GnuTLS & OpenSSL incompatibility in RHEL
Alexander Rumyantsev
alexander at rumyantsev.com
Tue Sep 23 01:16:35 PDT 2014
OpenSSL on RHEL supports the following curves:
# openssl ecparam -list_curves
secp384r1 : NIST/SECG curve over a 384 bit prime field
secp521r1 : NIST/SECG curve over a 521 bit prime field
prime256v1: X9.62/SECG curve over a 256 bit prime field
So, adding ":-CURVE-SECP192R1:-CURVE-SECP224R1:-CURVE-SECP256R1" to DEFAULT_PRIO in gnutls.c solved the problem, but now I don't know how to implement it correctly: whether to hardcode it or to add an option like "--disable-incompatible-ec".
The main problem is that I can't figure out whether it's a GnuTLS bug, an OpenSSL bug, or a Red Hat bug in the SSL/TLS handshake.
Now I'm occasionally catching the "SSL read error: Success.; reconnecting. Socket connect cancelled" error; will investigate.
On 23 Sep 2014, at 10:42, Alexander Rumyantsev <alexander at rumyantsev.com> wrote:
>
> Hi!
>
> I have ocserv running on RHEL 7 and openconnect on OS X 10.9 + MacPorts.
> Recently I decided to hide ocserv behind haproxy to separate anyconnect connections from browser connections by User-Agent header.
> But I couldn't establish a connection due to the following error: "SSL connection failure: curve not supported"
> I think that's because RHEL ships with a hobbled OpenSSL (against which haproxy was built) with very limited elliptic curve support due to RH Legal's patent fears.
>
> Don't even know how to deal with this, or even whether it's worth dealing with.
>
> P.S. I think a mode of external SSL termination with Unix socket support will be very useful in ocserv.
>
> Best regards,
> Alexander Rumyantsev
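Added example, not code from this thread or from ocserv/openconnect: a POSIX shell helper that reads `openssl ecparam -list_curves` output and emits the `:-CURVE-...` suffix to append to a GnuTLS priority string for every default GnuTLS curve the local OpenSSL lacks. It assumes the five SECP curves listed below as GnuTLS's default set, and maps OpenSSL's prime256v1 to GnuTLS's SECP256R1 (the same curve under its X9.62 name), so for the RHEL list quoted at the top of the message it disables only the 192- and 224-bit curves.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the GnuTLS priority-string
# suffix that disables every curve GnuTLS offers but the local OpenSSL lacks.

# Curves GnuTLS advertises by default; assumed set for this example.
GNUTLS_DEFAULT_CURVES="SECP192R1 SECP224R1 SECP256R1 SECP384R1 SECP521R1"

# Map an OpenSSL curve name to the name GnuTLS uses in CURVE-* tokens.
# prime256v1 is the X9.62 name for secp256r1, so it maps to SECP256R1.
openssl_to_gnutls() {
    case "$1" in
        prime256v1) echo SECP256R1 ;;
        secp*)      printf '%s\n' "$1" | tr 'a-z' 'A-Z' ;;
        *)          echo UNKNOWN ;;
    esac
}

# Read `openssl ecparam -list_curves` output on stdin; print one GnuTLS
# curve name per line for each curve the local OpenSSL supports.
supported_gnutls_curves() {
    while IFS= read -r line; do
        # Each output line looks like "  secp384r1 : NIST/SECG curve ..."
        name=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*\([A-Za-z0-9]*\)[[:space:]]*:.*/\1/p')
        if [ -n "$name" ]; then
            openssl_to_gnutls "$name"
        fi
    done
}

# Print the ":-CURVE-X" suffix to append to the GnuTLS priority string
# (e.g. after NORMAL) so only curves both libraries know are negotiated.
disable_suffix() {
    supported=" $(supported_gnutls_curves | tr '\n' ' ') "
    suffix=""
    for c in $GNUTLS_DEFAULT_CURVES; do
        case "$supported" in
            *" $c "*) ;;                        # OpenSSL has it: keep
            *) suffix="$suffix:-CURVE-$c" ;;    # missing: disable in GnuTLS
        esac
    done
    printf '%s\n' "$suffix"
}

# Constructed sample: the RHEL 7 OpenSSL curve list quoted in the thread.
RHEL_CURVES='  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field'

# Real use: openssl ecparam -list_curves | disable_suffix
printf '%s\n' "$RHEL_CURVES" | disable_suffix
```

A candidate string can be tried against the haproxy endpoint before touching gnutls.c with `gnutls-cli --priority "NORMAL$(openssl ecparam -list_curves | disable_suffix)" host:443`, which performs the same GnuTLS handshake openconnect does.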