
Changed RSA certs for ECC and modified NGINX config, will this revert?

By Mathew @s5labs
    2023-01-26 22:19:24.097Z

    I installed our first Tinypilot today and added our custom SSL certs. When trying to connect to NGINX we realized there was a public-key signature algorithm mismatch so the client/server couldn't agree on a cipher and the SSL handshake failed. It was pretty easy to work around (solution below).

    Since we have to add tinypilot_manage_tls_keys: no to /home/tinypilot/settings.yml so the certs don't get overwritten, is there also a setting to make sure the cipher I added to /etc/nginx/sites-enabled/tinypilot.conf doesn't get overwritten by an update?

    Solution for ECC Certs

    Using openssl to show the handshake failure.

    openssl s_client -connect 100.92.89.45:443 -servername tinypilot1.kvm.lab
    CONNECTED(00000003)
    80BB531B1C7F0000:error:0A000410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1584:SSL alert number 40
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 7 bytes and written 320 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---

    The difference is just that the built-in TinyPilot certificate uses RSA and we're using ECC.

    openssl x509 -in /etc/ssl/certs/tinypilot-nginx.crt -noout -text | grep Algo | head -1
            Signature Algorithm: ecdsa-with-SHA256
    openssl x509 -in /etc/ssl/certs/ORIGINAL-tinypilot-nginx.crt -noout -text | grep Algo | head -1
            Signature Algorithm: sha256WithRSAEncryption

    We just added the ECDHE-ECDSA-AES256-GCM-SHA384 to the ssl_ciphers in /etc/nginx/sites-enabled/tinypilot.conf.
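    As an added example (not from the post or from TinyPilot), the following Python check derives the server key type from openssl x509 -text output and lists which entries of an nginx ssl_ciphers value can actually authenticate with it, reproducing the "no usable suite" condition behind the alert 40 above. The certificate snippets and cipher lists are constructed stand-ins, since the stock ssl_ciphers list is not shown in the post.

```python
import re
from typing import List, Optional

# Constructed sample lines from `openssl x509 -noout -text` (not the poster's real certs).
ECC_CERT_TEXT = """    Signature Algorithm: ecdsa-with-SHA256
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)"""
RSA_CERT_TEXT = """    Signature Algorithm: sha256WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)"""
# Constructed ssl_ciphers values: an RSA-only list standing in for the stock config,
# and the same list with the ECDSA suite from the post appended.
RSA_ONLY_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384"
FIXED_CIPHERS = RSA_ONLY_CIPHERS + ":ECDHE-ECDSA-AES256-GCM-SHA384"
# Entries that involve no server certificate or are OpenSSL group keywords, not suites.
NO_CERT_TOKENS = {"PSK", "SRP", "aNULL", "ADH", "AECDH", "HIGH", "MEDIUM", "LOW"}

def cert_key_type(x509_text: str) -> str:
    """Key type the server authenticates with. 'Public Key Algorithm' is the cert's own
    key; 'Signature Algorithm' (what `grep Algo | head -1` prints) is the issuer's key."""
    m = re.search(r"Public Key Algorithm:\s*(\S+)", x509_text)
    if not m:
        raise ValueError("no 'Public Key Algorithm' line in certificate text")
    alg = m.group(1)
    if alg == "rsaEncryption":
        return "RSA"
    if alg in ("id-ecPublicKey", "ED25519", "ED448"):
        return "ECDSA"  # EdDSA keys also use the *-ECDSA-* TLS 1.2 suites
    raise ValueError(f"unsupported key algorithm {alg}")

def cipher_auth(name: str) -> Optional[str]:
    """Authentication algorithm implied by an OpenSSL TLS 1.2 suite name; None for entries
    needing no certificate, TLS 1.3 names (key-type agnostic, configured separately),
    '!' exclusions and '@' directives."""
    tokens = set(name.split("-"))
    if name.startswith(("TLS_", "!", "@")) or tokens & NO_CERT_TOKENS:
        return None
    if tokens & {"ECDSA", "aECDSA"}:
        return "ECDSA"
    return "RSA"  # explicit RSA auth, or no auth token at all: legacy RSA key transport

def usable_suites(ssl_ciphers: str, key_type: str) -> List[str]:
    """Suites in an nginx ssl_ciphers value that work with key_type; an empty list means
    nginx has nothing to offer and answers every ClientHello with alert 40."""
    return [c for c in ssl_ciphers.split(":") if c and cipher_auth(c) == key_type]

if __name__ == "__main__":
    key = cert_key_type(ECC_CERT_TEXT)
    print(key, "stock:", usable_suites(RSA_ONLY_CIPHERS, key), "fixed:", usable_suites(FIXED_CIPHERS, key))
```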


      Hi Matthew, thanks for reaching out with your question about SSL.

      The file /etc/nginx/sites-enabled/tinypilot.conf does get overwritten during TinyPilot updates. However, we've just updated our configuration so that that cipher suite will be automatically added in the next release. In other words, the update will overwrite your changes but the end result should be that the configuration is still what you require.

      I hope this is helpful, please let me know if you have any questions.

      Mathew @s5labs
          2023-01-27 15:01:05.775Z

          That's awesome! Thank you.