Comments (11)

Ylianst commented on May 28, 2024

This is not good. Do you have a way to generate such a certificate or have a sample certificate you can mail me? I imagine only the public portion of the certificate is provided to MeshCentral? - Thanks.

from meshcentral.

commented on May 28, 2024

@Ylianst I can confirm that an error message appears when you replace the default webserver certificate with an ECDSA certificate. This is the error message in question from mesherrors.txt:

-------- 10/26/2018, 6:08:12 PM ---- 0.2.2-m --------

/meshcentral/node_modules/node-forge/js/x509.js:1274
    throw new Error('Cannot read public key. OID is not RSA.');
    ^

Error: Cannot read public key. OID is not RSA.
    at Object.pki.certificateFromAsn1 (/meshcentral/node_modules/node-forge/js/x509.js:1274:11)
    at Object.pki.certificateFromPem (/meshcentral/node_modules/node-forge/js/x509.js:716:14)
    at Object.obj.GetMeshServerCertificate (/meshcentral/node_modules/meshcentral/certoperations.js:230:42)
    at CreateMeshCentralServer.obj.StartEx2 (/meshcentral/node_modules/meshcentral/meshcentral.js:385:35)
    at Server.<anonymous> (/meshcentral/node_modules/meshcentral/redirserver.js:108:13)
    at Object.onceWrapper (events.js:273:13)
    at Server.emit (events.js:182:13)
    at emitListeningNT (net.js:1320:10)
    at process._tickCallback (internal/process/next_tick.js:63:19)

Here is the public portion of an ECDSA certificate that you can use for testing purposes:


commented on May 28, 2024

I think I've discovered the cause of this issue. MeshCentral is using the node version of forge for its native TLS implementation in JavaScript. According to this, this and this issue on their GitHub project page, forge doesn't support ECDSA certificates yet. Unless there is a viable alternative to forge, there's probably nothing @Ylianst can do to solve this issue other than to wait for them to implement support for it.

Edit: I think crypto-browserify might be a suitable alternative to forge that supports ECDSA.

Ylianst commented on May 28, 2024

I may still be able to fix this because I don't need to do any certificate operations on this TLS cert, I just need to make sure the server and agents both see the same cert by having the same hash. So, if I work on this a bit I could hash the ECDSA cert on both sides correctly and not need ForgeJS at all.

Thanks for the ECDSA cert, I can give it a try.

commented on May 28, 2024

@Ylianst Awesome, I'm glad to hear that. Good luck with implementing this feature!

commented on May 28, 2024

@Ylianst I noticed that non-RSA cert hashes are being calculated after a recent commit, but it doesn't seem to be fully supported yet. The hashes that MeshCentral and MeshAgent calculate are different from each other. Is it supposed to be working right now?

Ylianst commented on May 28, 2024

I got the server ready, but the agent is not. So ECDSA will not work yet. Hope to start testing with an ECDSA cert this week.

commented on May 28, 2024

@Ylianst You are on a roll lately. I love your passion for this project!

Ylianst commented on May 28, 2024

Just published MeshCentral v0.2.4-a with ECDSA support for certificates in the reverse-proxy. Only the macOS agent does not support it in this version (next time macOS is compiled on our side, the support for ECDSA will be there).

To be clear, MeshCentral will only generate and handle RSA certificates on its own; however, if a reverse-proxy like NGINX is in front of MeshCentral and it has an ECDSA certificate, MeshCentral and the MeshAgents will handle it correctly.

Testing and feedback appreciated.

commented on May 28, 2024

@Ylianst I tested it and can confirm that MeshCentral works with ECDSA certificates now. I think you can close this issue.

whlsxl commented on May 28, 2024

I use lego to generate the TLS cert; the default --key-type is ec256. When I link the cert file to webserver-cert-private.key & webserver-cert-public.crt, forge does not support ECDSA.

But I think that's not a big deal, just in case someone has the same problem.

https://go-acme.github.io/lego/usage/cli/options/
digitalbazaar/forge#925
