Yugabyte-db: Support EC Ciphers for TLS

Created on 26 Nov 2019 · 3 Comments · Source: yugabyte/yugabyte-db

Seeing this error

I1124 22:12:03.319810 12033 secure_stream.cc:538] SECURE kHandshake { local: 10.142.0.2:7100 remote: 10.142.0.2:59615 }: Handshake failed: Network error (yb/rpc/secure_stream.cc:637): Handshake failed: no shared cipher, address: 10.142.0.2,

when the server cert defines an EC cipher.

Labels: area/docdb, kind/bug

All 3 comments

The issue here was actually because our ca.crt needs to have multiple CAs in it in order to have a complete chain. Since we sign our certificates with an intermediate, just reading a single certificate from ca.crt will result in an incomplete chain, which openssl won't load, and so "no shared cipher" was erroring only because there were no ciphers at all.

I'm not a C/C++ developer at all, so I'm not sure if it's better to loop over the certificates in ca.crt and add them all, but it seems simpler to just let openssl handle that. X509_STORE_load_locations takes either a file or a directory (if we could use a directory that would be preferred, but that would require adding a new gflag).

I confirmed this worked locally for us with a CA file with 3 EC CA certs in it and using an EC certificate:
https://github.com/fastest963/yugabyte-db/commit/35e699c2d919169a3b854fb0978b0ab93c0e4c85

It's a pretty small change, so I'm not sure if it's worth making a PR; it's probably quicker just to have @rahuldesirazu clean it up and commit it.
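As an added example (not code from this issue or from YugabyteDB), a stdlib-only Python check that contrasts the two loading behaviours the comment describes: taking a single certificate from ca.crt versus taking every certificate in the bundle, the way X509_STORE_load_locations does. The three PEM blocks are constructed placeholders whose bodies decode to tiny DER SEQUENCEs, not real certificates; the function names are the example's own.

```python
import base64
import re


def _fake_pem(seq_no):
    """Constructed placeholder block: a well-formed DER SEQUENCE, not a real X.509 cert."""
    der = bytes([0x30, 0x03, 0x02, 0x01, seq_no])  # SEQUENCE { INTEGER seq_no }
    body = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed ca.crt: one root plus two intermediates, as in the reporter's setup.
CA_BUNDLE = _fake_pem(1) + _fake_pem(2) + _fake_pem(3)

_BEGIN = "-----BEGIN CERTIFICATE-----"
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def load_all_certs(pem_text):
    """Fixed behaviour: every certificate in the bundle, as X509_STORE_load_locations loads it."""
    certs = []
    for match in _PEM_BLOCK.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        if not der or der[0] != 0x30:  # DER-encoded X.509 always starts with a SEQUENCE tag
            raise ValueError("PEM block does not contain a DER SEQUENCE")
        certs.append(der)
    # A BEGIN marker without its END means the bundle was truncated or mis-concatenated.
    if pem_text.count(_BEGIN) != len(certs):
        raise ValueError("truncated or unterminated PEM block in bundle")
    return certs


def load_first_cert_only(pem_text):
    """Pre-fix behaviour described in the comment: only the first certificate is read."""
    return load_all_certs(pem_text)[:1]


def missing_intermediates(pem_text):
    """How many CA certificates the single-read path silently drops from the chain."""
    return len(load_all_certs(pem_text)) - len(load_first_cert_only(pem_text))
```

A non-zero result from missing_intermediates is exactly the situation the comment describes: the chain cannot be completed, the server certificate is not loaded, and the handshake surfaces as "no shared cipher".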

Oh that's awesome @fastest963! Do you mind adding yourself to the contributors list - would love to have you as one (for this and the various ways in which you have pushed/tested YugabyteDB): https://github.com/yugabyte/yugabyte-db/blob/master/CONTRIBUTORS.md

TY @fastest963 !!
