I am trying to enable an ADH (Anonymous Diffie-Hellman) cipher suite but cannot seem to get a connection.
I have verified that the cipher suites attempted here are available through openssl ciphers -v ALL.
This is attempting to start cowboy through Elixir.
Note: cert_file, key_file and dh_file are functions that return a charlist to the respective files.
@http_port 8002

:cowboy.start_tls(
  __MODULE__,
  [
    :inet6,
    {:ssl_imp, :new},
    {:port, @http_port},
    {:certfile, cert_file()},
    {:keyfile, key_file()},
    {:ciphers,
     [
       {:dhe_rsa, :aes_128_cbc, :sha256},
       {:dh_anon, :aes_128_cbc, :sha},
       {:dh_anon, :aes_256_gcm, :null, :sha384}
     ]},
    {:secure_renegotiate, true},
    {:reuse_sessions, true},
    {:dhfile, dh_file()},
    {:versions, [:'tlsv1.2']}
  ],
  %{env: %{dispatch: dispatch}}
)
Here is the output from trying to connect with the openssl client (version 1.1.0f).
The first is connecting using a DH cipher just to make sure I could make a connection and my DH file seemed to load correctly. (I believe this shows that it is working.) THIS IS NOT THE CIPHER I NEED TO WORK.
The following attempts are trying to connect using ADH ciphers.
NOTE: The last connection I am trying to make is the command I need to run successfully.
chris@chrisdev:~/openssl-OpenSSL_1_1_0f$ LD_LIBRARY_PATH=. apps/openssl s_client -connect 192.168.100.6:8002 -cipher DHE-RSA-AES128-SHA256
CONNECTED(00000003)
depth=0 C = US, ST = Texas, O = Nine Nines, OU = Cowboy, CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Texas, O = Nine Nines, OU = Cowboy, CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/C=US/ST=Texas/O=Nine Nines/OU=Cowboy/CN=localhost
i:/C=US/ST=Texas/O=Nine Nines/OU=Cowboy/CN=ROOT CA
---
Server certificate
subject=/C=US/ST=Texas/O=Nine Nines/OU=Cowboy/CN=localhost
issuer=/C=US/ST=Texas/O=Nine Nines/OU=Cowboy/CN=ROOT CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 1542 bytes and written 460 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is DHE-RSA-AES128-SHA256
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES128-SHA256
Session-ID: CE2A7CA35FD5C87FC7D205AA0A68DB34D3A0CBA8A4D1F99841B12530DE524C74
Session-ID-ctx:
Master-Key: 7E1FFF877B61378FD0C50F3E402B84D7277DF9625403F74DAE286AE212502FA21AD524ABC690F46157AFA7FDB347E3AD
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1519178195
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
---
closed
chris@chrisdev:~/openssl-OpenSSL_1_1_0f$ LD_LIBRARY_PATH=. apps/openssl s_client -connect 192.168.100.6:8002 -cipher ADH-AES128-SHA
CONNECTED(00000003)
140076317005632:error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available:ssl/statem/statem_clnt.c:800:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1519178248
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
chris@chrisdev:~/openssl-OpenSSL_1_1_0f$ LD_LIBRARY_PATH=. apps/openssl s_client -connect 192.168.100.6:8002 -cipher @SECLEVEL=0:ADH-AES128-SHA
CONNECTED(00000003)
139773659223872:error:1409442F:SSL routines:ssl3_read_bytes:tlsv1 alert insufficient security:ssl/record/rec_layer_s3.c:1399:SSL alert number 71
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 102 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1519178264
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
chris@chrisdev:~/openssl-OpenSSL_1_1_0f$ LD_LIBRARY_PATH=. apps/openssl s_client -connect 192.168.100.6:8002 -cipher @SECLEVEL=0:ADH-AES256-GCM-SHA384
CONNECTED(00000003)
140244636743488:error:1416D099:SSL routines:tls_process_key_exchange:extra data in message:ssl/statem/statem_clnt.c:1745:
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: DH, 2048 bits
---
SSL handshake has read 746 bytes and written 109 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID: 6470C4091B6C0EDA38FA5ACA01D7F16304762434783F6DD2AF76969B0E61970E
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1519178290
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
If I create a server with openssl:
chris@chrisdev:~/openssl-OpenSSL_1_1_0f$ LD_LIBRARY_PATH=. apps/openssl s_server -6 -accept 8443 -nocert -cipher @SECLEVEL=0:ADH-AES256-GCM-SHA384
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFoCAQECAgMDBAIApwQABDAs1eFbU9oVHM1HdTfRnj0JioBavNWUoXHnY1JpWi1d
3WQkdorAaaV3XQGA0uzmwvuhBgIEWozVQaIEAgIcIKQGBAQBAAAArQMCAQE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ADH-AES256-GCM-SHA384
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
CIPHER is ADH-AES256-GCM-SHA384
Secure Renegotiation IS supported
I am able to connect to it with the last command from above:
chris@chrisdev:~/openssl-OpenSSL_1_1_0f$ LD_LIBRARY_PATH=. apps/openssl s_client -connect localhost:8443 -cipher @SECLEVEL=0:ADH-AES256-GCM-SHA384
CONNECTED(00000003)
---
no peer certificate available
---
No client certificate CA names sent
Server Temp Key: DH, 3072 bits
---
SSL handshake has read 1081 bytes and written 548 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ADH-AES256-GCM-SHA384
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ADH-AES256-GCM-SHA384
Session-ID: 3353CC58E7C0913D9FAF9968CDB676F31CE3DEB208D8B7BFDA7A4859751250D9
Session-ID-ctx:
Master-Key: 2CD5E15B53DA151CCD477537D19E3D098A805ABCD594A171E76352695A2D5DDD6424768AC069A5775D0180D2ECE6C2FB
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - f8 33 0f a8 6d f4 6f dc-f9 bc ab d0 e2 bf e6 e2 .3..m.o.........
0010 - da c4 8a fc 60 fa 2a be-b2 fc e6 b9 19 c1 5b e4 ....`.*.......[.
0020 - 10 ae 96 44 6b 19 76 12-51 71 c0 bd cb 69 41 1a ...Dk.v.Qq...iA.
0030 - 83 0d a4 0e 92 09 33 4f-8a 9a c6 9e 5b bb 45 d2 ......3O....[.E.
0040 - 32 04 39 7c 93 6b bc 74-3a c5 fc f5 cd bb 30 f7 2.9|.k.t:.....0.
0050 - 46 78 28 44 f3 6d 71 92-2b 0e 5c f3 92 72 c3 b8 Fx(D.mq.+.\..r..
0060 - d0 14 ce 7b e2 2f eb 07-34 a6 12 65 cb 42 3c d5 ...{./..4..e.B<.
0070 - 14 ca c9 20 71 eb cc c2-bf 86 43 05 50 19 ee 39 ... q.....C.P..9
0080 - 7b f1 47 dd 66 cd b0 8f-ac c0 09 18 b4 5b 60 b7 {.G.f........[`.
0090 - f7 6e a9 55 7c b8 8f 10-03 0b a7 45 5f ee 7e cd .n.U|......E_.~.
Start Time: 1519179073
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes
---
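
An added example, not part of the original post: a Python triage of the s_client runs above that uses the OpenSSL error line and the read/written byte counters to tell at which point each handshake stopped. The stage labels (`client-local`, `server-alert`, `client-parse`) are names chosen for this example, and the inputs are lines excerpted from the outputs in the post.

```python
import re

# Lines excerpted from the four s_client runs in the post (error line, byte counters, cipher line).
RUNS = {
    "ADH-AES128-SHA": (
        "140076317005632:error:141640B5:SSL routines:tls_construct_client_hello:"
        "no ciphers available:ssl/statem/statem_clnt.c:800:\n"
        "SSL handshake has read 0 bytes and written 0 bytes\n"
        "New, (NONE), Cipher is (NONE)\n"),
    "@SECLEVEL=0:ADH-AES128-SHA": (
        "139773659223872:error:1409442F:SSL routines:ssl3_read_bytes:"
        "tlsv1 alert insufficient security:ssl/record/rec_layer_s3.c:1399:SSL alert number 71\n"
        "SSL handshake has read 7 bytes and written 102 bytes\n"
        "New, (NONE), Cipher is (NONE)\n"),
    "@SECLEVEL=0:ADH-AES256-GCM-SHA384": (
        "140244636743488:error:1416D099:SSL routines:tls_process_key_exchange:"
        "extra data in message:ssl/statem/statem_clnt.c:1745:\n"
        "SSL handshake has read 746 bytes and written 109 bytes\n"
        "New, (NONE), Cipher is (NONE)\n"),
    "DHE-RSA-AES128-SHA256": (
        "SSL handshake has read 1542 bytes and written 460 bytes\n"
        "New, TLSv1.2, Cipher is DHE-RSA-AES128-SHA256\n"),
}

ERR = re.compile(r"^\d+:error:[0-9A-F]+:SSL routines:([^:]+):([^:]+):", re.M)
IO = re.compile(r"has read (\d+) bytes and written (\d+) bytes")
CIPHER = re.compile(r"^New, .*Cipher is (\S+)$", re.M)
ALERT = re.compile(r"SSL alert number (\d+)")

def triage(output):
    """Return (stage, detail) saying where in the handshake an s_client run stopped."""
    err, io = ERR.search(output), IO.search(output)
    cipher = CIPHER.search(output).group(1)
    read, written = (int(n) for n in io.groups())
    if err is None and cipher != "(NONE)":
        return ("completed", cipher)
    func, reason = err.groups()
    if written == 0:
        # Nothing left the client: its own cipher filter emptied the offer.
        return ("client-local", reason)
    alert = ALERT.search(output)
    if alert:
        # A fatal alert was received: the peer refused what the client offered.
        return ("server-alert", f"{reason} (alert {alert.group(1)})")
    # The server answered with handshake data that the client could not parse.
    return ("client-parse:" + func, reason)

if __name__ == "__main__":
    for spec, out in RUNS.items():
        print(f"{spec:36} -> {triage(out)}")
```
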