Comments (9)
Could you create another key that exhibits this problem and upload it?
from rustls.
Actually, nevermind. I realise now that ssl-cert-snakeoil.* are generated by the ssl-cert Debian package. I installed that (on Debian testing) and got a 2048-bit RSA key in ssl-cert-snakeoil.key, in a PKCS8 file. Converting it with openssl gave me a key I can use with rustls.
I'm guessing you have an older Debian which makes a 1024-bit key. Could you confirm that? openssl rsa -text -in /etc/ssl/private/ssl-cert-snakeoil.key | grep bit should do the trick.
If so I agree that the error reporting when rejecting short RSA keys should be improved!
from rustls.
Private-Key: (1024 bit)
Yes, I think it should discriminate invalid and insecure keys. Maybe it should even contain the list of legacy algorithm names just to output better error messages (so DES or whatever is not an Unknown algorithm, but Obsolete algorithm).
from rustls.
I have been looking into ways to improve the error-reporting here, but I'm not really sure what to do yet (I haven't looked super thoroughly, but I've at least learned some things).
My impression now is that rustls can't give more specific information in the error because the ring library doesn't provide it. That could perhaps be rectified in the ring library by making ring::signature::RSAKeyPair::from_der return more information in an error.
Perhaps the best solution for now is to just add some helpful information to the error message, so that in addition to "Invalid RSA private key", we could add ": this may be because the key is using insecure algorithms or is too short".
Any thoughts @ctz?
from rustls.
I believe briansmith/ring#401 and briansmith/ring#384 will provide the foundation for us to provide some more detailed error reporting in ring.
from rustls.
I seem to have run into something similar - when generating a key/cert pair for (essentially)
https://github.com/actix/examples/tree/master/rustls
via openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -sha256 -nodes --subj '/CN=localhost/'
this will barf per
thread 'main' panicked at 'assertion failed: index < len', src/liballoc/vec.rs:993:9
tracing back to the line
config.set_single_cert(cert_chain, keys.remove(0)).unwrap();
in the application code. If I unwrap the key from its structure per
mv key.pem key-x.pem && openssl rsa -in key-x.pem -out key.pem
it works just fine.
Seems like rsa_private_keys vs. pkcs8_private_keys just let this problem just run into a wall instead of handling it.
from rustls.
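Added example, not part of the thread and not rustls code: the panic quoted above is a `remove(0)` on an empty `Vec`, which is what a loader that looks for one key format returns when the file holds another. This std-only sketch classifies PEM key blocks by label and returns a descriptive error instead; `KeyFormat`, `key_formats`, `require_format` and the sample are hypothetical names and constructed data.

```rust
// Added example: classify PEM private-key blocks by their BEGIN label (std only).
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum KeyFormat {
    Pkcs8,          // -----BEGIN PRIVATE KEY-----
    Pkcs1Rsa,       // -----BEGIN RSA PRIVATE KEY-----
    Sec1Ec,         // -----BEGIN EC PRIVATE KEY-----
    EncryptedPkcs8, // -----BEGIN ENCRYPTED PRIVATE KEY-----
}

/// Return the format of every private-key block found in `pem`, in file order.
pub fn key_formats(pem: &str) -> Vec<KeyFormat> {
    pem.lines()
        .filter_map(|line| {
            let label = line.trim().strip_prefix("-----BEGIN ")?.strip_suffix("-----")?;
            match label {
                "PRIVATE KEY" => Some(KeyFormat::Pkcs8),
                "RSA PRIVATE KEY" => Some(KeyFormat::Pkcs1Rsa),
                "EC PRIVATE KEY" => Some(KeyFormat::Sec1Ec),
                "ENCRYPTED PRIVATE KEY" => Some(KeyFormat::EncryptedPkcs8),
                _ => None, // certificates and other non-key blocks
            }
        })
        .collect()
}

/// Check that the file holds a key in the format the caller is about to parse,
/// so a mismatch becomes a readable error rather than an index panic later.
pub fn require_format(pem: &str, wanted: KeyFormat) -> Result<(), String> {
    let found = key_formats(pem);
    if found.contains(&wanted) {
        return Ok(());
    }
    match found.first() {
        None => Err("no private key block found in PEM input".to_string()),
        Some(other) => Err(format!("expected a {:?} key but the file contains {:?}", wanted, other)),
    }
}

// Constructed sample: a PKCS#8 header and footer; the body is a placeholder
// because only the labels are inspected here.
pub const SAMPLE_PKCS8: &str =
    "-----BEGIN PRIVATE KEY-----\nMIIB...constructed...\n-----END PRIVATE KEY-----\n";

fn main() {
    // A caller that only parses PKCS#1 keys gets an error message, not a panic.
    println!("{:?}", require_format(SAMPLE_PKCS8, KeyFormat::Pkcs1Rsa));
    println!("{:?}", require_format(SAMPLE_PKCS8, KeyFormat::Pkcs8));
}
```

The label only identifies the container format; it says nothing about key size, so a 1024-bit key in the expected format still has to be rejected by the key parser itself.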
It isn't clear. Are 1024-bit RSA private keys allowed?
from rustls.
It isn't clear. Are 1024-bit RSA private keys allowed?
no
from rustls.
I believe this (specifically, good errors when rejecting 1024-bit keys) has been addressed upstream.
from rustls.