CSCvn57284 - Unsupported EC curve x25519 on FTD

bcoverstone
Level 1

It appears this bug still happens on both 7.0.0.1 and 7.0.1 for some websites.

Here is an example: https://www.northerncareers.ca


2 Replies

bcoverstone
Level 1

It appears this site may be TLS 1.3 only. Is there a way to disable resign for TLS 1.3 sites until FTD supports this?

<edit>

After watching the back and forth, the server does downgrade to TLS 1.2 without an issue, but then the client sends an "Alert Fatal Decrypt Error".

After sifting through a lot of ssl logs, I finally stumbled across this.

Looks like there is a bug and it cannot generate the resigning certificate.


21/11/05 02:37:27.802 [23709:3971]xtls_base_processor.h:update_handshake_digest:192: [DEBUG]: 192.168.10.120 56389 -- 169.53.177.117 443 [SERVER_CERTIFICATE_PROCESSOR] S:s->c update handshake digest[original] length[4244]
21/11/05 02:37:27.802 [23709:3971]xtls_crypto.cc:update_handshake_digest:33: [TRACE]: 192.168.10.120 56389 -- 169.53.177.117 443 S:s->c Updating handshake digest with 4244 bytes
21/11/05 02:37:27.802 [23709:3971]xtls_certificate_processor.cc:process_decrypt_resign:263: [ERROR]: 192.168.10.120 56389 -- 169.53.177.117 443 failed to create resigned certificate
21/11/05 02:37:27.802 [23709:3971]xtls_certificate_processor.cc:process:86: [ERROR]: 192.168.10.120 56389 -- 169.53.177.117 443 failed to process certificate
21/11/05 02:37:27.802 [23709:3971]xtls_flow.cc:process_common_errors:432: [ERROR]: 192.168.10.120 56389 -- 169.53.177.117 443 F:s->c processing error [handshake_error] code [module [PKI_STORE] code [ENOENT] subcode [5]] verdict[DoNotDecrypt]
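Added example (not part of the thread or of any Cisco tooling): a small parser for the xtls debug log format quoted above that groups lines per client/server flow and reports the flows where FTD failed to create the resigning certificate, together with the PKI_STORE error code and the resulting verdict. The line layout (timestamp, [pid:tid], file:function:line, level, client ip/port -- server ip/port, message) is inferred from the quoted lines; the third sample line is constructed.

```python
import re
from collections import defaultdict

# Sample input: the two error lines quoted in the thread plus one constructed,
# unrelated TRACE line for a different flow (so the filter has something to skip).
SAMPLE_LOG = """\
21/11/05 02:37:27.802 [23709:3971]xtls_certificate_processor.cc:process_decrypt_resign:263: [ERROR]: 192.168.10.120 56389 -- 169.53.177.117 443 failed to create resigned certificate
21/11/05 02:37:27.802 [23709:3971]xtls_flow.cc:process_common_errors:432: [ERROR]: 192.168.10.120 56389 -- 169.53.177.117 443 F:s->c processing error [handshake_error] code [module [PKI_STORE] code [ENOENT] subcode [5]] verdict[DoNotDecrypt]
21/11/05 02:38:01.100 [23709:3971]xtls_crypto.cc:update_handshake_digest:33: [TRACE]: 192.168.10.121 50001 -- 203.0.113.10 443 S:s->c Updating handshake digest with 1200 bytes
"""

# Layout assumed from the quoted lines: "<date> <time> [pid:tid]<file>:<func>:<line>: [LEVEL]: <cip> <cport> -- <sip> <sport> <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<pid>\d+):(?P<tid>\d+)\]"
    r"(?P<src>[^:]+):(?P<func>[^:]+):(?P<lineno>\d+): \[(?P<level>[A-Z]+)\]: "
    r"(?P<cip>\S+) (?P<cport>\d+) -- (?P<sip>\S+) (?P<sport>\d+) (?P<msg>.*)$"
)
# Pulls module/code/subcode/verdict out of a process_common_errors message.
ERR_RE = re.compile(
    r"module \[(?P<module>\w+)\] code \[(?P<code>\w+)\] subcode \[(?P<subcode>\d+)\]"
    r".*verdict\[(?P<verdict>\w+)\]"
)


def parse_line(line):
    """Return the named fields of one xtls log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_resign_failures(log_text):
    """Group lines by flow and keep only flows where resigning the certificate failed."""
    flows = defaultdict(dict)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec:
            continue
        key = (rec["cip"], rec["cport"], rec["sip"], rec["sport"])
        if "failed to create resigned certificate" in rec["msg"]:
            flows[key]["resign_failed"] = True
        err = ERR_RE.search(rec["msg"])
        if err:
            flows[key].update(err.groupdict())
    return {k: v for k, v in flows.items() if v.get("resign_failed")}


if __name__ == "__main__":
    for flow, info in find_resign_failures(SAMPLE_LOG).items():
        print(flow, info)
```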