Changed RSA certs for ECC and modified NGINX config, will this revert?
I installed our first Tinypilot today and added our custom SSL certs. When trying to connect to NGINX we realized there was a public-key signature algorithm mismatch so the client/server couldn't agree on a cipher and the SSL handshake failed. It was pretty easy to work around (solution below).
Since we have to add the line tinypilot_manage_tls_keys: no to /home/tinypilot/settings.yml so the certs don't get overwritten, is there also a setting to make sure the cipher I added to /etc/nginx/sites-enabled/tinypilot.conf doesn't get overwritten by an update?
Solution for ECC Certs
Using openssl to show the handshake failure.
openssl s_client -connect 100.92.89.45:443 -servername tinypilot1.kvm.lab
CONNECTED(00000003)
80BB531B1C7F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1584:SSL alert number 40
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 320 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
The difference is just the builtin tinypilot certificate uses RSA and we're using ECC.
openssl x509 -in /etc/ssl/certs/tinypilot-nginx.crt -noout -text | grep Algo | head -1
Signature Algorithm: ecdsa-with-SHA256
openssl x509 -in /etc/ssl/certs/ORIGINAL-tinypilot-nginx.crt -noout -text | grep Algo | head -1
Signature Algorithm: sha256WithRSAEncryption
We just added the ECDHE-ECDSA-AES256-GCM-SHA384 to the ssl_ciphers in /etc/nginx/sites-enabled/tinypilot.conf.
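An added example, not code from the post or from TinyPilot, that automates the check Matthew did by hand above: read the key type from the certificate, pull the ssl_ciphers list out of tinypilot.conf, and report whether that list contains a suite that can authenticate with that key. The file paths are the ones named in the post; the function and variable names and the script filename are my own; it assumes ssl_ciphers is written as plain suite names, and openssl is needed only for the live check.

```shell
#!/bin/sh
# Added example for this thread (not TinyPilot's code and not the poster's).
# It checks whether the cipher suites NGINX offers can be used with the key
# type of the certificate it serves, which is the mismatch behind the
# "sslv3 alert handshake failure" (alert 40) seen above. Default paths are the
# ones from the post; only check_nginx_cert_compat needs openssl installed.

# Read `openssl x509 -noout -text` output on stdin; print RSA, ECDSA or UNKNOWN.
key_family_from_x509_text() {
    text=$(cat)
    # "Public Key Algorithm" is the subject's own key, i.e. the key the
    # server authenticates the handshake with.
    pk=$(printf '%s\n' "$text" |
        sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1)
    case "$pk" in
        id-ecPublicKey) echo ECDSA; return 0 ;;
        rsaEncryption)  echo RSA;   return 0 ;;
    esac
    # Fallback: the "Signature Algorithm" line the post greps for. It names the
    # issuer's key, so it only matches the subject's key on self-signed certs.
    sig=$(printf '%s\n' "$text" |
        sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
    case "$sig" in
        ecdsa-*) echo ECDSA ;;
        *RSA*)   echo RSA ;;
        *)       echo UNKNOWN ;;
    esac
}

# Read an nginx site config on stdin and print the value of its first
# ssl_ciphers directive with quotes and spaces stripped.
ssl_ciphers_from_conf() {
    sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\([^;]*\);.*/\1/p' |
        head -n 1 | tr -d "\"' "
}

# $1: ssl_ciphers value (':'-separated suite names), $2: RSA or ECDSA.
# Returns 0 if at least one listed suite authenticates with that key family.
# TLS 1.3 suites are key-type agnostic and are not configured here, so this
# covers the TLS 1.2 list only. Lists built from OpenSSL keywords (HIGH,
# ECDHE+AESGCM, !aNULL, ...) must be expanded first with
# `openssl ciphers -v "$list"` and inspected for Au=ECDSA / Au=RSA instead.
ciphers_support_family() {
    list=$1 family=$2 found=1
    old_ifs=$IFS
    IFS=:
    for suite in $list; do
        case "$family:$suite" in
            ECDSA:ECDHE-ECDSA-*|ECDSA:ECDH-ECDSA-*) found=0 ;;
            RSA:ECDHE-RSA-*|RSA:DHE-RSA-*|RSA:AES*|RSA:RSA-*) found=0 ;;
        esac
    done
    IFS=$old_ifs
    return $found
}

# Live check: $1 certificate path, $2 nginx site config (defaults from the post).
check_nginx_cert_compat() {
    cert=${1:-/etc/ssl/certs/tinypilot-nginx.crt}
    conf=${2:-/etc/nginx/sites-enabled/tinypilot.conf}
    family=$(openssl x509 -in "$cert" -noout -text | key_family_from_x509_text)
    ciphers=$(ssl_ciphers_from_conf < "$conf")
    if ciphers_support_family "$ciphers" "$family"; then
        echo "OK: $cert is $family and ssl_ciphers offers a matching suite"
    else
        echo "MISMATCH: $cert is $family but ssl_ciphers has no $family suite:"
        echo "  $ciphers"
        echo "  clients will see 'alert handshake failure' (alert 40)"
        return 1
    fi
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--check" ]; then
    shift
    check_nginx_cert_compat "$@"
fi
```

Copy it to the TinyPilot and run `sh check_tls_compat.sh --check` (filename assumed). A MISMATCH line tells you the alert 40 is a cipher/key-type mismatch rather than a trust or hostname problem, and re-running it after an update confirms whether the overwritten tinypilot.conf still carries an ECDSA suite.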
- Charles Hague @cghague 2023-01-27 12:37:31.543Z
Hi Matthew, thanks for reaching out with your question about SSL.
The file /etc/nginx/sites-enabled/tinypilot.conf does get overwritten during TinyPilot updates. However, we've just updated our configuration so that that cipher suite will be automatically added in the next release. In other words, the update will overwrite your changes but the end result should be that the configuration is still what you require. I hope this is helpful, please let me know if you have any questions.
- Mathew @s5labs
That's awesome! Thank you.