
Comments (8)

baentsch commented on July 28, 2024

> I have used the Dockerfile of the nginx oqs-demo here to manually set up an OQC enabled NGINX server without the use of docker.

Such an approach makes it hard for us to reproduce the exact configuration settings & code version(s) you have used when building your system. Do things work OK if you generate the dil2 cert using the pre-built (oqs-curl/openssl & nginx) images?

> The certificate can be successfully retrieved using the s_client of the OQC fork of OpenSSL

What do you mean by "can be successfully retrieved"? The provided s_client command does not seem to use/reference any certificate (e.g., via the -CAfile option)...

> the error: curl: (35) error:101310B0:elliptic curve routines:pkey_oqs_digestverify:verification failed.
> Why might this be the case?

The sole reason for this (in case of a plain, non-hybrid, OQS cert) would be if the OQS signature verification function were failing. But again, I can't see you specify a --cacert (but in fact -k which should disable all curl cert-checks).

So again, to eliminate all code version and configuration mismatches, I'd suggest you first use only the available docker images or build all code, incl. curl, from source.

from oqs-demos.

ibmo96 commented on July 28, 2024

> Such an approach makes it hard for us to reproduce the exact configuration settings & code version(s) you have used when building your system. Do things work OK if you generate the dil2 cert using the pre-built (oqs-curl/openssl & nginx) images?

Of course, here are the specs of my nginx build:

```
nginx version: nginx/1.18.0
built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04)
built with OpenSSL 1.1.1i 8 Dec 2020, Open Quantum Safe xxxx-xx snapshot
TLS SNI support enabled
configure arguments: --pid-path=/run/nginx.pid --with-threads --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-libatomic --with-zlib=/usr/local/lib/zlib-1.2.9 --with-openssl=/home/ibra/pqs_server_files/openssl --with-openssl-opt='zlib no-tests' --with-cc-opt=-I/home/ibra/pqs_server_files/openssl/oqs/include --with-ld-opt=-L/home/ibra/pqs_server_files/openssl/oqs/lib --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --without-http_rewrite_module
```

> What do you mean by "can be successfully retrieved"? The provided s_client command does not seem to use/reference any certificate (e.g., via the -CAfile option)...

Sorry for the confusion. What is meant by this is that the server certificate referenced in the nginx.conf file is requested using one of the supported key-exchange algorithms, here Kyber512, and so the server certificate is returned as follows (this is a snippet of the certificate returned, showing that it was signed using dilithium2 and the key exchange used was Kyber512):

[image: snippet of the returned certificate]


baentsch commented on July 28, 2024

OK, this makes sense: Your self-built openssl s_client works up to the point of seeing a self-signed cert. Now, can you please show the full curl call and (error) return? Best with the --verbose option?

Also, what about creating a CA (chain) to give curl (and openssl s_client) the possibility to run a regular certificate verification? In so doing, we might be discovering what's wrong with the dilithium2 cert curl complains about.


ibmo96 commented on July 28, 2024

> OK, this makes sense: Your self-built openssl s_client works up to the point of seeing a self-signed cert. Now, can you please show the full curl call and (error) return? Best with the --verbose option?

So I built the OQS curl image as instructed here, and this seems to work and retrieves the page from my OQS-enabled server, as shown below:

[image: page retrieved by the OQS curl image]

And the data from --verbose mode:

```
root@ubuntu-s-1vcpu-1gb-fra1-01:/home/ibra/pqs_server_files/oqs-demos/curl# docker run -it oqs-curl curl -k https://oqs-moff.info:443 --verbose --curves kyber512
```

[image: curl --verbose output, part 1]
[image: curl --verbose output, part 2]


baentsch commented on July 28, 2024

OK, great - so if you build from source, the issue disappears and everything works? That clearly indicates a configuration mismatch between the curl docker image and your local build.

Out of curiosity: If you run the openquantumsafe/curl image (instead of your locally built curl) with the same verbosity, can you see the difference/error?


ibmo96 commented on July 28, 2024

> OK, great - so if you build from source, the issue disappears and everything works? That clearly indicates a configuration mismatch between the curl docker image and your local build.

Yes indeed, works fine now.

> Out of curiosity: If you run the openquantumsafe/curl image (instead of your locally built curl) with the same verbosity, can you see the difference/error?

This is the result:

[image: output of the openquantumsafe/curl image]

How would I go about creating a CA (chain) to give curl (and openssl s_client) the possibility to run a regular certificate verification? Is there a certification authority that issues quantum-safe certificates?


baentsch commented on July 28, 2024

> How would I go about creating a CA (chain) to give curl (and openssl s_client) the possibility to run a regular certificate verification?

Have a look here.

> Is there a certification authority that issues quantum-safe certificates?

Not as far as I know. But maybe something worthwhile setting up....

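
As an added example (not code from the oqs-demos project or from anyone in this thread) of the CA chain baentsch refers to: a shell script that creates a self-signed dilithium2 root CA, issues a server certificate signed by it, and checks the chain with openssl verify before the CA file is handed to curl via --cacert instead of -k. It assumes an OQS-enabled openssl binary (OQS_OPENSSL, defaulting to plain openssl) that accepts the algorithm name in -newkey as the oqs-openssl fork does; SIG_ALG and the SERVER_NAME hostname are placeholders.

```shell
#!/bin/sh
# Added example, not from oqs-demos or this thread: build a minimal CA chain
# so curl and s_client can run a regular certificate verification instead of -k.
# Assumes an OQS-enabled openssl binary (OQS_OPENSSL) that accepts PQ algorithm
# names in -newkey, as the oqs-openssl fork does. SIG_ALG and SERVER_NAME are
# assumptions; SERVER_NAME is a placeholder hostname.
set -eu

OQS_OPENSSL="${OQS_OPENSSL:-openssl}"
SIG_ALG="${SIG_ALG:-dilithium2}"              # rsa:2048 also works with stock openssl
SERVER_NAME="${SERVER_NAME:-server.example}"  # placeholder hostname

# Create a self-signed root CA (ca.key / ca.crt) in directory $1.
make_ca() {
  dir="$1"; mkdir -p "$dir"
  "$OQS_OPENSSL" req -x509 -new -newkey "$SIG_ALG" -nodes -days 365 \
    -subj "/CN=Example PQ Root CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# Issue a server certificate for hostname $2, signed by the CA in $1.
# A subjectAltName is added via -extfile so hostname checks do not rely on CN.
make_server_cert() {
  dir="$1"; name="$2"
  "$OQS_OPENSSL" req -new -newkey "$SIG_ALG" -nodes -subj "/CN=$name" \
    -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/san.ext"
  "$OQS_OPENSSL" x509 -req -in "$dir/server.csr" -days 90 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# Check the chain the way curl/s_client will: server cert against the CA only.
verify_chain() {
  "$OQS_OPENSSL" verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Build everything under $1; returns 0 only if the resulting chain verifies.
build_chain() {
  make_ca "$1" && make_server_cert "$1" "$SERVER_NAME" && verify_chain "$1"
}

# Point nginx's ssl_certificate / ssl_certificate_key at server.crt / server.key,
# then verify against the CA file instead of using -k, e.g.:
#   curl --cacert "$dir/ca.crt" --curves kyber512 "https://$SERVER_NAME"
#   openssl s_client -CAfile "$dir/ca.crt" -connect "$SERVER_NAME:443"
```

If verify_chain fails with the OQS build but succeeds with a classical SIG_ALG, the mismatch is in the signature algorithm support of the openssl binary, which is the same class of problem the curl error above points at.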

baentsch commented on July 28, 2024

Closing due to inactivity. Please reopen if the problem persists.
