relayd and EC tls - key size 832 is not supported


relayd and EC tls - key size 832 is not supported

Chris Narkiewicz
Hi,

I'm configuring relayd to run grafana vhost (grafana does not
support FastCGI).

My relayd.conf is:

http protocol "www" {
        match request header "Host" value "grafana.mydomain.net" forward to <lo>
        tls keypair grafana.mydomain.net
}

relay "www" {
        listen on wg0 port 443 tls
        protocol www
        forward to <lo> port 3000
}
# end of relayd.conf

TLS certificate has been generated using easyrsa, and it uses EC algo
with secp384r1 curve.

When I start relayd, it complains about unsupported key size:

ca_engine_init: using RSA privsep engine
...
ssl_ctx_fake_private_key: key size 832 not support


When I use RSA certificate generated using Let's Encrypt, it works.
Does it support EC? Am I doing something wrong?


Full relayd output in verbose mode:

grafana# relayd -dvv
startup
pfe: filter init done
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
socket_rlimit: max open files 1024
relay_load_certfiles: using certificate /etc/ssl/grafana.mydomain.net.crt
relay_load_certfiles: using private key /etc/ssl/private/grafana.mydomain.net.key
parent_tls_ticket_rekey: rekeying tickets
relay_privinit: adding relay www
protocol 1: name www
        flags: used, relay flags: tls
        tls flags: tlsv1.2, tlsv1.3, cipher-server-preference
        tls session tickets: disabled
        type: http
                match request header "Host" value "grafana.mydomain.net" forward to <lo>
socket_rlimit: max open files 1024
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
ca_engine_init: using RSA privsep engine
relay_tls_ctx_create: loading certificate
ssl_ctx_fake_private_key: key size 832 not support

Cheers,
Chris


Re: relayd and EC tls - key size 832 is not supported

Stuart Henderson
On 2021-04-06, Chris Narkiewicz <[hidden email]> wrote:
> TLS certificate has been generated using easyrsa, and it uses EC algo
> with secp384r1 curve.
>
> When I start relayd, it complains about unsupported key size:
>
> ca_engine_init: using RSA privsep engine
> ...
> ssl_ctx_fake_private_key: key size 832 not support

Since there is an "RSA privsep engine" and no "ECDSA privsep engine", I guess
this is not supported.

You can do this easily with nginx or I think also haproxy.
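A pre-flight check one can run before pointing relayd at a keypair, added here as an example and not code from this thread or from relayd itself. It parses the DER header of a PEM private key with the standard library only and reports whether the key is RSA or EC (and, for EC, which named curve), so a key like the secp384r1 one above is flagged before `ssl_ctx_fake_private_key` rejects it. The 832 in the error is 104 bytes times 8, and 104 bytes is what OpenSSL and LibreSSL report as the signature size of a P-384 key (the longest DER-encoded ECDSA signature it can produce), which is consistent with relayd sizing an EC key as if it were RSA and refusing it. The sample keys built by `make_sample_pem` are constructed PKCS#8 and SEC1 envelopes around placeholder bytes, not usable keys; `relayd_keypair_ok` encodes only what this thread establishes (an RSA key works, an EC key does not).

```python
import base64
import re

# Dotted OIDs mapped to names (these are the real standard OIDs, not assumptions).
OID_NAMES = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.3.1.7": "prime256v1",
    "1.3.132.0.34": "secp384r1",
    "1.3.132.0.35": "secp521r1",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """Decode the value bytes of a DER OBJECT IDENTIFIER into dotted form."""
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def _name(oid_value):
    dotted = _decode_oid(oid_value)
    return OID_NAMES.get(dotted, dotted)


def _pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def describe_private_key(pem):
    """Return (algorithm, curve) for a PEM private key; curve is None for RSA."""
    label, der = _pem_to_der(pem)
    if label == "RSA PRIVATE KEY":         # PKCS#1: the label alone settles it
        return "rsa", None
    _, body, _ = _read_tlv(der, 0)         # outer SEQUENCE
    _, _, pos = _read_tlv(body, 0)         # version INTEGER
    if label == "EC PRIVATE KEY":          # SEC1: ..., OCTET STRING key, [0] EXPLICIT curve OID
        _, _, pos = _read_tlv(body, pos)
        tag, params, _ = _read_tlv(body, pos)
        curve = _name(_read_tlv(params, 0)[1]) if tag == 0xA0 else None
        return "ec", curve
    if label == "PRIVATE KEY":             # PKCS#8: ..., AlgorithmIdentifier, OCTET STRING key
        _, algid, _ = _read_tlv(body, pos)
        _, alg_oid, pos = _read_tlv(algid, 0)
        alg = _name(alg_oid)
        if alg == "rsaEncryption":
            return "rsa", None
        if alg == "id-ecPublicKey":
            return "ec", _name(_read_tlv(algid, pos)[1])
        return alg, None
    raise ValueError(f"unsupported PEM label: {label}")


def relayd_keypair_ok(pem):
    """True only for RSA keys, the one key type this thread shows relayd accepting."""
    return describe_private_key(pem)[0] == "rsa"


def _tlv(tag, content):
    return bytes([tag, len(content)]) + content       # short-form length is enough here


def _oid_der(dotted):
    nums = [int(x) for x in dotted.split(".")]
    body = bytes([40 * nums[0] + nums[1]])
    for n in nums[2:]:
        chunk = [n & 0x7F]
        n >>= 7
        while n:
            chunk.insert(0, (n & 0x7F) | 0x80)
            n >>= 7
        body += bytes(chunk)
    return _tlv(0x06, body)


def make_sample_pem(kind, curve_oid="1.3.132.0.34"):
    """Constructed sample key envelopes with placeholder key bytes (not real keys)."""
    if kind == "pkcs8-ec":
        algid = _tlv(0x30, _oid_der("1.2.840.10045.2.1") + _oid_der(curve_oid))
        der, label = _tlv(0x30, _tlv(0x02, b"\x00") + algid + _tlv(0x04, b"\x00" * 4)), "PRIVATE KEY"
    elif kind == "pkcs8-rsa":
        algid = _tlv(0x30, _oid_der("1.2.840.113549.1.1.1") + b"\x05\x00")
        der, label = _tlv(0x30, _tlv(0x02, b"\x00") + algid + _tlv(0x04, b"\x00" * 4)), "PRIVATE KEY"
    else:  # "sec1"
        params = _tlv(0xA0, _oid_der(curve_oid))
        der, label = _tlv(0x30, _tlv(0x02, b"\x01") + _tlv(0x04, b"\x00" * 4) + params), "EC PRIVATE KEY"
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


if __name__ == "__main__":
    for kind in ("pkcs8-ec", "pkcs8-rsa", "sec1"):
        pem = make_sample_pem(kind)
        print(kind, describe_private_key(pem), "relayd ok:", relayd_keypair_ok(pem))
```

Run it against a real file with `describe_private_key(open("/etc/ssl/private/grafana.mydomain.net.key").read())`; a result of `("ec", "secp384r1")` is exactly the case that produced the `key size 832` message above, and the check fires at deploy time instead of at `relayd` startup.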