From agoyeneche at gmail.com Mon Oct 7 08:22:03 2024
From: agoyeneche at gmail.com (Ariel Goyeneche)
Date: Mon, 7 Oct 2024 10:22:03 +0200
Subject: Ciphersuites configuration: unknown command
Message-ID:

Hi Team,

If possible, I am looking for help on how to change the cipher on my existing Unit instance.

*Background:*

We have been running Nginx Unit 1.28 for some time without problems on an intranet installation. I built Unit from source to be able to work with a specific Python version (Python 3.9.12). I configured the build with the openssl option (./configure --openssl).

By default my current Unit instance is loading a now obsolete cipher (AES256-GCM-SHA384). Therefore, I have the need to upgrade the ciphers.

*Issue*

When I am trying to add the following option:

    "tls": {
        "certificate": "bundle",
        "conf_commands": {
            "ciphersuites": "ECDHE-RSA-AES256-GCM-SHA384",
            "minprotocol": "TLSv1.2"
        }
    }

I get an error saying:

    *unknown command "ciphersuites" in "conf_commands" option (386: unknown cmd name)*

Even when I try to load the existing cipher, I have the same error:

    "tls": {
        "certificate": "bundle",
        "conf_commands": {
            "ciphersuites": "AES256-GCM-SHA384",
            "minprotocol": "TLSv1.2"
        }
    }

    *unknown command "ciphersuites" in "conf_commands" option (386: unknown cmd name)*

My openssl -ciphers -v list includes AES256-GCM-SHA384 and ECDHE-RSA-AES256-GCM-SHA384.

*Questions*

Would it be possible that I am typing something wrong? Is this the correct approach? Or it may be that I need to upgrade my Unit version?

Thanks in advance
AG


From andrew at digital-domain.net Mon Oct 7 13:19:51 2024
From: andrew at digital-domain.net (Andrew Clayton)
Date: Mon, 7 Oct 2024 14:19:51 +0100
Subject: Ciphersuites configuration: unknown command
In-Reply-To:
References:
Message-ID: <20241007141951.4a90e206@kappa.digital-domain.net>

On Mon, 7 Oct 2024 10:22:03 +0200
Ariel Goyeneche wrote:

> Hi Team,

Hello,

[...]

> *Issue*
> When I am trying to add the following option:
>
>     "tls": {
>         "certificate": "bundle",
>         "conf_commands": {
>             "ciphersuites": "ECDHE-RSA-AES256-GCM-SHA384",
>             "minprotocol": "TLSv1.2"
>         }
>     }
>
> I get an error saying: *unknown command "ciphersuites" in "conf_commands"
> option (386: unknown cmd name)*

Hmm, looking at the SSL_CONF_cmd(3ossl) man-page, I'm wondering if you
simply need to prefix the command with "-", i.e.

    "-ciphersuites": ...

'minprotocol' however looks a little different...

    "MinProtocol": ...

Hope that helps...

Cheers,
Andrew


From agoyeneche at gmail.com Tue Oct 8 08:13:17 2024
From: agoyeneche at gmail.com (Ariel Goyeneche)
Date: Tue, 8 Oct 2024 10:13:17 +0200
Subject: Ciphersuites configuration: unknown command
In-Reply-To: <20241007141951.4a90e206@kappa.digital-domain.net>
References: <20241007141951.4a90e206@kappa.digital-domain.net>
Message-ID:

Hi Andrew,

Thanks for the answer. I believe that you are suggesting that these parameters are passed through to the underlying ssl as command line parameters.

I tried all possible alternatives that I was able to find online (-, camel case, lower case underscore separated) but I am always getting the same error:

    *unknown command "ciphersuites" in "conf_commands"
    *unknown command "-ciphersuites" in "conf_commands"
    *unknown command "ciphers" in "conf_commands"
    *unknown command "-ciphers" in "conf_commands"

Anyone else in the community that managed to get this config working, please?

My openssl version is: OpenSSL 1.0.2k-fips 26 Jan 2017

Thanks
AG

On Mon, 7 Oct 2024 at 15:19, Andrew Clayton wrote:

> On Mon, 7 Oct 2024 10:22:03 +0200
> Ariel Goyeneche wrote:
>
> > Hi Team,
>
> Hello,
>
> [...]
>
> > *Issue*
> > When I am trying to add the following option:
> >
> >     "tls": {
> >         "certificate": "bundle",
> >         "conf_commands": {
> >             "ciphersuites": "ECDHE-RSA-AES256-GCM-SHA384",
> >             "minprotocol": "TLSv1.2"
> >         }
> >     }
> >
> > I get an error saying: *unknown command "ciphersuites" in "conf_commands"
> > option (386: unknown cmd name)*
>
> Hmm, looking at the SSL_CONF_cmd(3ossl) man-page, I'm wondering if you
> simply need to prefix the command with "-", i.e.
>
>     "-ciphersuites": ...
>
> 'minprotocol' however looks a little different...
>
>     "MinProtocol": ...
>
> Hope that helps...
>
> Cheers,
> Andrew

-- 
Ariel Goyeneche
www.goyeneche.co.uk


From andrew at digital-domain.net Tue Oct 8 16:17:10 2024
From: andrew at digital-domain.net (Andrew Clayton)
Date: Tue, 8 Oct 2024 17:17:10 +0100
Subject: Ciphersuites configuration: unknown command
In-Reply-To:
References: <20241007141951.4a90e206@kappa.digital-domain.net>
Message-ID: <20241008171710.670b253c@kappa.digital-domain.net>

On Tue, 8 Oct 2024 10:13:17 +0200
Ariel Goyeneche wrote:

> Hi Andrew,
>
> Thanks for the answer. I believe that you are suggesting that these
> parameters are passed through to the underlying ssl as command line
> parameters.
> I tried all possible alternatives that I was able to find online (-, camel
> case, lower case underscore separated) but I am always getting the same
> error
> *unknown command "ciphersuites" in "conf_commands"
> *unknown command "-ciphersuites" in "conf_commands"
> *unknown command "ciphers" in "conf_commands"
> *unknown command "-ciphers" in "conf_commands"
>
> Anyone else in the community that managed to get this config working please?
>
> My openssl version is : OpenSSL 1.0.2k-fips 26 Jan 2017

OK, so the following works for me with OpenSSL 3.2.2

    "tls": {
        "certificate": "bundle",
        "conf_commands": {
            "ciphersuites": "TLS_AES_256_GCM_SHA384",
            "minprotocol": "TLSv1.2"
        }
    }

For OpenSSL 1.0.2 it looks like you should use "cipher" (singular)
instead of "ciphersuites".

MinProtocol isn't in 1.0.2, but there is 'Protocol' that you may be able
to use instead (however it's deprecated in favour of MinProtocol &
MaxProtocol in newer versions).

From the 1.0.2 SSL_CONF_cmd(3ossl) man-page for 'Protocol'

    "The supported versions of the SSL or TLS protocol.

    The value argument is a comma separated list of supported protocols
    to enable or disable. If an protocol is preceded by - that version
    is disabled. Currently supported protocol values are SSLv2, SSLv3,
    TLSv1, TLSv1.1 and TLSv1.2. All protocol versions other than SSLv2
    are enabled by default. To avoid inadvertent enabling of SSLv2, when
    SSLv2 is disabled, it is not possible to enable it via the Protocol
    command."
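The thread's underlying point is that Unit hands each "conf_commands" key to OpenSSL's SSL_CONF_cmd, and the command that takes a cipher name depends on which protocol the name belongs to: TLS 1.3 suite names such as TLS_AES_256_GCM_SHA384 go under "ciphersuites" (OpenSSL 1.1.1 and later only), while TLS 1.2 names such as ECDHE-RSA-AES256-GCM-SHA384 go under the file-mode cipher list command, which OpenSSL documents as "CipherString" (the cmdline-mode equivalent of "-cipher"). The helper below, an added example that is neither the thread's nor the Unit project's code, sorts a list of names into the right key using a constructed excerpt in the format of `openssl ciphers -v`, and also flags suites without forward secrecy (Kx=RSA), which is the practical reason to move off AES256-GCM-SHA384; it assumes Unit passes the keys in SSL_CONF file mode, where names are case-insensitive.

```shell
#!/bin/sh
# Added example, not from the thread or the Unit project. Maps cipher names
# onto the OpenSSL SSL_CONF_cmd command Unit's "conf_commands" should use:
#   TLSv1.3 suites (TLS_*)   -> "ciphersuites" (absent from OpenSSL 1.0.2)
#   TLSv1.2 and older names  -> "cipherstring" (file-mode name of -cipher)
# CIPHER_TABLE is a constructed excerpt in `openssl ciphers -v` format; on a
# real host replace it with: CIPHER_TABLE=$(openssl ciphers -v 'ALL')
CIPHER_TABLE='TLS_AES_256_GCM_SHA384      TLSv1.3 Kx=any  Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD'

# Print the conf_commands key a cipher belongs under, or "unknown" when the
# local OpenSSL does not list it (a 1.0.2 build lists no TLSv1.3 suites).
conf_key_for() {
    proto=$(printf '%s\n' "$CIPHER_TABLE" | awk -v n="$1" '$1 == n { print $2 }')
    case "$proto" in
        TLSv1.3) echo ciphersuites ;;
        "")      echo unknown ;;
        *)       echo cipherstring ;;
    esac
}

# Kx=RSA means the session key is encrypted to the server's long-term key, so
# a later key compromise decrypts recorded traffic; ECDH/DH/any are ephemeral.
has_forward_secrecy() {
    kx=$(printf '%s\n' "$CIPHER_TABLE" | awk -v n="$1" '$1 == n { print $3 }')
    case "$kx" in
        Kx=ECDH|Kx=DH|Kx=any) return 0 ;;
        *)                    return 1 ;;
    esac
}

# Build the "conf_commands" object for a space-separated list of names,
# sorting each into the right key; names this OpenSSL lacks go to stderr.
conf_commands_json() {
    suites=""; ciphers=""
    for c in $1; do
        case "$(conf_key_for "$c")" in
            ciphersuites) suites="${suites:+$suites:}$c" ;;
            cipherstring) ciphers="${ciphers:+$ciphers:}$c" ;;
            *) echo "skipping $c: not listed by this OpenSSL" >&2 ;;
        esac
    done
    out=""
    [ -n "$suites" ]  && out="\"ciphersuites\": \"$suites\""
    [ -n "$ciphers" ] && out="${out:+$out, }\"cipherstring\": \"$ciphers\""
    printf '{%s}\n' "$out"
}
```

On an OpenSSL 1.0.2 host the TLS_* names come back as unknown and only "cipherstring" is emitted, which matches the version split Andrew describes.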