Comments (8)
I have used the Dockerfile of the nginx oqs-demo here to manually set up an OQC enabled NGINX server without the use of docker.
Such an approach makes it hard for us to reproduce the exact configuration settings & code version(s) you used when building your system. Do things work OK if you generate the dil2 cert using the pre-built (oqs-curl/openssl & nginx) images?
The certificate can be successfully retrieved using the s_client of the OQC fork of OpenSSL
What do you mean by "can be successfully retrieved"? The provided s_client command does not seem to use/reference any certificate (e.g., via the -CAfile option)...
the error: curl: (35) error:101310B0:elliptic curve routines:pkey_oqs_digestverify:verification failed.
Why might this be the case?
The sole reason for this (in case of a plain, non-hybrid, OQS cert) would be if the OQS signature verification function were failing. But again, I can't see you specify a --cacert (but in fact -k, which should disable all curl cert-checks).
So again, to eliminate all code version and configuration mismatches, I'd suggest you first use only the available docker images or build all code, incl. curl, from source.
from oqs-demos.
Such an approach makes it hard for us to reproduce the exact configuration settings & code version(s) you used when building your system. Do things work OK if you generate the dil2 cert using the pre-built (oqs-curl/openssl & nginx) images?
Of course, here are the specs of my nginx build:
nginx version: nginx/1.18.0 built by gcc 9.3.0 (Ubuntu 9.3.0-17ubuntu1~20.04) built with OpenSSL 1.1.1i 8 Dec 2020, Open Quantum Safe xxxx-xx snapshot TLS SNI support enabled configure arguments: --pid-path=/run/nginx.pid --with-threads --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module=dynamic --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-libatomic --with-zlib=/usr/local/lib/zlib-1.2.9 --with-openssl=/home/ibra/pqs_server_files/openssl --with-openssl-opt='zlib no-tests' --with-cc-opt=-I/home/ibra/pqs_server_files/openssl/oqs/include --with-ld-opt=-L/home/ibra/pqs_server_files/openssl/oqs/lib --with-http_sub_module --with-http_xslt_module=dynamic --with-stream=dynamic --with-stream_ssl_module --with-mail=dynamic --with-mail_ssl_module --without-http_rewrite_module
What do you mean by "can be successfully retrieved"? The provided s_client command does not seem to use/reference any certificate (e.g., via the -CAfile option)...
Sorry for the confusion; what is meant by this is that the server certificate referenced in the nginx.conf file is requested using one of the supported key-exchange algorithms, here Kyber512, and the server certificate is returned like so (this is a snippet of the certificate returned, showing that it was signed using dilithium2 and that the key exchange used was Kyber512):
OK, this makes sense: Your self-built openssl s_client works up to the point of seeing a self-signed cert. Now, can you please show the full curl call and (error) return? Best with the --verbose option?
Also, what about creating a CA (chain) to give curl (and openssl s_client) the possibility to run a regular certificate verification? In so doing, we might be discovering what's wrong with the dilithium2 cert curl complains about.
OK, this makes sense: Your self-built openssl s_client works up to the point of seeing a self-signed cert. Now, can you please show the full curl call and (error) return? Best with the --verbose option?
So I built the OQS curl image as instructed here and this seems to work and retrieves the page from my OQS-enabled server, as shown below:
And the data from --verbose mode:
root@ubuntu-s-1vcpu-1gb-fra1-01:/home/ibra/pqs_server_files/oqs-demos/curl# docker run -it oqs-curl curl -k https://oqs-moff.info:443 --verbose --curves kyber512
OK, great - so if you build from source, the issue disappears and everything works? That clearly indicates a configuration mismatch between the curl docker image and your local build.
Out of curiosity: If you run the openquantumsafe/curl image (instead of your locally built curl) with the same verbosity, can you see the difference/error?
OK, great - so if you build from source, the issue disappears and everything works? That clearly indicates a configuration mismatch between the curl docker image and your local build.
Yes indeed, works fine now.
Out of curiosity: If you run the openquantumsafe/curl image (instead of your locally built curl) with the same verbosity, can you see the difference/error?
How would I go about creating a CA (chain) to give curl (and openssl s_client) the possibility to run a regular certificate verification? Is there a certification authority that issues quantum-safe certificates?
How would I go about creating a CA (chain) to give curl (and openssl s_client) the possibility to run a regular certificate verification?
Have a look here
Is there a certification authority that issues quantum-safe certificates?
Not as far as I know. But maybe something worthwhile setting up....
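The CA-chain approach suggested in this thread, written out as an added example (not code from the oqs-demos project): a self-signed root CA issues the server certificate, and the root is then handed to curl via --cacert (or to s_client via -CAfile) so that a regular chain check replaces -k. The signature algorithm is a parameter; dilithium2 assumes the OQS fork of OpenSSL, while a stock OpenSSL can run the same chain logic with e.g. rsa:2048. The hostname and output directory are constructed placeholders.

```shell
#!/bin/sh
# Two-level chain: root CA -> server cert, then a chain verification that
# curl/s_client can perform once they are pointed at ca.crt.
set -eu

make_chain() {
    alg=$1    # key/signature algorithm, e.g. dilithium2 (OQS-OpenSSL) or rsa:2048 (stock OpenSSL)
    host=$2   # server hostname used as CN and SAN (constructed placeholder when called below)
    dir=$3    # output directory for keys and certs

    mkdir -p "$dir"
    # 1. Self-signed root CA key + certificate
    openssl req -x509 -new -newkey "$alg" -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -subj "/CN=oqstest CA" 2>/dev/null
    # 2. Server key + certificate signing request
    openssl req -new -newkey "$alg" -nodes \
        -keyout "$dir/server.key" -out "$dir/server.csr" -subj "/CN=$host" 2>/dev/null
    # 3. CA signs the CSR; a subjectAltName is needed for curl's hostname check
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# Returns 0 when server.crt chains to ca.crt, non-zero otherwise (the check
# curl --cacert ca.crt and openssl s_client -CAfile ca.crt perform in the handshake).
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# Example run: SIG_ALG=dilithium2 needs OQS-OpenSSL; override for stock OpenSSL.
# make_chain "${SIG_ALG:-dilithium2}" oqs.example.test ./pki && verify_chain ./pki
```

Once the chain verifies, point nginx at server.crt/server.key and call curl with --cacert ./pki/ca.crt instead of -k; a verification failure then points at the certificate rather than at a disabled check.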
Closing due to inactivity. Please reopen if the problem persists.