Re: osf-contact Striking out everywhere

Viktor Dukhovni
On Mon, Jun 03, 2019 at 04:41:47PM +0100, Matt Caswell wrote:

> On 03/06/2019 15:16, Erik Madsen wrote:
>
> > Thanks for the reply! Is there any link for avail variables for openssl.conf?
>
> See:
>
> https://www.openssl.org/docs/man1.1.1/man5/config.html
>
> >
> > [ssl_section]
> > KeyForm = ENG
> >
> > no success...but at this point, honestly just scrambling.

KeyForm is not a defined parameter for the SSL module.  The
supported parameters are listed in:

    https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html

--
        Viktor.
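
An added example, not part of the original message and not OpenSSL code: a small lint that follows the openssl_conf -> ssl_conf chain in an openssl.cnf and reports names in the SSL module's command sections that SSL_CONF_cmd does not define, as KeyForm is above. The KNOWN list is transcribed from the SSL_CONF_cmd page linked above and should be checked against your OpenSSL version; the sample file and the openssl_init / ssl_module section names are constructed.

```javascript
// Added example, not code from the thread or from OpenSSL.
// File-form command names transcribed from the SSL_CONF_cmd(3) 1.1.1 page
// (assumption: verify against the page for your OpenSSL version).
const KNOWN = new Set([
  'CipherString', 'Ciphersuites', 'Certificate', 'PrivateKey', 'ChainCAFile',
  'ChainCAPath', 'VerifyCAFile', 'VerifyCAPath', 'ServerInfoFile',
  'DHParameters', 'ECDHParameters', 'RecordPadding', 'SignatureAlgorithms',
  'ClientSignatureAlgorithms', 'Curves', 'Groups', 'MinProtocol', 'MaxProtocol',
  'Protocol', 'Options', 'VerifyMode', 'ClientCAFile', 'ClientCAPath',
  'RequestCAFile', 'RequestCAPath', 'NumTickets',
].map((n) => n.toLowerCase())); // file-form names are case-insensitive

// Minimal openssl.cnf reader: [section] headers, name = value pairs, # comments.
function parseConf(text) {
  const sections = { default: [] };
  let cur = 'default';
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();
    const sec = line.match(/^\[\s*(\S+)\s*\]$/);
    const kv = line.match(/^([^=\s]+)\s*=\s*(.*)$/);
    if (sec) { cur = sec[1]; sections[cur] = sections[cur] || []; }
    else if (kv) sections[cur].push([kv[1], kv[2]]);
  }
  return sections;
}

// Follow openssl_conf -> ssl_conf -> per-application sections and report
// every name in them that is not an SSL_CONF file command.
function lintSslConf(text) {
  const s = parseConf(text);
  const get = (sec, key) => ((s[sec] || []).find(([k]) => k === key) || [])[1];
  const sslSec = get(get('default', 'openssl_conf'), 'ssl_conf');
  const findings = [];
  for (const [app, cmdSec] of s[sslSec] || [])
    for (const [name] of s[cmdSec] || [])
      if (!KNOWN.has(name.toLowerCase())) findings.push({ app, section: cmdSec, name });
  return findings;
}

// Constructed sample; only the [ssl_section] / KeyForm lines come from the thread.
const SAMPLE = `
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_module
[ssl_module]
system_default = ssl_section
[ssl_section]
MinProtocol = TLSv1.2
KeyForm = ENG
`;
console.log(lintSslConf(SAMPLE));
```
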

Re: osf-contact Striking out everywhere

Erik Madsen
Is there any possibility of setting second argument here from config?

SSL_CTX_set_client_cert_engine (SSL_CTX * ctx, ENGINE * )

I think at this point it's a Node issue not allowing for an engine to be used for the key...I know GOST works, but pretty sure that allows for a PrivateKey to be set.

I am almost 100% that node is getting the cert, but failing to get the key from the engine, so it's throwing the error "no client cert method" and according to strace, my engine is loading, but this call in Node crypto is setting engine fine, but in the TLS connection, there is no PEM formatted key.

One would think if cURL and s_client can work, NodeJs should also...

It will probably end up being something silly :O

Thanks,

Erik

From: Viktor Dukhovni
Sent: Mon Jun 03 09:40:15 PDT 2019
To: [hidden email]
Subject: Re: osf-contact Striking out everywhere

> On Mon, Jun 03, 2019 at 04:41:47PM +0100, Matt Caswell wrote:
>
> > On 03/06/2019 15:16, Erik Madsen wrote:
> >
> > > Thanks for the reply! Is there any link for avail variables for openssl.conf?
> >
> > See:
> >
> > https://www.openssl.org/docs/man1.1.1/man5/config.html
> >
> > > [ssl_section]
> > > KeyForm = ENG
> > >
> > > no success...but at this point, honestly just scrambling.
>
> KeyForm is not a defined parameter for the SSL module. The
> supported parameters are listed in:
>
>     https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html

Re: osf-contact Striking out everywhere

Erik Madsen



any thoughts here?

On 6/3/19 10:03 AM, Erik Madsen wrote:

> Is there any possibility of setting second argument here from config?
>
> SSL_CTX_set_client_cert_engine (SSL_CTX * ctx, ENGINE * )
>
> I think at this point it's a Node issue not allowing for an engine to be used for the key...I know GOST works, but pretty sure that allows for a PrivateKey to be set.
>
> I am almost 100% that node is getting the cert, but failing to get the key from the engine, so it's throwing the error "no client cert method" and according to strace, my engine is loading, but this call in Node crypto is setting engine fine, but in the TLS connection, there is no PEM formatted key.
>
> One would think if cURL and s_client can work, NodeJs should also...
>
> It will probably end up being something silly :O
>
> Thanks,
>
> Erik


Re: osf-contact Striking out everywhere

Viktor Dukhovni
On Mon, Jun 03, 2019 at 12:54:46PM -0700, Erik Madsen wrote:

> any thoughts here?

You're posting images instead of text, and to the wrong list.
The issue seems to be in node.

--
        Viktor.

Re: osf-contact Striking out everywhere

Erik Madsen
Sorry about that... I'm new to this format.

It was a snip of this:

    if (typeof options.clientCertEngine === 'string') {
      if (c.context.setClientCertEngine)
        c.context.setClientCertEngine(options.clientCertEngine);

options.clientCertEngine is just the path of the SO file

and it is calling openssl function:

SSL_CTX_set_client_cert_engine (SSL_CTX *ctx, ENGINE *e)

Am I wrong that there should be a second argument passed from Node to
OpenSSL?

Really appreciate all your support


On 6/3/19 12:58 PM, Viktor Dukhovni wrote:

> On Mon, Jun 03, 2019 at 12:54:46PM -0700, Erik Madsen wrote:
>
>> any thoughts here?
> You're posting images instead of text, and to the wrong list.
> The issue seems to be in node.
>

Re: osf-contact Striking out everywhere

Viktor Dukhovni
On Mon, Jun 03, 2019 at 02:52:42PM -0700, Erik Madsen wrote:

> if (typeof options.clientCertEngine === 'string') {
>   if (c.context.setClientCertEngine)
>     c.context.setClientCertEngine(options.clientCertEngine);
>
> options.clientCertEngine is just the path of the SO file
>
> and it is calling openssl function:
>
> SSL_CTX_set_client_cert_engine (SSL_CTX *ctx, ENGINE *e)
>
> am I wrong that there should be a second argument passed from Node to
> Openssl?

This question is best asked and answered on the node list (but it
may be worth mentioning that in an object-oriented language, the
'self' argument of object methods is generally implicit).

--
        Viktor.

Re: osf-contact Striking out everywhere

Erik Madsen
Thanks for the clarification.

If resolution found, would you want me to report that here?

I'm off to the Node Team.

Thanks,

Erik

From: Viktor Dukhovni
Sent: Mon Jun 03 15:25:35 PDT 2019
To: [hidden email]
Subject: Re: osf-contact Striking out everywhere

> On Mon, Jun 03, 2019 at 02:52:42PM -0700, Erik Madsen wrote:
>
> > if (typeof options.clientCertEngine === 'string') {
> >   if (c.context.setClientCertEngine)
> >     c.context.setClientCertEngine(options.clientCertEngine);
> >
> > options.clientCertEngine is just the path of the SO file
> >
> > and it is calling openssl function:
> >
> > SSL_CTX_set_client_cert_engine (SSL_CTX *ctx, ENGINE *e)
> >
> > am I wrong that there should be a second argument passed from Node to
> > Openssl?
>
> This question is best asked and answered on the node list (but it
> may be worth mentioning that in an object-oriented language, the
> 'self' argument of object methods is generally implicit).