I tried to use ecc from let's encrypt but i always get error chiper mismatch from chrome or
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure from curl
I use openssl (should i enable sslv3 support?)
I tried to use ecc from let's encrypt but i always get error chiper mismatch from chrome or
OpenSSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure from curl
I use openssl (should i enable sslv3 support?)
problem is with installing the certificate for luci (uhttpd)
No. SSLvX (1, 2, or 3) are not secure, which is why TLS only should utilized (TLS is the default, unless one explicitly enables SSLvX).
opkg list-installed | grep curl
opkg list-installed | grep openssl
On a side note...
problem is actually with chrome that doesn't let me open the webui for the chiper error mismatch...
openssl is compiled with all flag in menuconfig (just cause i can ahahah)
i use let's encrypt as i hate the error that cause self signed cert in internet (as i use ddns service)
So how does accessing the WebUI and the curl error message tie together? Accessing the WebUI has zero to do with curl
Please issue the following command openssl x509 -text -noout -in <name_of_webui_cert>
and post the output in a code box
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:74:9b:73:37:da:94:1e:db:8e:1f:1d:f3:69:ac:9b:5e:08
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Validity
Not Before: Jan 25 23:48:38 2018 GMT
Not After : Apr 25 23:48:38 2018 GMT
Subject: CN=www.ansuel.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:1f:fb:16:c4:2c:34:9e:fd:ff:1a:cb:23:d9:28:
03:be:74:78:ac:b7:13:a7:6e:e9:01:79:bd:0b:1b:
0d:ea:c1:13:13:cc:92:48:f5:40:71:35:90:90:58:
e9:13:2b:d1:b1:75:60:36:38:e0:e8:af:82:b8:2d:
34:de:ad:a6:40:25:4e:22:6a:3b:79:66:28:6d:70:
e3:68:41:94:cb:1c:3e:46:4b:7f:45:5c:a8:0b:5f:
a4:b2:30:06:73:24:8e
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
B4:71:C4:1B:1E:CF:1B:8E:02:E4:24:D7:AF:45:93:04:43:F8:72:CA
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:ansuel.com, DNS:rm-home.ansuel.com, DNS:ta-home.ansuel.com, DNS:www.ansuel.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
Signature Algorithm: sha256WithRSAEncryption
19:52:bb:37:a0:a4:99:a9:c5:b8:a6:3b:ee:09:1a:27:f0:95:
a8:da:a6:81:9d:40:68:67:70:94:41:67:90:38:e0:66:66:a1:
dc:99:16:72:d3:37:9a:bb:fb:74:7a:2e:eb:f5:e2:13:d1:6c:
fd:53:c8:12:8a:09:63:66:db:d6:1c:01:4b:13:f2:cf:0d:b0:
4a:d6:12:02:13:ab:ff:74:6c:85:fe:e1:f5:bf:cc:f5:5b:81:
1b:24:d1:82:c6:89:75:18:f8:cd:54:4b:ee:c0:6f:0c:74:74:
7c:8f:f1:d1:03:8c:ce:e4:35:7c:97:3f:23:94:58:41:7c:df:
a2:d6:b6:96:d7:4b:24:f5:5d:d6:4b:7b:b9:ea:11:e0:a9:36:
c4:65:92:b5:aa:19:4d:e6:29:df:bf:26:80:23:74:84:c3:20:
b2:9b:81:57:d6:a1:27:e7:0b:00:ca:22:69:ca:36:14:3b:55:
0b:33:68:3d:8a:d6:6f:68:56:99:a4:c0:51:8e:c6:54:ad:fd:
4c:f7:64:11:61:0e:82:f9:f6:70:ae:03:70:7d:04:e8:44:a7:
ff:46:35:6b:d5:8a:8a:f0:73:c0:d8:da:d3:3a:5c:c1:9f:cc:
62:02:d3:33:ae:02:90:fe:27:d2:76:b1:d4:48:a3:27:2f:29:
06:ab:4d:7a
now on the webui i have the normal cert... if you want i can place the ecc one so you can make some test
(the host is actually rm-home.ansuel.com)
Subject: CN=www.ansuel.com
X509v3 Key Usage: Digital Signature
X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication
serverAuth
or clientAuth
, not both.X509v3 Subject Alternative Name:
OID 1.3.6.1.4.1.44947.1.1.1
- Not sure exactly what this is, as the OID Repo only recognizes 1.3.6.1.4.1.44947
When you navigate to your WebUI in chrome, what is the exact chrome error being shown? Open the dev tools (CTRL + SHIFT + J) - Security tab
CIPHER_MISMATCH
error normally occurs when the browser has dropped support for a specific cipher suite due to security reasons. Please also list the Cipher being utilized on the Security page.certificate is create by acme.sh
problem could be X509v3 Key Usage: Digital Signature
and let's encrypt doesn't support wildcard (will be fully available on February 27, 2018.)
Digital Signature
is required for DHE_DSA exchange.
X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement
Key Exchange
DH_RSA
DH_DSA
DH_RSA
, except CA used a DSA key in lieu of RSADHE_RSA
digitalSignature
DHE_DSA
DHE_RS
A, except CA used a DSA key in lieu of RSAElliptic-Curve Key Exchange
ECDH_ECDSA
DH_DSA
, but with elliptic curves
ECDH_RSA
ECDH_ECDSA
, except CA used an RSA keyECDHE_ECDSA
DHE_DSS
, but with elliptic curves for both the Diffie-Hellman & signatureECDHE_RSA
ECDHE_ECDSA
, except Server public key is an RSA key
This won't occur if the CA/ICA is installed on the device (the only reason why one doesn't get untrusted errors for commercially signed certs are those CAs are apart of the default OS install). See the Linux/BSD and Windows tabs.