls web server authentication, tls web client authentication x509v3 key usage: critical digital signature, key encipherment x509v3 crl distribution points: full name: uri:http://crl.godaddy.com/gdig2s1-87.crl x509v3 certificate policies: policy: 2.16.840.1.114413.1.7.23.1 cps: http://certificates.godaddy.com/repository/ authority information access: ocsp - uri:http://ocsp.godaddy.com/ ca issuers - uri:http://certificates.godaddy.com/repository/gdig2.crt x509v3 authority key identifier: keyid:40:c2:bd:27:8e:cc:34:83:30:a2:33:d7:fb:6c:b3:f0:b4:2c:80:ce x509v3 subject alternative name: dns:inkive.com, dns:www.inkive.com, dns:inkive.me, dns:inkive.net, dns:node.inkive.com x509v3 subject key identifier: 70:fe:a0:b4:00:2e:14:98:b8:ca:bf:c8:63:a7:23:63:7c:fa:48:82 signature algorithm: sha256withrsaencryption 70:b7:dd:2b:ed:b9:7b:4e:4d:b1:13:26:7b:5d:f4:10:1f:28: a4:b8:f5:99:4e:ee:34:56:b1:eb:06:19:d8:14:c8:28:44:fe: 63:f1:2e:58:73:c7:22:57:1a:4f:2c:00:ef:2b:f8:c6:52:09: 71:1a:68:00:35:a0:f8:df:57:c5:98:f8:43:68:ba:b5:ff:3e: e1:a5:ad:6a:85:64:dd:40:72:d1:9d:04:61:54:cc:7c:92:c4: b3:68:6a:77:32:1b:49:ea:6c:7e:28:c7:67:ce:1d:ed:29:49: d6:9c:76:4d:a3:f1:a5:f5:0a:0a:92:72:7e:0a:1a:22:43:32: 18:9f:3f:fe:62:e0:57:ee:92:9d:fb:5f:bd:4b:c9:c4:1d:ba: cb:0d:3c:b9:00:2f:79:fc:5d:cd:df:9e:d7:c9:79:3b:45:c4: 7c:ad:cb:47:6d:8e:82:cc:dd:8e:2d:86:fc:94:4b:bf:9d:8e: 37:37:90:1c:74:73:f1:93:e7:f1:c9:e3:e0:d9:5c:fb:d6:3d: 09:6b:d5:45:ab:47:d2:65:69:6c:af:81:08:35:6c:87:7f:dd: fa:26:2e:8a:bf:4e:53:c1:70:1a:0a:e1:7f:e9:18:c5:82:f1: 90:9e:6c:29:7b:b7:cc:a3:25:3f:7f:8d:f3:b5:58:25:62:56: 64:50:43:b3 output openssl s_client -connect node.inkive.com:8082 -tls1 -servername node.inkive.com:
connected(00000003) 3073997000:error:14094410:ssl routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1262:ssl alert number 40 3073997000:error:1409e0e5:ssl routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:598: --- no peer certificate available --- no client certificate ca names sent --- ssl handshake has read 7 bytes , written 0 bytes --- new, (none), cipher (none) secure renegotiation not supported compression: none expansion: none ssl-session: protocol : tlsv1 cipher : 0000 session-id: session-id-ctx: master-key: key-arg : none psk identity: none psk identity hint: none srp username: none start time: 1433377982 timeout : 7200 (sec) verify return code: 0 (ok) --- i tried openssl s_client -connect node.inkive.com:8082 -tls1_2 -servername node.inkive.com, , here answer got :
connected(00000003) 3074009288:error:14094410:ssl routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1262:ssl alert number 40 3074009288:error:1409e0e5:ssl routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:598: --- no peer certificate available --- no client certificate ca names sent --- ssl handshake has read 7 bytes , written 0 bytes --- new, (none), cipher (none) secure renegotiation not supported compression: none expansion: none ssl-session: protocol : tlsv1.2 cipher : 0000 session-id: session-id-ctx: master-key: key-arg : none psk identity: none psk identity hint: none srp username: none start time: 1433466977 timeout : 7200 (sec) verify return code: 0 (ok) --- by way, in order keep server up, runs forever package (v0.14.1).
available ciphers :
ecdhe-rsa-aes256-gcm-sha384:ecdhe-ecdsa-aes256-gcm-sha384:ecdhe-rsa-aes256-sha384:ecdhe-ecdsa-aes256-sha384:ecdhe-rsa-aes256-sha:ecdhe-ecdsa-aes256-sha:srp-dss-aes-256-cbc-sha:srp-rsa-aes-256-cbc-sha:srp-aes-256-cbc-sha:dhe-dss-aes256-gcm-sha384:dhe-rsa-aes256-gcm-sha384:dhe-rsa-aes256-sha256:dhe-dss-aes256-sha256:dhe-rsa-aes256-sha:dhe-dss-aes256-sha:dhe-rsa-camellia256-sha:dhe-dss-camellia256-sha:ecdh-rsa-aes256-gcm-sha384:ecdh-ecdsa-aes256-gcm-sha384:ecdh-rsa-aes256-sha384:ecdh-ecdsa-aes256-sha384:ecdh-rsa-aes256-sha:ecdh-ecdsa-aes256-sha:aes256-gcm-sha384:aes256-sha256:aes256-sha:camellia256-sha:psk-aes256-cbc-sha:ecdhe-rsa-aes128-gcm-sha256:ecdhe-ecdsa-aes128-gcm-sha256:ecdhe-rsa-aes128-sha256:ecdhe-ecdsa-aes128-sha256:ecdhe-rsa-aes128-sha:ecdhe-ecdsa-aes128-sha:srp-dss-aes-128-cbc-sha:srp-rsa-aes-128-cbc-sha:srp-aes-128-cbc-sha:dhe-dss-aes128-gcm-sha256:dhe-rsa-aes128-gcm-sha256:dhe-rsa-aes128-sha256:dhe-dss-aes128-sha256:dhe-rsa-aes128-sha:dhe-dss-aes128-sha:dhe-rsa-seed-sha:dhe-dss-seed-sha:dhe-rsa-camellia128-sha:dhe-dss-camellia128-sha:ecdh-rsa-aes128-gcm-sha256:ecdh-ecdsa-aes128-gcm-sha256:ecdh-rsa-aes128-sha256:ecdh-ecdsa-aes128-sha256:ecdh-rsa-aes128-sha:ecdh-ecdsa-aes128-sha:aes128-gcm-sha256:aes128-sha256:aes128-sha:seed-sha:camellia128-sha:idea-cbc-sha:psk-aes128-cbc-sha:ecdhe-rsa-rc4-sha:ecdhe-ecdsa-rc4-sha:ecdh-rsa-rc4-sha:ecdh-ecdsa-rc4-sha:rc4-sha:rc4-md5:psk-rc4-sha:ecdhe-rsa-des-cbc3-sha:ecdhe-ecdsa-des-cbc3-sha:srp-dss-3des-ede-cbc-sha:srp-rsa-3des-ede-cbc-sha:srp-3des-ede-cbc-sha:edh-rsa-des-cbc3-sha:edh-dss-des-cbc3-sha:ecdh-rsa-des-cbc3-sha:ecdh-ecdsa-des-cbc3-sha:des-cbc3-sha:psk-3des-ede-cbc-sha:edh-rsa-des-cbc-sha:edh-dss-des-cbc-sha:des-cbc-sha:exp-edh-rsa-des-cbc-sha:exp-edh-dss-des-cbc-sha:exp-des-cbc-sha:exp-rc2-cbc-md5:exp-rc4-md5 output openssl s_client -connect node.inkive.com:8082 -tls1 -cipher "ecdhe-rsa-aes256-gcm-sha384" -servername node.inkive.com
connected(00000003) 3073722568:error:140830b5:ssl routines:ssl3_client_hello:no ciphers available:s3_clnt.c:757: --- no peer certificate available --- no client certificate ca names sent --- ssl handshake has read 0 bytes , written 0 bytes --- new, (none), cipher (none) secure renegotiation not supported compression: none expansion: none ssl-session: protocol : tlsv1 cipher : 0000 session-id: session-id-ctx: master-key: key-arg : none psk identity: none psk identity hint: none srp username: none start time: 1433512430 timeout : 7200 (sec) verify return code: 0 (ok) --- by way, subsidiary question, except http becoming https request of socket.io/socket.io.js file have in order create connection, there else have change able use package on website?
thank you.
here's what's going on.
$ openssl s_client -connect node.inkive.com:8082 -tls1 -servername node.inkive.com -cipher 'high:!anull:!krsa:!psk:!srp:!md5:!rc4' -debug connected(00000003) write 0x7fbb02c23bb0 [0x7fbb0301cc03] (220 bytes => 220 (0xdc)) 0000 - 16 03 01 00 d7 01 00 00-d3 03 01 1e 9d af 6b 4b ..............kk 0010 - ea d5 6c 84 44 b0 13 c5-77 ad 3c 98 4a 50 b3 19 ..l.d...w.<.jp.. 0020 - 5c 84 d4 5e ae 58 dc 76-61 f0 9f 00 00 42 c0 14 \..^.x.va....b.. 0030 - c0 0a 00 39 00 38 00 37-00 36 00 88 00 87 00 86 ...9.8.7.6...... 0040 - 00 85 c0 0f c0 05 c0 13-c0 09 00 33 00 32 00 31 ...........3.2.1 0050 - 00 30 00 45 00 44 00 43-00 42 c0 0e c0 04 c0 12 .0.e.d.c.b...... 0060 - c0 08 00 16 00 13 00 10-00 0d c0 0d c0 03 00 ff ................ 0070 - 02 01 00 00 67 00 00 00-14 00 12 00 00 0f 6e 6f ....g.........no 0080 - 64 65 2e 69 6e 6b 69 76-65 2e 63 6f 6d 00 0b 00 de.inkive.com... 0090 - 04 03 00 01 02 00 0a 00-3a 00 38 00 0e 00 0d 00 ........:.8..... 00a0 - 19 00 1c 00 0b 00 0c 00-1b 00 18 00 09 00 0a 00 ................ 00b0 - 1a 00 16 00 17 00 08 00-06 00 07 00 14 00 15 00 ................ 00c0 - 04 00 05 00 12 00 13 00-01 00 02 00 03 00 0f 00 ................ 00d0 - 10 00 11 00 23 00 00 00-0f 00 01 01 ....#....... read 0x7fbb02c23bb0 [0x7fbb03018603] (5 bytes => 5 (0x5)) 0000 - 15 03 01 00 02 ..... read 0x7fbb02c23bb0 [0x7fbb03018608] (2 bytes => 2 (0x2)) 0000 - 02 28 .( 140735193977308:error:14094410:ssl routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1461:ssl alert number 40 140735193977308:error:1409e0e5:ssl routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645 the read of 15 03 01 00 02 tls record. carries tls payload. 03 01 tls version. 00 02 length of payload.
the next 2 bytes payload, alert. 02 alert, , 28 alert number, 40.
alert 40 handshake failure. according rfc 5246 sent:
7.4.1.3. server hello
when message sent:
server send message in response clienthello message when able find acceptable set of algorithms. if cannot find such match, respond handshake failure alert.
i hate answer question question, protocols , cipher suites enabled @ server?
related, node.js docs create https server this:
var https = require('https'); var fs = require('fs'); var options = { key: fs.readfilesync('/path/to/the/certificates/cert-test/srv.key'), cert: fs.readfilesync('/path/to/the/certificates/cert-test/crt.pem'), }; https.createserver(options, function (req, res) { res.writehead(200); res.end("hello world\n"); }).listen(8082); you should try since official way create one. function(request, response){...}).listen(8082) looks odd me.
from edit:
available ciphers :
ecdhe-rsa-aes256-gcm-sha384:ecdhe-ecdsa-aes256-gcm-sha384:ecdhe-rsa-aes256-sha384:... ... exp-edh-dss-des-cbc-sha:exp-des-cbc-sha:exp-rc2-cbc-md5:exp-rc4-md5
use "high:!anull:!krsa:!md5:!rc4:!psk:!srp:!dss:!dsa". integer , elliptic curve diffie-hellman, , avoid obsolete cryptography warnings in browsers.
also, don't enable srp , psk unless using them. don't enable dss unless have dss/dsa key. , need anull because anonymous protocols enabled default in openssl. , don't enable export grade cipher suites (exp). , don't enable medium or low matter. modern user agents have no trouble high.
using string above, here ciphers enabling:
$ openssl ciphers -v 'high:!anull:!krsa:!md5:!rc4:!psk:!srp:!dss:!dsa' ecdhe-rsa-aes256-gcm-sha384 tlsv1.2 kx=ecdh au=rsa enc=aesgcm(256) mac=aead ecdhe-ecdsa-aes256-gcm-sha384 tlsv1.2 kx=ecdh au=ecdsa enc=aesgcm(256) mac=aead ecdhe-rsa-aes256-sha384 tlsv1.2 kx=ecdh au=rsa enc=aes(256) mac=sha384 ecdhe-ecdsa-aes256-sha384 tlsv1.2 kx=ecdh au=ecdsa enc=aes(256) mac=sha384 ecdhe-rsa-aes256-sha sslv3 kx=ecdh au=rsa enc=aes(256) mac=sha1 ecdhe-ecdsa-aes256-sha sslv3 kx=ecdh au=ecdsa enc=aes(256) mac=sha1 dh-dss-aes256-gcm-sha384 tlsv1.2 kx=dh/dss au=dh enc=aesgcm(256) mac=aead dh-rsa-aes256-gcm-sha384 tlsv1.2 kx=dh/rsa au=dh enc=aesgcm(256) mac=aead dhe-rsa-aes256-gcm-sha384 tlsv1.2 kx=dh au=rsa enc=aesgcm(256) mac=aead dhe-rsa-aes256-sha256 tlsv1.2 kx=dh au=rsa enc=aes(256) mac=sha256 dh-rsa-aes256-sha256 tlsv1.2 kx=dh/rsa au=dh enc=aes(256) mac=sha256 dh-dss-aes256-sha256 tlsv1.2 kx=dh/dss au=dh enc=aes(256) mac=sha256 dhe-rsa-aes256-sha sslv3 kx=dh au=rsa enc=aes(256) mac=sha1 dh-rsa-aes256-sha sslv3 kx=dh/rsa au=dh enc=aes(256) mac=sha1 dh-dss-aes256-sha sslv3 kx=dh/dss au=dh enc=aes(256) mac=sha1 dhe-rsa-camellia256-sha sslv3 kx=dh au=rsa enc=camellia(256) mac=sha1 dh-rsa-camellia256-sha sslv3 kx=dh/rsa au=dh enc=camellia(256) mac=sha1 dh-dss-camellia256-sha sslv3 kx=dh/dss au=dh enc=camellia(256) mac=sha1 ecdh-rsa-aes256-gcm-sha384 tlsv1.2 kx=ecdh/rsa au=ecdh enc=aesgcm(256) mac=aead ecdh-ecdsa-aes256-gcm-sha384 tlsv1.2 kx=ecdh/ecdsa au=ecdh enc=aesgcm(256) mac=aead ecdh-rsa-aes256-sha384 tlsv1.2 kx=ecdh/rsa au=ecdh enc=aes(256) mac=sha384 ecdh-ecdsa-aes256-sha384 tlsv1.2 kx=ecdh/ecdsa au=ecdh enc=aes(256) mac=sha384 ecdh-rsa-aes256-sha sslv3 kx=ecdh/rsa au=ecdh enc=aes(256) mac=sha1 ecdh-ecdsa-aes256-sha sslv3 kx=ecdh/ecdsa au=ecdh enc=aes(256) mac=sha1 ecdhe-rsa-aes128-gcm-sha256 tlsv1.2 kx=ecdh au=rsa enc=aesgcm(128) mac=aead ecdhe-ecdsa-aes128-gcm-sha256 tlsv1.2 kx=ecdh au=ecdsa enc=aesgcm(128) mac=aead ecdhe-rsa-aes128-sha256 tlsv1.2 kx=ecdh au=rsa enc=aes(128) mac=sha256 ecdhe-ecdsa-aes128-sha256 tlsv1.2 kx=ecdh au=ecdsa enc=aes(128) mac=sha256 ecdhe-rsa-aes128-sha sslv3 kx=ecdh au=rsa enc=aes(128) mac=sha1 ecdhe-ecdsa-aes128-sha sslv3 kx=ecdh au=ecdsa enc=aes(128) mac=sha1 dh-dss-aes128-gcm-sha256 tlsv1.2 kx=dh/dss au=dh enc=aesgcm(128) mac=aead dh-rsa-aes128-gcm-sha256 tlsv1.2 kx=dh/rsa au=dh enc=aesgcm(128) mac=aead dhe-rsa-aes128-gcm-sha256 tlsv1.2 kx=dh au=rsa enc=aesgcm(128) mac=aead dhe-rsa-aes128-sha256 tlsv1.2 kx=dh au=rsa enc=aes(128) mac=sha256 dh-rsa-aes128-sha256 tlsv1.2 kx=dh/rsa au=dh enc=aes(128) mac=sha256 dh-dss-aes128-sha256 tlsv1.2 kx=dh/dss au=dh enc=aes(128) mac=sha256 dhe-rsa-aes128-sha sslv3 kx=dh au=rsa enc=aes(128) mac=sha1 dh-rsa-aes128-sha sslv3 kx=dh/rsa au=dh enc=aes(128) mac=sha1 dh-dss-aes128-sha sslv3 kx=dh/dss au=dh enc=aes(128) mac=sha1 dhe-rsa-camellia128-sha sslv3 kx=dh au=rsa enc=camellia(128) mac=sha1 dh-rsa-camellia128-sha sslv3 kx=dh/rsa au=dh enc=camellia(128) mac=sha1 dh-dss-camellia128-sha sslv3 kx=dh/dss au=dh enc=camellia(128) mac=sha1 ecdh-rsa-aes128-gcm-sha256 tlsv1.2 kx=ecdh/rsa au=ecdh enc=aesgcm(128) mac=aead ecdh-ecdsa-aes128-gcm-sha256 tlsv1.2 kx=ecdh/ecdsa au=ecdh enc=aesgcm(128) mac=aead ecdh-rsa-aes128-sha256 tlsv1.2 kx=ecdh/rsa au=ecdh enc=aes(128) mac=sha256 ecdh-ecdsa-aes128-sha256 tlsv1.2 kx=ecdh/ecdsa au=ecdh enc=aes(128) mac=sha256 ecdh-rsa-aes128-sha sslv3 kx=ecdh/rsa au=ecdh enc=aes(128) mac=sha1 ecdh-ecdsa-aes128-sha sslv3 kx=ecdh/ecdsa au=ecdh enc=aes(128) mac=sha1 ecdhe-rsa-des-cbc3-sha sslv3 kx=ecdh au=rsa enc=3des(168) mac=sha1 ecdhe-ecdsa-des-cbc3-sha sslv3 kx=ecdh au=ecdsa enc=3des(168) mac=sha1 edh-rsa-des-cbc3-sha sslv3 kx=dh au=rsa enc=3des(168) mac=sha1 dh-rsa-des-cbc3-sha sslv3 kx=dh/rsa au=dh enc=3des(168) mac=sha1 dh-dss-des-cbc3-sha sslv3 kx=dh/dss au=dh enc=3des(168) mac=sha1 ecdh-rsa-des-cbc3-sha sslv3 kx=ecdh/rsa au=ecdh enc=3des(168) mac=sha1 ecdh-ecdsa-des-cbc3-sha sslv3 kx=ecdh/ecdsa au=ecdh enc=3des(168) mac=sha1 
Comments
Post a Comment