Questions about using Elliptic Curve ciphers in OpenSSL

Jason Schultz jetson23 at
Tue Feb 11 17:49:13 UTC 2020


Thanks for your reply. At this point I'm 99% sure I have ECDH with RSA working. My question in the previous post was just to confirm. But I have my RSA cert and key pair, and a client can successfully connect to my server using ECDHE_RSA* ciphers.

My questions are more related to ECDSA. For example, you said "just load your ECDSA cert", which is easy enough. My question is, is that all I need? For example, with DSA (which we don't really use anymore), I also needed a DH parameters file, which I read in with PEM_read_DHparams(). Do I need to do something similar with "EC params" or "ECDSA params"? I've seen references to both, and I'm not sure if and when I need them.

As I pointed out, it looks like there are "EC PARAMETERS" in my private key file. Are these needed? If so, how and when do I use them? Or do I need them in a separate file?

From: Salz, Rich <rsalz at>
Sent: Tuesday, February 11, 2020 4:37 PM
To: Jason Schultz <jetson23 at>; openssl-users at <openssl-users at>
Subject: Re: Questions about using Elliptic Curve ciphers in OpenSSL

The first thing I would suggest is to separate ECDH, the session key exchange, from ECDSA, the signature.  Try to make ECDH with RSA work.  Then just load your ECDSA cert; you can load one cert of each type (RSA DSA) and the runtime will figure out what to do, depending on what the client offers.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list