I create a package that contains 22 equal applets. (The applets are equal in program and different in AID.)
When I set the package AID and the applets' AIDs as below, everything is OK. (I can install it and I can see it in the response of the gp -list command.)
Package AID = 0102030405
App1 AID = 010203040501
App2 AID = 010203040502
App3 AID = 010203040503
App4 AID = 010203040504
App5 AID = 010203040505
App6 AID = 010203040506
App7 AID = 010203040507
App8 AID = 010203040508
App9 AID = 010203040509
App10 AID = 01020304050a
App11 AID = 01020304050b
App12 AID = 01020304050c
App13 AID = 01020304050d
App14 AID = 01020304050e
App15 AID = 01020304050f
App16 AID = 010203040510
App17 AID = 010203040511
App18 AID = 010203040512
App19 AID = 010203040513
App20 AID = 010203040514
App21 AID = 010203040515
App22 AID = 010203040516
Look :
gp: gp -list
AID: A000000151000000 (|....Q...|)
ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
CVM (PIN) management
AID: A0000001515350 (|....QSP|)
ExM LOADED: (none)
A000000151535041 (|....QSPA|)
gp: gp -install e:\PackageWithShortAIDs.cap
gp: gp -list
AID: A000000151000000 (|....Q...|)
ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
CVM (PIN) management
AID: 010203040507 (|......|)
App SELECTABLE: (none)
AID: A0000001515350 (|....QSP|)
ExM LOADED: (none)
A000000151535041 (|....QSPA|)
AID: 0102030405 (|.....|)
ExM LOADED: (none)
010203040507 (|......|)
010203040506 (|......|)
010203040505 (|......|)
010203040504 (|......|)
010203040503 (|......|)
010203040502 (|......|)
010203040501 (|......|)
010203040513 (|......|)
010203040512 (|......|)
010203040511 (|......|)
010203040510 (|......|)
01020304050F (|......|)
01020304050E (|......|)
01020304050D (|......|)
01020304050C (|......|)
01020304050B (|......|)
01020304050A (|......|)
010203040516 (|......|)
010203040515 (|......|)
010203040514 (|......|)
010203040509 (|......|)
010203040508 (|......|)
gp:
Now, I change the AIDs of the applets as below (everything else is the same as before):
Package AID = 0102030405
App1 AID = 0102030405060708090001
App2 AID = 0102030405060708090002
App3 AID = 0102030405060708090003
App4 AID = 0102030405060708090004
App5 AID = 0102030405060708090005
App6 AID = 0102030405060708090006
App7 AID = 0102030405060708090007
App8 AID = 0102030405060708090008
App9 AID = 0102030405060708090009
App10 AID = 010203040506070809000a
App11 AID = 010203040506070809000b
App12 AID = 010203040506070809000c
App13 AID = 010203040506070809000d
App14 AID = 010203040506070809000e
App15 AID = 010203040506070809000f
App16 AID = 0102030405060708090010
App17 AID = 0102030405060708090011
App18 AID = 0102030405060708090012
App19 AID = 0102030405060708090013
App20 AID = 0102030405060708090014
App21 AID = 0102030405060708090015
App22 AID = 0102030405060708090016
In this case, I can load and install it. But I can't list my installed applets anymore!
gp: gp -list
AID: A000000151000000 (|....Q...|)
ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
CVM (PIN) management
AID: A0000001515350 (|....QSP|)
ExM LOADED: (none)
A000000151535041 (|....QSPA|)
gp: gp -install e:\PackageWithLongAIDs.cap
gp: gp -list
javax.smartcardio.CardException: Get Status failed, SW: 6A88
at pro.javacard.gp.GlobalPlatform.getConcatenatedStatus(GlobalPlatform.java:1020)
at pro.javacard.gp.GlobalPlatform.getStatus(GlobalPlatform.java:1070)
at pro.javacard.gp.GlobalPlatform.getRegistry(GlobalPlatform.java:673)
at pro.javacard.gp.GPTool.main(GPTool.java:499)
Exception in thread "main" javax.smartcardio.CardException: Get Status failed, SW: 6A88
at pro.javacard.gp.GlobalPlatform.getConcatenatedStatus(GlobalPlatform.java:1020)
at pro.javacard.gp.GlobalPlatform.getStatus(GlobalPlatform.java:1070)
at pro.javacard.gp.GlobalPlatform.getRegistry(GlobalPlatform.java:673)
at pro.javacard.gp.GPTool.main(GPTool.java:499)
gp:
Why?!
Update :
Debug Mode - Short AIDs :
.
.
.
A>> T=1 (4+0008) 80500000 08 9F6EB47CB0E1F31F
A<< (0028+2) (70ms) 00004198001714974248FF0200BD548DC44808E7509B8AD3DEACC41F 9000
Host challenge: 9F6EB47CB0E1F31F
Card challenge: 00BD548DC44808E7
Card reports SCP02 with version 255 keys
Master keys:
Version 0
ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
Sequnce counter: 00BD
Derived session keys:
Version 0
ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:DAED14FD3E4D7E6DC2A87F618D5A9EAC
MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:59AEDE4C2E3E891BB50AE82028E44BF0
KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:4DD4DBE895A5CFC590D4B190BF0547AC
Verified card cryptogram: 509B8AD3DEACC41F
Calculated host cryptogram: 85D04425E8C0A4BA
A>> T=1 (4+0016) 84820100 10 85D04425E8C0A4BAB5F40665FC1D88EE
A<< (0000+2) (66ms) 9000
A>> T=1 (4+0010) 84F28000 0A 4F009E0E0DBD266DC260
A<< (0011+2) (46ms) 08A000000151000000019E 9000
A>> T=1 (4+0010) 84F24000 0A 4F0078DB90059DC6D376
A<< (0009+2) (44ms) 060102030405070700 9000
A>> T=1 (4+0010) 84F22000 0A 4F000EA20738A58D27B1
A<< (0018+2) (48ms) 07A000000151535001000501020304050100 9000
A>> T=1 (4+0010) 84F21000 0A 4F0006BC7C18D19E7BDB
A<< (0183+2) (101ms) 07A000000151535001000108A000000151535041050102030405010016060102030405070601020304050606010203040505060102030405040601020304050306010203040502060102030405010601020304051306010203040512060102030405110601020304051006010203040​50F0601020304050E0601020304050D0601020304050C0601020304050B0601020304050A0601020304051606010203040515060102030405140601020304050906010203040508 9000
AID: A000000151000000 (|....Q...|)
ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
CVM (PIN) management
AID: 010203040507 (|......|)
App SELECTABLE: (none)
AID: A0000001515350 (|....QSP|)
ExM LOADED: (none)
A000000151535041 (|....QSPA|)
AID: 0102030405 (|.....|)
ExM LOADED: (none)
010203040507 (|......|)
010203040506 (|......|)
010203040505 (|......|)
010203040504 (|......|)
010203040503 (|......|)
010203040502 (|......|)
010203040501 (|......|)
010203040513 (|......|)
010203040512 (|......|)
010203040511 (|......|)
010203040510 (|......|)
01020304050F (|......|)
01020304050E (|......|)
01020304050D (|......|)
01020304050C (|......|)
01020304050B (|......|)
01020304050A (|......|)
010203040516 (|......|)
010203040515 (|......|)
010203040514 (|......|)
010203040509 (|......|)
010203040508 (|......|)
SCardEndTransaction()
SCardDisconnect("ACS CCID USB Reader 0", false)
gp:
Debug Mode - Long AIDs :
.
.
.
A>> T=1 (4+0008) 80500000 08 E81EAC2B833E5DCF
A<< (0028+2) (70ms) 00004198001714974248FF0200B93785186688F163331EF41FA02CB8 9000
Host challenge: E81EAC2B833E5DCF
Card challenge: 00B93785186688F1
Card reports SCP02 with version 255 keys
Master keys:
Version 0
ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:404142434445464748494A4B4C4D4E4F
Sequnce counter: 00B9
Derived session keys:
Version 0
ENC: Ver:0 ID:0 Type:DES3 Len:16 Value:1EC5FBCA9A5F21F727C14461A7D7E2C6
MAC: Ver:0 ID:0 Type:DES3 Len:16 Value:2688CFFD58CCF9EB52B5D5E786364C89
KEK: Ver:0 ID:0 Type:DES3 Len:16 Value:C181FE8094950965495E0D5023AFD65D
Verified card cryptogram: 63331EF41FA02CB8
Calculated host cryptogram: A269860A0E584230
A>> T=1 (4+0016) 84820100 10 A269860A0E5842301E0CBE71E485EA79
A<< (0000+2) (66ms) 9000
A>> T=1 (4+0010) 84F28000 0A 4F00DF01359AC330E966
A<< (0011+2) (46ms) 08A000000151000000019E 9000
A>> T=1 (4+0010) 84F24000 0A 4F003E447E78BC4DE5CC
A<< (0014+2) (45ms) 0B01020304050607080900070700 9000
A>> T=1 (4+0010) 84F22000 0A 4F00D20EAEA9E44363C1
A<< (0018+2) (48ms) 07A000000151535001000501020304050100 9000
A>> T=1 (4+0010) 84F21000 0A 4F003EA1383F26463052
A<< (0020+2) (54ms) 07A000000151535001000108A000000151535041 6310
A>> T=1 (4+0010) 84F21001 0A 4F002196E82C3A537F62
A<< (0000+2) (50ms) 6A88
javax.smartcardio.CardException: Get Status failed, SW: 6A88
at pro.javacard.gp.GlobalPlatform.getConcatenatedStatus(GlobalPlatform.java:1020)
at pro.javacard.gp.GlobalPlatform.getStatus(GlobalPlatform.java:1070)
at pro.javacard.gp.GlobalPlatform.getRegistry(GlobalPlatform.java:673)
at pro.javacard.gp.GPTool.main(GPTool.java:499)
SCardEndTransaction()
SCardDisconnect("ACS CCID USB Reader 0", false)
Exception in thread "main" javax.smartcardio.CardException: Get Status failed, SW: 6A88
at pro.javacard.gp.GlobalPlatform.getConcatenatedStatus(GlobalPlatform.java:1020)
at pro.javacard.gp.GlobalPlatform.getStatus(GlobalPlatform.java:1070)
at pro.javacard.gp.GlobalPlatform.getRegistry(GlobalPlatform.java:673)
at pro.javacard.gp.GPTool.main(GPTool.java:499)
gp:
Test with another Card :
I upload this package on another card (another type), but it is OK!
gp: gp -list
AID: A000000003000000 (|........|)
ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
CVM (PIN) management
gp: gp -install e:\PackageWithLongAIDs.cap
gp: gp -list
AID: A000000003000000 (|........|)
ISD OP_READY: Security Domain, Card lock, Card terminate, Default selected,
CVM (PIN) management
AID: 0102030405060708090007 (|...........|)
App SELECTABLE: (none)
AID: 0102030405 (|.....|)
Exe LOADED: (none)
gp:
As you see above, the list of applets of my package doesn't appear in the output (I think it is a feature of the SD of my card), but I have output without any error.
I think the card is the origin of the error! No?
Note that this problem appears only in cases where the package contains more than 20 applets.
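Added example (not part of the original post and not GlobalPlatformPro code): it parses the data field of the 84F21000 response from the short-AID debug trace, using the legacy GET STATUS layout that the trace itself exhibits, and then computes how large the same package entry becomes with 11-byte applet AIDs. The function names are made up for this example, and the 256-byte limit on response data per short APDU is an assumption about how the card answers.

```javascript
// Added example: not code from the post or from GlobalPlatformPro.
// Data field of the 84F21000 response in the short-AID trace (183 bytes, SW 9000).
const SHORT_AID_RESPONSE = [
  '07A000000151535001000108A0000001515350410501020304050100160',
  '60102030405070601020304050606010203040505060102030405040601020304050306010203040',
  '50206010203040501060102030405130601020304051206010203040511060102030405100601020',
  '304050F0601020304050E0601020304050D0601020304050C0601020304050B0601020304050A060',
  '1020304051606010203040515060102030405140601020304050906010203040508',
].join('');

// Assumption of this example: one short APDU response carries at most 256 data bytes.
const MAX_RESPONSE_DATA = 256;

// Legacy (non-TLV) layout for "load files and modules", as seen in the trace:
//   AID length | AID | life cycle | privileges | module count | (module AID length | module AID)*
function parseLoadFilesAndModules(hex) {
  const buf = Buffer.from(hex.replace(/\s+/g, ''), 'hex');
  const entries = [];
  let off = 0;
  const take = (n) => {
    if (off + n > buf.length) throw new RangeError('truncated GET STATUS data at offset ' + off);
    off += n;
    return buf.subarray(off - n, off);
  };
  while (off < buf.length) {
    const start = off;
    const aid = take(take(1)[0]).toString('hex').toUpperCase();
    const lifeCycle = take(1)[0];
    const privileges = take(1)[0];
    const modules = [];
    for (let n = take(1)[0]; n > 0; n--) {
      modules.push(take(take(1)[0]).toString('hex').toUpperCase());
    }
    entries.push({ aid, lifeCycle, privileges, modules, size: off - start });
  }
  return entries;
}

// Size in bytes of one package entry in that layout.
function entrySize(packageAidLen, moduleAidLen, moduleCount) {
  return 1 + packageAidLen + 3 + moduleCount * (1 + moduleAidLen);
}

// Largest module count whose entry still fits into a single response.
function maxModulesInOneResponse(packageAidLen, moduleAidLen, limit = MAX_RESPONSE_DATA) {
  return Math.floor((limit - entrySize(packageAidLen, moduleAidLen, 0)) / (1 + moduleAidLen));
}

// Compare the parsed short-AID entry with the computed long-AID entry.
function report() {
  const entries = parseLoadFilesAndModules(SHORT_AID_RESPONSE);
  const pkg = entries.find((e) => e.aid === '0102030405');
  return {
    parsedEntries: entries.length,
    modules: pkg.modules.length,
    shortAidEntry: pkg.size,
    longAidEntry: entrySize(5, 11, pkg.modules.length),
    longAidMaxModules: maxModulesInOneResponse(5, 11),
  };
}

console.log(report());
```

With 11-byte applet AIDs the package entry alone needs 273 bytes for 22 applets and 249 bytes for 20, which is consistent with the long-AID trace returning only the first 20-byte entry with SW 6310 and then 6A88 on the follow-up command.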
If you have troubles with specific software, please follow the documentation of the software to get help (this includes posting to the right place and posting with sufficient information, like logs with -d -v for GlobalPlatformPro, and do open a GitHub issue if you think you have found a bug).
If you have questions about JavaCard or GlobalPlatform, please read the specifications before asking questions that are explained in the specs (like different VM limitations).
Related
I'm using HttpClient of .NET Core with:
_clientHandler.ClientCertificates.Add(cert);
_clientHandler.ServerCertificateCustomValidationCallback = VerifyServerCertificate;
_clientHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
_clientHandler.SslProtocols = SslProtocols.Tls13;
HttpClient Client = new HttpClient(_clientHandler);
On the Node side (I have Node version v12.8.0) I set the server options like this:
var options = {
    key: fs.readFileSync('server-key.pem'),
    cert: fs.readFileSync('server-crt.pem'),
    ca: fs.readFileSync(config.ca),
    requestCert: true,
    rejectUnauthorized: true,
    enableTrace: true,
    minVersion: 'TLSv1.3',
    maxVersion: 'TLSv1.3'
};
Here's the TLS trace:
Received Record
Header:
Version = TLS 1.0 (0x301)
Content Type = Handshake (22)
Length = 223
ClientHello, Length=219
client_version=0x303 (TLS 1.2)
Random:
gmt_unix_time=0xEEC5687E
random_bytes (len=28): 24761EF6E5B5B89F5333E9BCF87A28E55A4B598DDB0848049 A66DA26
session_id (len=0):
cipher_suites (len=56)
{0xC0, 0x2C} TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
{0xC0, 0x30} TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
{0x00, 0x9F} TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
{0xCC, 0xA9} TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
{0xCC, 0xA8} TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
{0xCC, 0xAA} TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
{0xC0, 0x2B} TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
{0xC0, 0x2F} TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
{0x00, 0x9E} TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
{0xC0, 0x24} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
{0xC0, 0x28} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
{0x00, 0x6B} TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
{0xC0, 0x23} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
{0xC0, 0x27} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
{0x00, 0x67} TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
{0xC0, 0x0A} TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
{0xC0, 0x14} TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
{0x00, 0x39} TLS_DHE_RSA_WITH_AES_256_CBC_SHA
{0xC0, 0x09} TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
{0xC0, 0x13} TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
{0x00, 0x33} TLS_DHE_RSA_WITH_AES_128_CBC_SHA
{0x00, 0x9D} TLS_RSA_WITH_AES_256_GCM_SHA384
{0x00, 0x9C} TLS_RSA_WITH_AES_128_GCM_SHA256
{0x00, 0x3D} TLS_RSA_WITH_AES_256_CBC_SHA256
{0x00, 0x3C} TLS_RSA_WITH_AES_128_CBC_SHA256
{0x00, 0x35} TLS_RSA_WITH_AES_256_CBC_SHA
{0x00, 0x2F} TLS_RSA_WITH_AES_128_CBC_SHA
{0x00, 0xFF} TLS_EMPTY_RENEGOTIATION_INFO_SCSV
compression_methods (len=1)
No Compression (0x00)
extensions, length = 122
extension_type=server_name(0), length=30
0000 - 00 1c 00 00 19 74 65 73-74 2e 61 72 74 69 73 .....test.artis
000f - 61 6e 6d 65 64 69 63 61-6c 2e 63 6f 2e 69 6c anmedical.co.il
extension_type=ec_point_formats(11), length=4
uncompressed (0)
ansiX962_compressed_prime (1)
ansiX962_compressed_char2 (2)
extension_type=supported_groups(10), length=10
ecdh_x25519 (29)
secp256r1 (P-256) (23)
secp521r1 (P-521) (25)
secp384r1 (P-384) (24)
extension_type=signature_algorithms(13), length=32
rsa_pkcs1_sha512 (0x0601)
dsa_sha512 (0x0602)
ecdsa_secp521r1_sha512 (0x0603)
rsa_pkcs1_sha384 (0x0501)
dsa_sha384 (0x0502)
ecdsa_secp384r1_sha384 (0x0503)
rsa_pkcs1_sha256 (0x0401)
dsa_sha256 (0x0402)
ecdsa_secp256r1_sha256 (0x0403)
rsa_pkcs1_sha224 (0x0301)
dsa_sha224 (0x0302)
ecdsa_sha224 (0x0303)
rsa_pkcs1_sha1 (0x0201)
dsa_sha1 (0x0202)
ecdsa_sha1 (0x0203)
extension_type=next_proto_neg(13172), length=0
extension_type=application_layer_protocol_negotiation(16), length=14
h2
http/1.1
extension_type=encrypt_then_mac(22), length=0
extension_type=extended_master_secret(23), length=0
Sent Record
Header:
Version = TLS 1.2 (0x303)
Content Type = Alert (21)
Length = 2
Level=fatal(2), description=protocol version(70)
The error on the C# side is: The client and server cannot communicate, because they do not possess a common algorithm.
Why is Node using TLS 1.2 when I set the minVersion to 1.3?
According to .NET Core 3 documentation (https://learn.microsoft.com/en-us/dotnet/core/whats-new/dotnet-core-3-0), TLS 1.3 is not yet supported in Windows or macOS (only Linux, with OpenSSL v1.1.1 or above).
If the client was using TLS 1.3 then it should say so in the 7th line of the trace. Your NodeJS server is behaving properly. It's the one rejecting the connection because the client is actually trying to connect using TLS 1.2.
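Added example (not part of the original question or answer, and not Node.js or OpenSSL code): it rebuilds a ClientHello with the field values listed in the trace above and applies the version check of a TLS 1.3-capable server, where TLS 1.3 is offered through the supported_versions extension (type 43, RFC 8446) while client_version stays 0x0303. The function names, the filler payload bytes and the second ClientHello carrying supported_versions are constructed for illustration; cipher suite selection is out of scope.

```javascript
// Added example: not code from the original question or answer.
const TLS12 = 0x0303;
const TLS13 = 0x0304;
const EXT_SUPPORTED_VERSIONS = 43; // RFC 8446: how a client offers TLS 1.3
const ALERT_PROTOCOL_VERSION = 70; // "protocol version(70)" in the trace

const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);

// Builds a ClientHello body. The random and the extension payloads are
// constructed filler; only types and lengths matter for this check.
function buildClientHello(legacyVersion, cipherSuites, extensions) {
  const suites = Buffer.concat(cipherSuites.map(u16));
  const exts = Buffer.concat(extensions.map(([type, data]) =>
    Buffer.concat([u16(type), u16(data.length), data])));
  return Buffer.concat([
    u16(legacyVersion), Buffer.alloc(32, 0xab), Buffer.from([0]), // version, random, empty session_id
    u16(suites.length), suites, Buffer.from([1, 0]),              // suites, "No Compression"
    u16(exts.length), exts,
  ]);
}

function parseClientHello(body) {
  let off = 0;
  const bytes = (n) => {
    if (off + n > body.length) throw new RangeError('truncated ClientHello');
    off += n;
    return body.subarray(off - n, off);
  };
  const u8 = () => bytes(1)[0];
  const be16 = () => bytes(2).readUInt16BE(0);

  const legacyVersion = be16();
  bytes(32);                       // random
  bytes(u8());                     // session_id
  const suites = bytes(be16());    // cipher_suites
  bytes(u8());                     // compression_methods
  const extensions = new Map();
  if (off < body.length) {
    const extLen = be16();
    const end = off + extLen;
    if (end !== body.length) throw new RangeError('bad extensions length');
    while (off < end) {
      const type = be16();
      extensions.set(type, bytes(be16()));
    }
  }
  return { legacyVersion, cipherSuiteCount: suites.length / 2, extensions };
}

// Version choice of a server that understands TLS 1.3 and is limited to
// [minVersion, maxVersion]; returns the version or the alert it would send.
function negotiateVersion(hello, minVersion, maxVersion) {
  const ext = hello.extensions.get(EXT_SUPPORTED_VERSIONS);
  let candidates = [];
  if (ext) {
    // supported_versions: 1-byte list length, then 2-byte versions
    for (let i = 1; i + 2 <= 1 + ext[0] && i + 2 <= ext.length; i += 2) {
      candidates.push(ext.readUInt16BE(i));
    }
  } else {
    // pre-1.3 client: client_version is the highest version it supports
    candidates = [Math.min(hello.legacyVersion, maxVersion)];
  }
  candidates = candidates.filter((v) => v >= minVersion && v <= maxVersion);
  return candidates.length
    ? { version: Math.max(...candidates), alert: null }
    : { version: null, alert: ALERT_PROTOCOL_VERSION };
}

// Cipher suite code points and [extension type, payload length] pairs as
// listed in the trace above.
const TRACE_SUITES = [0xc02c, 0xc030, 0x009f, 0xcca9, 0xcca8, 0xccaa, 0xc02b,
  0xc02f, 0x009e, 0xc024, 0xc028, 0x006b, 0xc023, 0xc027, 0x0067, 0xc00a,
  0xc014, 0x0039, 0xc009, 0xc013, 0x0033, 0x009d, 0x009c, 0x003d, 0x003c,
  0x0035, 0x002f, 0x00ff];
const TRACE_EXTENSIONS = [[0, 30], [11, 4], [10, 10], [13, 32], [13172, 0],
  [16, 14], [22, 0], [23, 0]].map(([type, len]) => [type, Buffer.alloc(len)]);

function traceClientHello() {
  return buildClientHello(TLS12, TRACE_SUITES, TRACE_EXTENSIONS);
}

// Constructed variant: same hello plus supported_versions = [TLS 1.3, TLS 1.2].
function tls13ClientHello() {
  const versions = Buffer.from([4, 0x03, 0x04, 0x03, 0x03]);
  return buildClientHello(TLS12, TRACE_SUITES,
    [...TRACE_EXTENSIONS, [EXT_SUPPORTED_VERSIONS, versions]]);
}

console.log(negotiateVersion(parseClientHello(traceClientHello()), TLS13, TLS13));
console.log(negotiateVersion(parseClientHello(tls13ClientHello()), TLS13, TLS13));
```

The extension list in the trace has no type 43, so the only version on offer is the legacy 0x0303, and a server restricted to TLSv1.3 answers with alert 70.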
I have enabled PKCS11 in Fabric CA, but when starting the fabric-ca-server natively it throws the error below. Please note it works fine with the default SW option.
Checkout the fabric-ca v1.3.0
Update BCCSP property as below
bccsp:
  default: PKCS11
  pkcs11:
    library: /usr/local/lib/softhsm/libsofthsm2.so
    pin: daily123
    label: org1label
    hash: SHA2
    security: 256
    filekeystore:
      # The directory used for the software file-based keystore
      keystore: msp/keystore
Run server with command
./fabric-ca-server start -b admin:adminpw -d
Error
2018/10/12 07:27:01 [INFO] Configuration file location: /opt/gopath/bin/fabric-ca-server-config.yaml
2018/10/12 07:27:01 [INFO] Starting server in home directory: /opt/gopath/bin
2018/10/12 07:27:01 [INFO] Server Version: 1.3.0
2018/10/12 07:27:01 [INFO] Server Levels: &{Identity:1 Affiliation:1 Certificate:1 Credential:1 RAInfo:1 Nonce:1}
2018/10/12 07:27:01 [DEBUG] Making server filenames absolute
2018/10/12 07:27:01 [DEBUG] Initializing default CA in directory /opt/gopath/bin
2018/10/12 07:27:01 [DEBUG] Init CA with home /opt/gopath/bin and config {Version:1.3.0 Cfg:{Identities:{AllowRemove:false} Affiliations:{AllowRemove:false}} CA:{Name: Keyfile: Certfile:ca-cert.pem Chainfile:ca-chain.pem} Signing:0xc4204ce7d0 CSR:{CN:fabric-ca-server Names:[{C:US ST:North Carolina L: O:Hyperledger OU:Fabric SerialNumber:}] Hosts:[safenet localhost] KeyRequest:0xc4204b1ac0 CA:0xc4204b1b40 SerialNumber:} Registry:{MaxEnrollments:-1 Identities:[{ Name:**** Pass:**** Type:client Affiliation: MaxEnrollments:0 Attrs:map[hf.Registrar.Roles:* hf.Registrar.DelegateRoles:* hf.Revoker:1 hf.IntermediateCA:1 hf.GenCRL:1 hf.Registrar.Attributes:* hf.AffiliationMgr:1] }]} Affiliations:map[org2:[department1] org1:[department1 department2]] LDAP:{ Enabled:false URL:ldap://****:****#<host>:<port>/<base> UserFilter:(uid=%s) GroupFilter:(memberUid=%s) Attribute:{[uid member] [{ }] map[groups:[{ }]]} TLS:{false [] { }} } DB:{ Type:sqlite3 Datasource:fabric-ca-server.db TLS:{false [] { }} } CSP:0xc4204de060 Client:<nil> Intermediate:{ParentServer:{ URL: CAName: } TLS:{Enabled:false CertFiles:[] Client:{KeyFile: CertFile:}} Enrollment:{ Name: Secret:**** CAName: AttrReqs:[] Profile: Label: CSR:<nil> Type:x509 }} CRL:{Expiry:24h0m0s} Idemix:{IssuerPublicKeyfile: IssuerSecretKeyfile: RevocationPublicKeyfile: RevocationPrivateKeyfile: RHPoolSize:1000 NonceExpiration:15s NonceSweepInterval:15m}}
2018/10/12 07:27:01 [DEBUG] CA Home Directory: /opt/gopath/bin
2018/10/12 07:27:01 [DEBUG] Checking configuration file version '1.3.0' against server version: '1.3.0'
2018/10/12 07:27:01 [DEBUG] Initializing BCCSP: &{ProviderName:PKCS11 SwOpts:<nil> PluginOpts:<nil>}
2018/10/12 07:27:01 [DEBUG] Closing server DBs
Error: Failed to initialize BCCSP Factories: %!s(<nil>)
Could not find defaultPKCS11BCCSP
It works fine with latest fabric-ca images (as of now latest 1.4.0-snapshot-cb7353f).
If you use the fabric-ca 1.3 code base, follow the steps below to make it work:
GO_TAGS=pkcs11 make fabric-ca-server
Update fabric-ca-server-config.yaml with the SoftHSM data like token, label, pin, library (follow here https://hyperledger-fabric-ca.readthedocs.io/en/release-1.3/users-guide.html#configuring-fabric-ca-server-to-use-softhsm2)
Restart the fabric-ca server with fabric-ca-server start -b admin:adminpw
The fabric-ca server is restarted as expected.
I'm currently trying to create a secure connection with socket.io, and I really can't achieve that for now. Trying to check if my certificates are right, I tried to create a basic https server in nodeJS.
var fs = require('fs');
var certDir = "/path/to/the/certificates/cert-test/";
require("https").createServer(
    {
        key : fs.readFileSync(certDir + 'srv.key'),
        cert : fs.readFileSync(certDir + 'crt.pem'),
    },
    function(request, response){
        response.writeHeader(200, {"Content-Type": "text/plain"});
        response.write("Hello World!\n");
        response.end();
    }).listen(8082).on('clientError', function(e){
        console.log(e);
    });
The equivalent with http works fine, but it's impossible to make this one work. I upgraded the node version to v0.12.4, npm to 2.11.0, https is 1.0.0 (and for further enquiries, socket.io is 1.3.5). The server is on AWS, with a bitnami instance, Ubuntu 12.04.5 LTS, kernel version 3.2.0-84-virtual and OpenSSL is 1.0.1i.
I try to reach the server through https://node.foobar.com:8082 (both in my browser and with curl), but I never achieve a proper handshake.
The server detects the following errors :
[Error: 3074971392:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:../deps/openssl/openssl/ssl/s3_srvr.c:1389: ]
[Error: 3074971392:error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback:../deps/openssl/openssl/ssl/ssl_lib.c:1481: ]
I tried to check the ciphers available on the server and the ones available on my computer, and there are many matches. So guys, I'm really out of ideas, and I would appreciate some help...
EDIT
output for openssl x509 -in crt.pem -inform PEM -text -noout :
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
af:b7:19:35:7b:0e:87:38
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2
Validity
Not Before: Jan 6 10:11:41 2015 GMT
Not After : Jan 25 08:15:28 2016 GMT
Subject: OU=Domain Control Validated, CN=node.foobar.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
Full Name:
URI:http://crl.godaddy.com/gdig2s1-87.crl
X509v3 Certificate Policies:
Policy: 2.16.840.1.114413.1.7.23.1
CPS: http://certificates.godaddy.com/repository/
Authority Information Access:
OCSP - URI:http://ocsp.godaddy.com/
CA Issuers - URI:http://certificates.godaddy.com/repository/gdig2.crt
X509v3 Authority Key Identifier:
keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE
X509v3 Subject Alternative Name:
DNS:foobar.com, DNS:www.foobar.com, DNS:www.foo.bar.com
X509v3 Subject Key Identifier:
70:FE:A0:B4:00:2E:14:98:B8:CA:BF:C8:63:A7:23:63:7C:FA:48:82
Signature Algorithm: sha256WithRSAEncryption
output for openssl s_client -connect node.foobar.com:8082 -tls1 -servername node.foobar.com:
CONNECTED(00000003)
3073997000:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40
3073997000:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1433377982
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
I tried openssl s_client -connect node.foobar.com:8082 -tls1_2 -servername node.foobar.com, and here is the answer I got :
CONNECTED(00000003)
3074009288:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1262:SSL alert number 40
3074009288:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1433466977
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
By the way, in order to keep the server up, it runs with the forever package (v0.14.1).
Available ciphers :
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
Output for openssl s_client -connect node.foobar.com:8082 -tls1 -cipher "ECDHE-RSA-AES256-GCM-SHA384" -servername node.foobar.com
CONNECTED(00000003)
3073722568:error:140830B5:SSL routines:SSL3_CLIENT_HELLO:no ciphers available:s3_clnt.c:757:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1433512430
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
By the way, as a subsidiary question, except for the http becoming a https for the request of the socket.io/socket.io.js file I have to get in order to create the connection, is there anything else I will have to change to be able to use this package on my website?
Thank you.
Here's what's going on.
$ openssl s_client -connect node.inkive.com:8082 -tls1 -servername node.inkive.com -cipher 'HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4' -debug
CONNECTED(00000003)
write to 0x7fbb02c23bb0 [0x7fbb0301cc03] (220 bytes => 220 (0xDC))
0000 - 16 03 01 00 d7 01 00 00-d3 03 01 1e 9d af 6b 4b ..............kK
0010 - ea d5 6c 84 44 b0 13 c5-77 ad 3c 98 4a 50 b3 19 ..l.D...w.<.JP..
0020 - 5c 84 d4 5e ae 58 dc 76-61 f0 9f 00 00 42 c0 14 \..^.X.va....B..
0030 - c0 0a 00 39 00 38 00 37-00 36 00 88 00 87 00 86 ...9.8.7.6......
0040 - 00 85 c0 0f c0 05 c0 13-c0 09 00 33 00 32 00 31 ...........3.2.1
0050 - 00 30 00 45 00 44 00 43-00 42 c0 0e c0 04 c0 12 .0.E.D.C.B......
0060 - c0 08 00 16 00 13 00 10-00 0d c0 0d c0 03 00 ff ................
0070 - 02 01 00 00 67 00 00 00-14 00 12 00 00 0f 6e 6f ....g.........no
0080 - 64 65 2e 69 6e 6b 69 76-65 2e 63 6f 6d 00 0b 00 de.inkive.com...
0090 - 04 03 00 01 02 00 0a 00-3a 00 38 00 0e 00 0d 00 ........:.8.....
00a0 - 19 00 1c 00 0b 00 0c 00-1b 00 18 00 09 00 0a 00 ................
00b0 - 1a 00 16 00 17 00 08 00-06 00 07 00 14 00 15 00 ................
00c0 - 04 00 05 00 12 00 13 00-01 00 02 00 03 00 0f 00 ................
00d0 - 10 00 11 00 23 00 00 00-0f 00 01 01 ....#.......
read from 0x7fbb02c23bb0 [0x7fbb03018603] (5 bytes => 5 (0x5))
0000 - 15 03 01 00 02 .....
read from 0x7fbb02c23bb0 [0x7fbb03018608] (2 bytes => 2 (0x2))
0000 - 02 28 .(
140735193977308:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1461:SSL alert number 40
140735193977308:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:645
The read of 15 03 01 00 02 is a TLS Record. It's what carries the TLS payload. The 03 01 is the TLS version. The 00 02 is the length of the payload.
The next two bytes are the payload, which is the alert. 02 is the alert, and 28 is the alert number, which is 40.
Alert 40 is Handshake Failure. According to RFC 5246 it is sent:
7.4.1.3. Server Hello
When this message will be sent:
The server will send this message in response to a ClientHello
message when it was able to find an acceptable set of algorithms.
If it cannot find such a match, it will respond with a handshake
failure alert.
I hate to answer a question with a question, but what protocols and cipher suites are enabled at the server?
Related, the Node.js docs create an HTTPS server like this:
var https = require('https');
var fs = require('fs');
var options = {
    key: fs.readFileSync('/path/to/the/certificates/cert-test/srv.key'),
    cert: fs.readFileSync('/path/to/the/certificates/cert-test/crt.pem'),
};
https.createServer(options, function (req, res) {
    res.writeHead(200);
    res.end("hello world\n");
}).listen(8082);
You should probably try it since it's the official way to create one. The function(request, response){...}).listen(8082) looks odd to me.
From the Edit:
Available ciphers :
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:...
... EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
Use "HIGH:!aNULL:!kRSA:!MD5:!RC4:!PSK:!SRP:!DSS:!DSA". It will get you Integer and Elliptic Curve Diffie-Hellman, and avoid the Obsolete Cryptography Warnings in browsers.
Also, don't enable SRP and PSK unless you are actually using them. Don't enable DSS unless you have a DSS/DSA key. And you need aNULL because anonymous protocols are enabled by default in OpenSSL. And don't enable those export grade cipher suites (EXP). And don't enable MEDIUM or LOW for that matter. All modern user agents have no trouble with HIGH.
Using the string above, here are the ciphers you are enabling:
$ openssl ciphers -v 'HIGH:!aNULL:!kRSA:!MD5:!RC4:!PSK:!SRP:!DSS:!DSA'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(256) Mac=AEAD
DH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DH-RSA-AES256-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA256
DH-DSS-AES256-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DH-RSA-AES256-SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(256) Mac=SHA1
DH-DSS-AES256-SHA SSLv3 Kx=DH/DSS Au=DH Enc=AES(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DH-RSA-CAMELLIA256-SHA SSLv3 Kx=DH/RSA Au=DH Enc=Camellia(256) Mac=SHA1
DH-DSS-CAMELLIA256-SHA SSLv3 Kx=DH/DSS Au=DH Enc=Camellia(256) Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
ECDH-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA384
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
DH-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(128) Mac=AEAD
DH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DH-RSA-AES128-SHA256 TLSv1.2 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA256
DH-DSS-AES128-SHA256 TLSv1.2 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DH-RSA-AES128-SHA SSLv3 Kx=DH/RSA Au=DH Enc=AES(128) Mac=SHA1
DH-DSS-AES128-SHA SSLv3 Kx=DH/DSS Au=DH Enc=AES(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DH-RSA-CAMELLIA128-SHA SSLv3 Kx=DH/RSA Au=DH Enc=Camellia(128) Mac=SHA1
DH-DSS-CAMELLIA128-SHA SSLv3 Kx=DH/DSS Au=DH Enc=Camellia(128) Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDH-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA256
ECDH-RSA-AES128-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDH-ECDSA-AES128-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC3-SHA SSLv3 Kx=DH/RSA Au=DH Enc=3DES(168) Mac=SHA1
DH-DSS-DES-CBC3-SHA SSLv3 Kx=DH/DSS Au=DH Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
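An added example (not part of the original answer): a Node.js parser for `openssl ciphers -v` output that separates ephemeral key exchange (`Kx=DH`, `Kx=ECDH`) from the fixed-key suites (`Kx=DH/RSA`, `Kx=ECDH/ECDSA` and similar) and the 3DES suites that appear in the listing above. The function names are illustrative, and the sample is eight lines copied from that listing.

```javascript
// Constructed sample: eight lines copied from the `openssl ciphers -v` listing above.
const SAMPLE = `
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DH-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH/DSS Au=DH Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
DH-RSA-DES-CBC3-SHA SSLv3 Kx=DH/RSA Au=DH Enc=3DES(168) Mac=SHA1
`;

// Parse one line of the form "<name> <protocol> Kx=.. Au=.. Enc=alg(bits) Mac=..".
// Returns null for blank lines and for anything that does not match that shape.
function parseCipherLine(line) {
  const [name, protocol, ...fields] = line.trim().split(/\s+/);
  const kv = {};
  for (const f of fields) {
    const i = f.indexOf('=');
    if (i > 0) kv[f.slice(0, i)] = f.slice(i + 1);
  }
  const enc = /^(.+)\((\d+)\)$/.exec(kv.Enc || '');
  if (!kv.Kx || !kv.Au || !kv.Mac || !enc) return null;
  return { name, protocol, kx: kv.Kx, au: kv.Au, enc: enc[1], bits: Number(enc[2]), mac: kv.Mac };
}

// Kx=DH / Kx=ECDH are the ephemeral (DHE/ECDHE) exchanges; "DH/RSA", "ECDH/ECDSA"
// etc. take the key from the certificate. OpenSSL 1.1.1+ prints Kx=any for TLS 1.3
// suites, which are always ephemeral.
function classify(s) {
  return {
    name: s.name,
    ephemeral: ['DH', 'ECDH', 'any'].includes(s.kx),
    anonymous: s.au === 'None',
    aead: s.mac === 'AEAD',
    tripleDes: s.enc === '3DES',
  };
}

// Summarise a whole listing: what to review, and what is ephemeral + AEAD.
function auditCipherList(text) {
  const rows = text.split('\n').map(parseCipherLine).filter(Boolean).map(classify);
  return {
    total: rows.length,
    staticKx: rows.filter(r => !r.ephemeral).map(r => r.name),
    tripleDes: rows.filter(r => r.tripleDes).map(r => r.name),
    preferred: rows.filter(r => r.ephemeral && r.aead && !r.anonymous).map(r => r.name),
  };
}

console.log(auditCipherList(SAMPLE));
```

Feed it the output of `openssl ciphers -v` for any candidate string; an empty `staticKx` list means every remaining suite negotiates an ephemeral key.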
Just want to remind you that there is no response.writeHeader() method; it should be response.writeHead().
Ref: https://nodejs.org/api/http.html#http_response_writehead_statuscode_statusmessage_headers
If the client isn't affected, you might want to do
const tls = require('tls')
tls.DEFAULT_ECDH_CURVE = 'auto'
somewhere, for example in server.js (your file).
This will only affect the server module and not go to the client at all.
Regarding security, as far as I understood the 8.x.x release accidentally shipped a strict setting for curves (but not the most secure one), and they can't change the default until 10.x.x because of LTS/semver reasons.
In 10.x.x it is 'auto' so I doubt that's a very insecure option.
I am using a Sierra Aircard modem.
While configuring the dial port/PPP port, I am opening this port (/dev/ttyUSB3) like this:
struct termios tio;
memset(&tio, 0, sizeof(tio));
if ((fdDataPort = open(portName, O_RDWR | O_NOCTTY | O_SYNC | O_NONBLOCK)) != -1)
{
    cfmakeraw(&tio);                    // raw mode: no line editing, echo or signal characters
    printf("After OpenDataPort call");
    tio.c_iflag = 0; // IGNCR;
    tio.c_cflag |= CLOCAL | CREAD;      // ignore modem control lines, enable the receiver
    tcflush(fdDataPort, TCIOFLUSH);
    tcsetattr(fdDataPort, TCSANOW, &tio);
    tcflush(fdDataPort, TCIOFLUSH);
    tcflush(fdDataPort, TCIOFLUSH);
    cfsetispeed(&tio, B115200);         // set the speed, then apply the settings again
    cfsetospeed(&tio, B115200);
    tcsetattr(fdDataPort, TCSANOW, &tio);
    printf("After tcsetattr call");
    return true;
}
else
{
    return false;
}
This configuration is working perfectly fine till now for connection establishment, reconnecting, etc.
But I have one problem with this method: if I remove the dongle while this operation is in progress (only a few milliseconds), I am not able to detect the dongle removal in my physical-device-manager (this process does device management, modeswitch, etc.) because the message is not received from the kernel layer. Also, if I remove the dongle, /dev/ttyUSB3 still persists (0, 1 and 2 are released). Kindly let me know if this is the right way to open the port or whether any other method is available. Appreciate your help.
EDIT
Below is the ERROR log from dmesg
49.463282] 5864 slab pages
[ 49.463286] 943924 pages shared
[ 49.463291] 0 pages swap cached
[ 49.465229] FAT-fs (sda1): utf8 is not a recommended IO charset for FAT filesystems, filesystem will be case sensitive!
[ 49.511839] FAT-fs (sda1): Volume was not properly unmounted. Some data may be corrupt. Please run fsck.
[ 51.120554] usb 1-1: USB disconnect, device number 4
[ 51.153175] sierra ttyUSB0: Sierra USB modem converter now disconnected from ttyUSB0
[ 51.153546] sierra 1-1:1.0: device disconnected
[ 51.185779] sierra ttyUSB1: Sierra USB modem converter now disconnected from ttyUSB1
[ 51.186091] sierra 1-1:1.1: device disconnected
[ 51.233531] sierra ttyUSB2: Sierra USB modem converter now disconnected from ttyUSB2
[ 51.233888] sierra 1-1:1.3: device disconnected
[ 51.242018] sierra ttyUSB3: sierra_submit_rx_urbs: submit urb failed: -19
[ 51.242032] sierra ttyUSB3: sierra_submit_rx_urbs: submit urb failed: -19
[ 51.242040] sierra ttyUSB3: sierra_submit_rx_urbs: submit urb failed: -19
[ 51.242047] sierra ttyUSB3: sierra_submit_rx_urbs: submit urb failed: -19
[ 51.242054] sierra ttyUSB3: sierra_submit_rx_urbs: submit urb failed: -19
[ 51.242060] sierra ttyUSB3: sierra_submit_rx_urbs: submit urb failed: -19
[ 51.242066] sierra ttyUSB3: sierra_submit_rx_urbs: submit urb failed: -19
[ 51.242073] sierra ttyUSB3: sierra_submit_rx_urbs: submit urb failed: -19
[ 51.617553] sd 1:0:0:0: [sda] Unhandled error code
[ 51.617569] sd 1:0:0:0: [sda]
[ 51.617575] Result: hostbyte=0x07 driverbyte=0x00
[ 51.617582] sd 1:0:0:0: [sda] CDB:
[ 51.617587] cdb[0]=0x28: 28 00 00 00 0d 27 00 00 01 00
[ 51.617619] end_request: I/O error, dev sda, sector 3367
[ 51.617674] sd 1:0:0:0: [sda] Unhandled error code
[ 51.617682] sd 1:0:0:0: [sda]
[ 51.617687] Result: hostbyte=0x07 driverbyte=0x00
[ 51.617693] sd 1:0:0:0: [sda] CDB:
[ 51.617698] cdb[0]=0x28: 28 00 00 00 0d 28 00 00 01 00
I am stuck, please help.
I am trying to send and receive SMS via kannel. I have set everything, no errors but still it cannot send or receive any sms.
I am using Huawei E160 modem and Ubuntu 11 as my OS.
Here is the log file:
2012-02-25 14:25:34 [9913] [0] INFO: HTTP: Opening server at port 13000.
2012-02-25 14:25:34 [9913] [0] INFO: BOXC: 'smsbox-max-pending' not set, using default (100).
2012-02-25 14:25:34 [9913] [0] INFO: Set SMS resend frequency to 60 seconds.
2012-02-25 14:25:34 [9913] [0] INFO: SMS resend retry set to unlimited.
2012-02-25 14:25:34 [9913] [0] INFO: DLR rerouting for smsc id <(null)> disabled.
2012-02-25 14:25:34 [9913] [0] INFO: AT2[/dev/ttyUSB0]: configuration shows modemtype <huawei>
2012-02-25 14:25:34 [9913] [0] INFO: AT2[/dev/ttyUSB0]: read modem definition for <huawei-e160>
2012-02-25 14:25:34 [9913] [6] INFO: AT2[/dev/ttyUSB0]: opening device
2012-02-25 14:25:34 [9913] [0] INFO: Adding interface *
2012-02-25 14:25:34 [9913] [0] INFO: ----------------------------------------
2012-02-25 14:25:34 [9913] [0] INFO: Kannel bearerbox II version 1.4.3 starting
2012-02-25 14:25:34 [9913] [0] INFO: MAIN: Start-up done, entering mainloop
2012-02-25 14:25:34 [9913] [6] INFO: AT2[/dev/ttyUSB0]: Logging in
2012-02-25 14:25:34 [9913] [6] INFO: AT2[/dev/ttyUSB0]: init device
2012-02-25 14:25:34 [9913] [6] INFO: AT2[/dev/ttyUSB0]: speed set to 115200
2012-02-25 14:25:35 [9913] [6] INFO: AT2[/dev/ttyUSB0]: AT SMSC successfully opened.
2012-02-25 14:26:28 [9913] [13] INFO: Client connected from <127.0.0.1>
My kannel.conf file
group = core
admin-port = 13000
admin-password = 123
status-password = 123
smsbox-port = 13003
wapbox-port = 13004
log-file = "/home/eclipse/kannel_core.log"
log-level = 1
wdp-interface-name = "*"

#group = smsc
#smsc = fake
#port = 1000

group = smsbox
bearerbox-host = 127.0.0.1
sendsms-port = 13013
log-file = "/home/eclipse/kannel_smsbox.log"
log-level = 1

group = smsc
smsc = at
modemtype = huawei
device = /dev/ttyUSB0
speed=115200
log-level = 0
pin = 1442

group = modems
id = huawei
name = "huawei-e160"
detect-string = "huawei"
init-string = "ATQ0 V1 E1 S0=0 &C1 &D2 +FCLASS=0"
speed = 115200

group = wapbox
bearerbox-host = 127.0.0.1
log-file = "/home/eclipse/kannel_wapbox.log"

group = sendsms-user
username = 123
password = 123
user-allow-ip = "127.0.0.1"

group = sms-service
keyword = default
get-url = "http://localhost/kannel/receivesms.php?sender=%p&text=%b"
accept-x-kannel-headers = true
max-messages = 3
concatenation = true
catch-all = true
My receivesms.php file is coded as
<?php
define("DBHOST","localhost",true);
define("DBUSERNAME","root",true);
define("DBPASSWORD","xxxxxx",true);
define("DBNAME","kannel_sms",true);

function insertSms($sender,$text)
{
    $con = 'mysql:dbname='.DBNAME.';host='.DBHOST;
    try {
        $cmd = new PDO($con,DBUSERNAME,DBPASSWORD);
        $stmt = $cmd->prepare("INSERT INTO kannel_tuto (number,message) VALUES (:sender,:message)");
        $stmt->bindParam(':sender',$sender);
        $stmt->bindParam(':message',$text);
        $stmt->execute();
        $cmd = null;
        if($stmt->rowCount()>0)
        {
            echo "Hello ".$text.". Thank you for your registration.";
        }
        else
        {
            echo "Sorry an error has occured";
        }
    }
    catch (PDOException $e) {
        echo 'Connection failed: ' . $e->getMessage();
    }
}

insertSms($_GET['sender'],$_GET['text']);
?>
As I indicated above, my script and configurations are correct. I just figured out that the E160 modem is not good for sms and kannel. There is loss of signals, I don't know why though. I used E173 and E220 huawei modems and they work well.