Questions about using Elliptic Curve ciphers in OpenSSL

Jason Schultz jetson23 at hotmail.com
Tue Feb 11 17:49:13 UTC 2020


Rich-

Thanks for your reply. At this point I'm 99% sure I have ECDH with RSA working. My question in the previous post was just to confirm. But I have my RSA cert and key pair, and a client can successfully connect to my server using ECDHE_RSA* ciphers.

My questions are more related to ECDSA. For example, you said "just load your ECDSA cert", which is easy enough. My question is, is that all I need? For example, with DSA (which we don't really use anymore), I also needed a DH parameters file, which I read in with PEM_read_DHparams(). Do I need to do something similar with "EC params" or "ECDSA params"? I've seen references to both, and I'm not sure if and when I need them.

As I pointed out, it looks like there are "EC PARAMETERS" in my private key file. Are these needed? If so, how and when do I use them? Or do I need them in a separate file?



________________________________
From: Salz, Rich <rsalz at akamai.com>
Sent: Tuesday, February 11, 2020 4:37 PM
To: Jason Schultz <jetson23 at hotmail.com>; openssl-users at openssl.org <openssl-users at openssl.org>
Subject: Re: Questions about using Elliptic Curve ciphers in OpenSSL


The first thing I would suggest is to separate ECDH, the session key exchange, from ECDSA, the signature.  Try to make ECDH with RSA work.  Then just load your ECDSA cert; you can load one cert of each type (RSA DSA) and the runtime will figure out what to do, depending on what the client offers.
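The following script is an added example, not part of this thread or of OpenSSL's own documentation, that answers the "EC PARAMETERS" question empirically. When a key is generated on a named curve, the ECPrivateKey structure inside the "EC PRIVATE KEY" block already carries the curve OID, so the separate "EC PARAMETERS" block that `openssl ecparam -genkey` writes in front of it is redundant: the key loads, and reports its curve, with that block stripped, and a certificate issued from the key plus the key itself are all that SSL_CTX_use_certificate_file and SSL_CTX_use_PrivateKey_file need for ECDHE-ECDSA suites. It assumes the `openssl` command-line tool is on PATH; the file names, the curve and the certificate subject are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): shows that the "EC PARAMETERS" block
# openssl ecparam -genkey writes is redundant for a named-curve key, because
# the EC PRIVATE KEY structure itself carries the curve OID, and that an
# ECDSA server needs only its certificate and private key. Needs openssl CLI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Count the "EC PARAMETERS" PEM blocks in a file (0 is a valid answer).
count_param_blocks() {
    grep -c -- '-----BEGIN EC PARAMETERS-----' "$1" || true
}

# Print the curve name OpenSSL decodes from the private key block alone.
key_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ *ASN1 OID: *//p'
}

# Does the certificate's public key match the private key? Prints yes/no.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl ec -in "$2" -pubout 2>/dev/null)
    if [ "$cert_pub" = "$key_pub" ]; then echo yes; else echo no; fi
}

# 1. The usual key-generation command writes BOTH blocks (constructed file).
openssl ecparam -name prime256v1 -genkey -out "$WORK/with_params.pem" 2>/dev/null

# 2. Strip the EC PARAMETERS block so only the key block remains.
sed '/-----BEGIN EC PARAMETERS-----/,/-----END EC PARAMETERS-----/d' \
    "$WORK/with_params.pem" > "$WORK/key_only.pem"

# 3. A self-signed ECDSA certificate from the params-free key. This cert plus
#    this key is everything the server-side SSL_CTX needs for ECDHE-ECDSA.
openssl req -x509 -new -key "$WORK/key_only.pem" -subj "/CN=ecdsa-example" \
    -days 1 -out "$WORK/ecdsa.crt" 2>/dev/null

echo "EC PARAMETERS blocks, as generated: $(count_param_blocks "$WORK/with_params.pem")"
echo "EC PARAMETERS blocks, stripped:     $(count_param_blocks "$WORK/key_only.pem")"
echo "curve read from stripped key:       $(key_curve "$WORK/key_only.pem")"
echo "certificate matches key:            $(cert_matches_key "$WORK/ecdsa.crt" "$WORK/key_only.pem")"
```

The last two lines are the check worth keeping around: `key_curve` proves the curve survives without the parameters block, and `cert_matches_key` compares the SubjectPublicKeyInfo from the certificate with the one derived from the key, which is the usual way to confirm a cert/key pair before pointing a server at it. The ephemeral ECDHE curve is chosen by the TLS runtime from the client's supported groups, not from anything in the key file, so no DH-style parameters file is involved there either.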

