Discussion:
sslserver
(too old to reply)
Johanne Fairchild
2024-03-24 13:13:21 UTC
Permalink
I'm running a brand new FreeBSD 13.2-RELEASE-p10. I installed the
pkg-package ucspi-ssl-0.99b_1. I never used it, so I don't know what to
expect. Can you explain what I should do about this error?

%sslserver 0 1031 cat
sslserver: fatal: unable to set DH parameters

Instead of 0 (as in bind all interfaces) I also tried an IP address, a
hostname such as ``localhost'' et cetera. Unable to set DH parameters
sounds like cryptography bureaucracy. The DH might stand for
diffie-hellman. Perhaps the software doesn't know how to locate some
configuration it needs? The website of the program is at

https://www.fehcom.de/ipnet/ucspi-ssl.html

but it doesn't seem to have documentation for a newcomer.
vallor
2024-03-25 21:49:17 UTC
Permalink
On Sun, 24 Mar 2024 10:13:21 -0300, Johanne Fairchild
Post by Johanne Fairchild
I'm running a brand new FreeBSD 13.2-RELEASE-p10. I installed the
pkg-package ucspi-ssl-0.99b_1. I never used it, so I don't know what to
expect. Can you explain what I should do about this error?
%sslserver 0 1031 cat
sslserver: fatal: unable to set DH parameters
Instead of 0 (as in bind all interfaces) I also tried an IP address, a
hostname such as ``localhost'' et cetera. Unable to set DH parameters
sounds like cryptography bureaucracy. The DH might stand for
diffie-hellman. Perhaps the software doesn't know how to locate some
configuration it needs? The website of the program is at
https://www.fehcom.de/ipnet/ucspi-ssl.html
but it doesn't seem to have documentation for a newcomer.
A quick look around shows it's a hard-to-find tool.

Looks like step 8 in this document, which might help:

https://github.com/meixler/installing-configuring-and-running-ucspi-ssl-sslserver

(It's not in any of the Linux repositories I use.)

Hope that helps.
--
-v
Lawrence D'Oliveiro
2024-03-26 00:23:51 UTC
Permalink
Post by vallor
https://github.com/meixler/installing-configuring-and-running-ucspi-ssl-sslserver
The details there mention the use of Let’s Encrypt for generating the
cert. That’s fine for a public-access server, not so good if you just
want to experiment privately.

For private use, you want to create your own internal CA cert, and use
that to sign your own internal certs. Luckily, the OpenSSL 3.x tools
make this fairly easy to do. I have instructions here
<https://gitlab.com/ldo/ssl_try_python/>.
Johanne Fairchild
2024-03-27 21:48:17 UTC
Permalink
Post by vallor
On Sun, 24 Mar 2024 10:13:21 -0300, Johanne Fairchild
Post by Johanne Fairchild
I'm running a brand new FreeBSD 13.2-RELEASE-p10. I installed the
pkg-package ucspi-ssl-0.99b_1. I never used it, so I don't know what to
expect. Can you explain what I should do about this error?
%sslserver 0 1031 cat
sslserver: fatal: unable to set DH parameters
Instead of 0 (as in bind all interfaces) I also tried an IP address, a
hostname such as ``localhost'' et cetera. Unable to set DH parameters
sounds like cryptography bureaucracy. The DH might stand for
diffie-hellman. Perhaps the software doesn't know how to locate some
configuration it needs? The website of the program is at
https://www.fehcom.de/ipnet/ucspi-ssl.html
but it doesn't seem to have documentation for a newcomer.
A quick look around shows it's a hard-to-find tool.
Indeed. I wonder why. Such a useful tool.
Post by vallor
https://github.com/meixler/installing-configuring-and-running-ucspi-ssl-sslserver
This is wonderful.

--8<---------------cut here---------------start------------->8---
It took me a fair amount of time (and Googling, and trial-and-error,
and even some help from Erwin Hoffman) to get ucspi-ssl sslserver up
and running, as there are a number of nuances in the process. So, I
thought I would document the steps that worked for me to get ucspi-ssl
sslserver up and running to have as a reference for myself, as well as
for others that may find this useful.
--8<---------------cut here---------------end--------------->8---

I'm still missing at least one step. I followed the guide above, but
sslserver still misses a key.

# CERTFILE="/etc/ssl/cert.pem" DHFILE="/etc/ssl/dh2048.pem" \
sslserver -sH1 0.0.0.0 1234 cat
1234
sslserver: fatal: unable to load key

The documentation mentions the KEYFILE environment variable, so I
thought that could be it. I said

# CERTFILE="/etc/ssl/nntp-cert.pem" \
DHFILE="/etc/ssl/dh2048.pem" \
KEYFILE=/etc/ssl/nntp-key.pem sslserver -sH1 0.0.0.0 1234 cat
1234
sslserver: fatal: unable to load key

Same thing. Looking at the source code, the failure happens here in
main():

if (certchainfile) {
switch (ssl_chainfile(ctx,certchainfile,keyfile,passwd_cb)) {
case -1: strerr_die2x(111,FATAL,"unable to load certificate chain file");
case -2: strerr_die2x(111,FATAL,"unable to load key");
case -3: strerr_die2x(111,FATAL,"key does not match certificate");
default: break;
}
}

Looking at ssl_chainfile(), we find:

int ssl_chainfile(SSL_CTX *ctx,const char *certchainfile,const char *keyfile,pem_password_cb *passwd_cb)
{
if (!certchainfile) return 0;
if (!keyfile) return 0;

if (SSL_CTX_use_certificate_chain_file(ctx,certchainfile) <= 0)
return -1;

SSL_CTX_set_default_passwd_cb(ctx,passwd_cb);
if (SSL_CTX_use_RSAPrivateKey_file(ctx,keyfile,SSL_FILETYPE_PEM) != 1)
return -2;

if (SSL_CTX_check_private_key(ctx) != 1)
return -3;

return 0;
}

So it must be

SSL_CTX_use_RSAPrivateKey_file(ctx,keyfile,SSL_FILETYPE_PEM)

that's not returning 1. This is an OpenSSL procedure. The
documentation says

SSL_CTX_use_RSAPrivateKey_file() adds the first private RSA key found
in file to ctx.

Perhaps there's something wrong with my private key or something wrong
with the file. I'm running the program as root and I did put the
permissions to the private key as 0600. (Tried more open permissions
too.) It's not clear what the problem with key is. Could I be using
the wrong environment variable? Doesn't look like: main() says:

if ((x = env_get("KEYFILE"))) keyfile = x;
if (keyfile && str_equal(keyfile,"")) keyfile = 0;

Who created my private key? That was certbot (from Let's Encrypt).
Here's my private key.

-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgbmsZApHJl4/qtrey
gGU0SG4tAVR06Dn48Rjw4G6S65ShRANCAAQf/s6+hjKAh7L4TM27HGEK8+Jw16Kc
vJ+Yw3QGHvHxmJRwyjchdUvunRM048k68UNehuLGyoSqk5tCcxh50lnQ
-----END PRIVATE KEY-----

Could it be that it's too small? No idea.
Post by vallor
(It's not in any of the Linux repositories I use.)
Puzzling.
Post by vallor
Hope that helps.
Helped immensely. Thank you!
Scott Lurndal
2024-03-27 21:59:29 UTC
Permalink
Post by Johanne Fairchild
# CERTFILE="/etc/ssl/cert.pem" DHFILE="/etc/ssl/dh2048.pem" \
sslserver -sH1 0.0.0.0 1234 cat
1234
sslserver: fatal: unable to load key
Run it under 'strace', find where it displays the error
message and look just before it to see what open system
call failed and look at the path argument to see what file
it is attempting to open.

$ CERTFILE=... DHFILE=... strace -o /tmp/strace.tr -f sslserver -sH1 0.0.0.0 1234 cat

$ man strace
Richard Kettlewell
2024-03-28 08:40:54 UTC
Permalink
Post by Johanne Fairchild
SSL_CTX_use_RSAPrivateKey_file() adds the first private RSA key found
in file to ctx.
As it says, it’s looking for an RSA private key.
Post by Johanne Fairchild
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgbmsZApHJl4/qtrey
gGU0SG4tAVR06Dn48Rjw4G6S65ShRANCAAQf/s6+hjKAh7L4TM27HGEK8+Jw16Kc
vJ+Yw3QGHvHxmJRwyjchdUvunRM048k68UNehuLGyoSqk5tCcxh50lnQ
-----END PRIVATE KEY-----
That is an ECDSA private key.
--
https://www.greenend.org.uk/rjk/
vallor
2024-03-29 04:53:15 UTC
Permalink
On Wed, 27 Mar 2024 18:48:17 -0300, Johanne Fairchild
Post by Johanne Fairchild
Post by vallor
On Sun, 24 Mar 2024 10:13:21 -0300, Johanne Fairchild
Post by Johanne Fairchild
I'm running a brand new FreeBSD 13.2-RELEASE-p10. I installed the
pkg-package ucspi-ssl-0.99b_1. I never used it, so I don't know what
to expect. Can you explain what I should do about this error?
%sslserver 0 1031 cat sslserver: fatal: unable to set DH parameters
Instead of 0 (as in bind all interfaces) I also tried an IP address, a
hostname such as ``localhost'' et cetera. Unable to set DH parameters
sounds like cryptography bureaucracy. The DH might stand for
diffie-hellman. Perhaps the software doesn't know how to locate some
configuration it needs? The website of the program is at
https://www.fehcom.de/ipnet/ucspi-ssl.html
but it doesn't seem to have documentation for a newcomer.
A quick look around shows it's a hard-to-find tool.
Indeed. I wonder why. Such a useful tool.
Post by vallor
https://github.com/meixler/installing-configuring-and-running-ucspi-
ssl-sslserver
Post by Johanne Fairchild
This is wonderful.
--8<---------------cut here---------------start------------->8---
It took me a fair amount of time (and Googling, and trial-and-error,
and even some help from Erwin Hoffman) to get ucspi-ssl sslserver up
and running, as there are a number of nuances in the process. So, I
thought I would document the steps that worked for me to get ucspi-ssl
sslserver up and running to have as a reference for myself, as well as
for others that may find this useful.
--8<---------------cut here---------------end--------------->8---
I'm still missing at least one step. I followed the guide above, but
sslserver still misses a key.
# CERTFILE="/etc/ssl/cert.pem" DHFILE="/etc/ssl/dh2048.pem" \
sslserver -sH1 0.0.0.0 1234 cat
1234 sslserver: fatal: unable to load key
The documentation mentions the KEYFILE environment variable, so I
thought that could be it. I said
# CERTFILE="/etc/ssl/nntp-cert.pem" \
DHFILE="/etc/ssl/dh2048.pem" \
KEYFILE=/etc/ssl/nntp-key.pem sslserver -sH1 0.0.0.0 1234 cat
1234 sslserver: fatal: unable to load key
Same thing. Looking at the source code, the failure happens here in
if (certchainfile) {
switch (ssl_chainfile(ctx,certchainfile,keyfile,passwd_cb)) {
case -1: strerr_die2x(111,FATAL,"unable to load certificate chain file");
case -2: strerr_die2x(111,FATAL,"unable to load key");
case -3: strerr_die2x(111,FATAL,"key does not match
certificate"); default: break;
}
}
int ssl_chainfile(SSL_CTX *ctx,const char *certchainfile,const char
*keyfile,pem_password_cb *passwd_cb)
{
if (!certchainfile) return 0;
if (!keyfile) return 0;
if (SSL_CTX_use_certificate_chain_file(ctx,certchainfile) <= 0)
return -1;
SSL_CTX_set_default_passwd_cb(ctx,passwd_cb);
if (SSL_CTX_use_RSAPrivateKey_file(ctx,keyfile,SSL_FILETYPE_PEM) != 1)
return -2;
if (SSL_CTX_check_private_key(ctx) != 1)
return -3;
return 0;
}
So it must be
SSL_CTX_use_RSAPrivateKey_file(ctx,keyfile,SSL_FILETYPE_PEM)
that's not returning 1. This is an OpenSSL procedure. The
documentation says
SSL_CTX_use_RSAPrivateKey_file() adds the first private RSA key found
in file to ctx.
Perhaps there's something wrong with my private key or something wrong
with the file. I'm running the program as root and I did put the
permissions to the private key as 0600. (Tried more open permissions
too.) It's not clear what the problem with key is. Could I be using
if ((x = env_get("KEYFILE"))) keyfile = x;
if (keyfile && str_equal(keyfile,"")) keyfile = 0;
Who created my private key? That was certbot (from Let's Encrypt).
Here's my private key.
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgbmsZApHJl4/qtrey
gGU0SG4tAVR06Dn48Rjw4G6S65ShRANCAAQf/s6+hjKAh7L4TM27HGEK8+Jw16Kc
vJ+Yw3QGHvHxmJRwyjchdUvunRM048k68UNehuLGyoSqk5tCcxh50lnQ -----END
PRIVATE KEY-----
Could it be that it's too small? No idea.
Post by vallor
(It's not in any of the Linux repositories I use.)
Puzzling.
Post by vallor
Hope that helps.
Helped immensely. Thank you!
Hello,

The howto I linked to has two "step 8"'s. Hmm.
Anyway, in the second "step 8", it has you copy the cert
from the LetsEncrypt /etc directory.

I haven't tried it, but I think your error would be consistent
with missing the chain certificate. If memory serves, the site cert
and the chain cert are both in the file "fullchain.pem". Perhaps
try copying that one instead.

(Personally, I'd point the key- and cert-file environment variables
at the links in the LetsEncrypt /etc directory, so that 3 months from
now, all you have to do is run "certbot renew" to get the new cert
installed. At that time, you'll probably have to restart sslserver
to pick up the new files.)
--
-v
vallor
2024-03-29 05:35:07 UTC
Permalink
Post by vallor
Hello,
The howto I linked to has two "step 8"'s. Hmm.
Anyway, in the second "step 8", it has you copy the cert from the
LetsEncrypt /etc directory.
I haven't tried it, but I think your error would be consistent with
missing the chain certificate. If memory serves, the site cert and the
chain cert are both in the file "fullchain.pem". Perhaps try copying
that one instead.
(Personally, I'd point the key- and cert-file environment variables at
the links in the LetsEncrypt /etc directory, so that 3 months from now,
all you have to do is run "certbot renew" to get the new cert installed.
At that time, you'll probably have to restart sslserver to pick up the
new files.)
Sketchy though it is, I went through the gyrations to build this hairy
monster. Saw this in the man page for sslserver:

$CERTCHAINFILE=path
If set, overrides the compiled-in certificate
chainfile name. The server presents this list of
certificats to clients. Note: Providing
$CERTCHAINFILE has precedence over $CERTFILE.
Certificates in this file needs to be 'ordered'
starting from the uppermost root certificates and
placing your host's certificate at the end.

So looks like you use that with the full chain file.
--
-v
Loading...