
Comments (2)

krizhanovsky commented on August 10, 2024

The following test from tempesta-tech/tempesta-test@5beb3e6 passes, while it generates a very similar certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            72:0b:ab:97:89:52:72:78:da:ed:06:11:9c:b2:8e:4f:82:52:4d:86
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, ST = Washington, L = Seattle, O = Tempesta Technologies Inc., OU = Testing, CN = tempesta-tech.com, emailAddress = [email protected]
        Validity
            Not Before: Jun 29 10:52:31 2024 GMT
            Not After : Jun 30 10:52:31 2025 GMT
        Subject: C = US, ST = Washington, L = Seattle, O = Tempesta Technologies Inc., OU = Testing, CN = tempesta-tech.com, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:8b:32:4e:cc:0e:4e:25:34:69:48:1a:91:9c:4a:
                    70:81:8f:5b:8f:4b:6f:89:6e:8e:d0:c9:33:e5:d3:
                    67:5d:72:d1:29:79:95:09:2a:5b:8f:0d:70:77:75:
                    79:d0:d4:e4:9d:71:38:5d:b6:6c:2c:6c:90:20:d2:
                    8e:12:38:96:29
                ASN1 OID: prime256v1
                NIST CURVE: P-256
    Signature Algorithm: ecdsa-with-SHA384

from tempesta.

krizhanovsky commented on August 10, 2024

The problem is actually that Let's Encrypt sends us a certificate bundle, that is, the certificate concatenated with a CA certificate, and the CA uses secp384r1 EC, which we don't support:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            83:8f:6c:63:ce:b1:39:8c:62:06:62:83:15:c9:fd:de
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Internet Security Research Group, CN = ISRG Root X1
        Validity
            Not Before: Mar 13 00:00:00 2024 GMT
            Not After : Mar 12 23:59:59 2027 GMT
        Subject: C = US, O = Let's Encrypt, CN = E5
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:0d:0b:3a:8a:6b:61:8e:b6:ef:dc:5f:58:e7:c6:
                    42:45:54:ab:63:f6:66:61:48:0a:2e:59:75:b4:81:
                    02:37:50:b7:3f:16:79:dc:98:ec:a1:28:97:72:20:
                    1c:2c:cf:d5:7c:52:20:4e:54:78:5b:84:14:6b:c0:
                    90:ae:85:ec:c0:51:41:3c:5a:87:7f:06:4d:d4:fe:
                    60:d1:fa:6c:2d:e1:7d:95:10:88:a2:08:54:0f:99:
                    1a:4c:e6:ea:0a:ac:d8
                ASN1 OID: secp384r1
                NIST CURVE: P-384
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Subject Key Identifier: 
                9F:2B:5F:CF:3C:21:4F:9D:04:B7:ED:2B:2C:C4:C6:70:8B:D2:D7:0D
            X509v3 Authority Key Identifier: 
                79:B4:59:E6:7B:B6:E5:E4:01:73:80:08:88:C8:1A:58:F6:E9:9B:6E
            Authority Information Access: 
                CA Issuers - URI:http://x1.i.lencr.org/
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
            X509v3 CRL Distribution Points: 
                Full Name:
                  URI:http://x1.c.lencr.org/
    Signature Algorithm: sha256WithRSAEncryption

We only send the authority certificate as is and do not use it in any way, so we should not parse it and should not spend memory on the certificate descriptor.

from tempesta.
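
As an added illustration of the approach described in the comment above (not Tempesta FW code and not part of the original thread): a Python sketch that parses only the first certificate of a PEM bundle and keeps the remaining chain certificates as opaque DER. The function names, the `supported` default and the skeleton certificates built by `sample_cert` are assumptions constructed for this example.

```python
import base64, re

# DER content bytes of the named-curve OIDs seen in the two dumps above.
CURVES = {bytes.fromhex("2a8648ce3d030107"): "prime256v1",
          bytes.fromhex("2b81040022"): "secp384r1"}

def tlv(buf, off):
    """Return (tag, body_start, body_end) of the DER element at off."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    if off + n > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + n

def spki_curve(der):
    """Name of the EC curve in a certificate's SubjectPublicKeyInfo."""
    _, p, _ = tlv(der, 0)          # Certificate
    _, p, _ = tlv(der, p)          # tbsCertificate
    tag, _, end = tlv(der, p)
    if tag == 0xA0:                # optional [0] version
        p = end
    for _ in range(5):             # serial, sigalg, issuer, validity, subject
        _, _, p = tlv(der, p)
    _, p, _ = tlv(der, p)          # subjectPublicKeyInfo
    _, p, _ = tlv(der, p)          # AlgorithmIdentifier
    _, _, p = tlv(der, p)          # algorithm OID
    _, s, e = tlv(der, p)          # parameters (named-curve OID for EC keys)
    return CURVES.get(der[s:e], "unknown")

def load_bundle(pem, supported=("prime256v1",)):
    """Parse only the first (leaf) certificate; keep the rest as opaque DER."""
    ders = [base64.b64decode(b) for b in re.findall(
        r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)]
    if not ders:
        raise ValueError("no certificate in bundle")
    curve = spki_curve(ders[0])
    if curve not in supported:
        raise ValueError("unsupported leaf key: " + curve)
    return curve, ders[1:]       # chain is forwarded as is, never parsed

def sample_cert(curve_hex):
    """Constructed skeleton certificate: empty names, dummy key and signature."""
    el = lambda tag, body=b"": bytes([tag, len(body)]) + body
    alg = el(0x30, el(0x06, bytes.fromhex("2a8648ce3d0201")) + el(0x06, bytes.fromhex(curve_hex)))
    tbs = el(0x30, el(0xA0, el(0x02, b"\x02")) + el(0x02, b"\x01") + el(0x30) * 4
             + el(0x30, alg + el(0x03, b"\x00\x04")))
    pem = base64.b64encode(el(0x30, tbs + el(0x30) + el(0x03, b"\x00"))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "\n-----END CERTIFICATE-----\n"
```

`spki_curve` can also be run on each chain entry offline as a diagnostic to see which curve an issuing CA uses before a bundle is deployed.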
