Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Trace Function Ignores SSL/TLS Protocol Configuration #1252

Open
rdratlos opened this issue Apr 3, 2021 · 2 comments
Open

Trace Function Ignores SSL/TLS Protocol Configuration #1252

rdratlos opened this issue Apr 3, 2021 · 2 comments

Comments

@rdratlos
Copy link

rdratlos commented Apr 3, 2021

OpenSSL silently discards invalid ciphers that are provided within the configured cipher set list. The actually available SSL/TLS protocols and TLS v1.3 ciphersuites for a virtual server are important information for system administrators in case of Cherokee not accepting HTTPS connections.

Without this information it is extremely difficult to investigate on the root cause of encrypt web traffic issues in the network.

Current trace output is as follows:

  cryptor_libssl.c:0764 (                  _vserver_new): Ignoring libssl error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library    
  cryptor_libssl.c:0764 (                  _vserver_new): Ignoring libssl error: error:25070067:DSO support routines:DSO_load:could not load the shared library      
  cryptor_libssl.c:0764 (                  _vserver_new): Ignoring libssl error: error:260B6084:engine routines:dynamic_load:dso not found                           
  cryptor_libssl.c:0764 (                  _vserver_new): Ignoring libssl error: error:2606A074:engine routines:ENGINE_by_id:no such engine
  cryptor_libssl.c:0898 (                  _vserver_new): Vserver 'default'. Reading certificate file '/etc/ssl/cherokee/webcert-srv.pem'
  cryptor_libssl.c:0911 (                  _vserver_new): Vserver 'default'. Reading key file '/etc/ssl/private/webkey-srv.pem'

@skinkie
Copy link
Member

skinkie commented Apr 3, 2021

Given that TRACE brings you live information per incoming connection. What information would you like to receive about a connection only when debugging?

rdratlos pushed a commit to rdratlos/cherokee-webserver that referenced this issue Apr 3, 2021
OpenSSL silently discards invalid ciphers that are provided
within the configured cipher set list. The actually available SSL/TLS
protocols and TLS v1.3 ciphersuites for a virtual server are important
information for system administrators in case of Cherokee not accepting
HTTPS connections.
Without this information it is extremely difficult to investigate on the
root cause of encrypt web traffic issues in the network.

Trace information for each virtual server on the main SSL/TLS configuration
settings.

Fixes: cherokee#1252

Signed-off-by: Thomas Reim <[email protected]>
@rdratlos
Copy link
Author

rdratlos commented Apr 3, 2021

Fixed trace output is as follows:

  cryptor_libssl.c:1934 (   cherokee_plugin_libssl_init): Checking for pkcs11 engine ...
  cryptor_libssl.c:1937 (   cherokee_plugin_libssl_init): Ignoring libssl error: error:25066067:DSO support routines:dlfcn_load:could not load the shared library
  cryptor_libssl.c:1937 (   cherokee_plugin_libssl_init): Ignoring libssl error: error:25070067:DSO support routines:DSO_load:could not load the shared library
  cryptor_libssl.c:1937 (   cherokee_plugin_libssl_init): Ignoring libssl error: error:260B6084:engine routines:dynamic_load:dso not found
  cryptor_libssl.c:1937 (   cherokee_plugin_libssl_init): Ignoring libssl error: error:2606A074:engine routines:ENGINE_by_id:no such engine
  cryptor_libssl.c:1938 (   cherokee_plugin_libssl_init): pkcs11 engine is not installed
  cryptor_libssl.c:0535 (     trace_libssl_tls_settings): libssl security level for vserver default: 2 (SSLv3 and below not allowed)
  cryptor_libssl.c:0560 (     trace_libssl_tls_settings): Minimum supported TLS/SSL protocol version for vserver default: TLSv1.2 (auto-configured by libssl)
  cryptor_libssl.c:0582 (     trace_libssl_tls_settings): Maximum supported TLS/SSL protocol version for vserver default: auto-configured by libssl
  cryptor_libssl.c:0639 (     trace_libssl_tls_settings): TLS/SSL protocols switched off for vserver default: SSLv3
  cryptor_libssl.c:0886 (                  _vserver_new): Ciphers available for vserver default: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  cryptor_libssl.c:0898 (                  _vserver_new): Vserver 'unifi'. Reading certificate file '/etc/ssl/cherokee/webcert-srv.pem'
  cryptor_libssl.c:0911 (                  _vserver_new): Vserver 'unifi'. Reading key file '/etc/ssl/private/webkey-srv.pem'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants