TLS: "wrong curve" error during client authentication

666 views Asked by At

I have an Apache server that was recently upgraded from Debian 9 to Debian 10:

  • Apache : 2.4.25-3+deb9u13 => 2.4.52
  • Openssl: 1.1.0l-1~deb9u5 => 1.1.1n-0+deb10u1

Since this upgrade, connections from clients where client is authenticated (SSLVerifyClient require in Apache configuration) fails. Error in Apache debug logs is:

[Tue Apr 19 17:41:57.686913 2022] [ssl:error] [pid 19335] SSL Library Error: error:1414D17A:SSL routines:tls12_check_peer_sigalg:wrong curve

TLS_v1.2 was forced on server (Apache configuration: SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 +TLSv1.2 -TLSv1.3).

I made a wireshark capture and I am able to decode it. When authentication works (with Debian 9 version), messages exchanged are the following: messagesExchange

When error occurs, The last "Finished" message sent by server is replaced by a TLS Alert (Level Fatal, Description: Illegal parameter).

This happens just after the client certificate is received by server, my conclusion is that the client certificate is not accepted by server.

Client certificate was generated by our PKI from a private key and a certificate signing request created on client using these commands:

openssl ecparam -genkey -name secp256k1 -noout -out ${PRIVATE_KEY}
openssl req -new -sha256 -key ${PRIVATE_KEY} -out ${CSR} -subj "/C=FR/O=XXX/OU=YYY/CN=ZZZ"

So curve used for this client certificate is secp256k1. This curve is not supported by TLS_v1.3.

If I create a private key using prime256v1 curve instead if using secp256k1, recreate CSR and certificate using the same PKI, I am able to connect to server without errors. Commands become:

openssl ecparam -genkey -name prime256v1 -noout -out /user/private_prime256v1.key
openssl req -new -sha256 -key /user/private_prime256v1.key -out /user/prime256v1.csr -subj "/C=FR/O=XXX/OU=YYY/CN=ZZZ"

So I assume my problem is linked to usage of secp256k1 curve in client certificates (and this new versions of Apache and Openssl).

I have tons of clients with certificates created from a private key using secp256k1 curve, so changing client certificates is not an option. I am looking for an Apache / mod_ssl / openssl configuration to accept client certificates using secp256k1 certificates even on this new version. I tried:

SSLOpenSSLConfCmd Groups "secp256k1:secp384r1:secp521r1:prime256v1:sect283k1:sect283r1:sect409k1:sect409r1:sect571k1:sect571r1"

without success.

There are many other parameters I can modify using SSLOpenSSLConfCmd but I didn't find any other configurations precisely linked to client authentication or to curves used in certificates.

0

There are 0 answers