Posted to users@httpd.apache.org by Takurou Saitou <sa...@cij.co.jp> on 2007/04/06 09:59:04 UTC
[users@httpd] ECDSA Certificate use in mod_ssl
Hi,
The ECDSA CipherSuites are already enabled in OpenSSL,
but is there a plan to support them in mod_ssl in the future?
The following error occurred when I tried to use an ECDSA certificate
in mod_ssl of Apache 2.2.4 as an experiment.
(Error Log)
-----------------------------------------------------------------------------------
[Wed Mar 28 11:11:15 2007] [error] Oops, no RSA or DSA server certificate found for '127.0.0.1:443'?!
-----------------------------------------------------------------------------------
Therefore I am unable to use HTTPS communication with the ECDSA CipherSuite.
Thanks.
Takurou Saitou
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] ECDSA Certificate use in mod_ssl
Posted by Takurou Saitou <sa...@cij.co.jp>.
> -----Original Message-----
> From: Sander Temme [mailto:sctemme@apache.org]
>
> On Apr 8, 2007, at 7:47 PM, Takurou Saitou wrote:
>
> > $ ./openssl ciphers -v ECDHE-ECDSA-AES256-SHA
> > ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256)
> > Mac=SHA1
> > ----------------------------------------------------------------------
> >
> > The version of OpenSSL in use is 0.9.8e.
>
> See, that's strange. Without a thorough look at the actual code, I
> don't know which call we make to get the list of CipherSuites from
> OpenSSL. However, I wouldn't be surprised if we (Apache) would not
> pick up a cipher that was not in the list.
>
> If this is the case, the fact that your cipher is not in the list is
> a bug in OpenSSL and should be brought to their attention.
>
> >>
> >>> The following error occurred when I was going to use a certificate
> >>> of ECDSA in mod_ssl of Apache2.2.4 for trial.
> >>
> >> What is the value of your SSLCipherSuite directive in your
> >> configuration file?
> >
> > I set 'ECDHE-ECDSA-AES256-SHA' in the 'SSLCipherSuite' directive
> > experimentally.
> >
> > The error that I showed in the previous email appears right after I
> > execute 'httpd -k start'.
> > Therefore I think that the problem occurs before the ECDSA CipherSuite
> > comes into play.
>
> Could you make sure that your Apache is linked against a library that
> supports the cipher, for instance on unix systems you could run
>
> ldd /path/to/your/apache/bin/httpd
>
> and look at the entries for libcrypto.so.(...) and libssl.so.(...),
> and make sure they resolve to the right OpenSSL installation if you
> have more than one on your machine.
When I ran 'ldd', 'httpd' was linked with the OpenSSL 0.9.8e library as expected.
>
> How did you generate this certificate? If you could paste me the
> command sequence you used to generate the key and certificate, I can
> do some experimentation and see if I can reproduce your issue.
>
> Also, are you able to print the certificate using
>
> openssl x509 -in yourcert.file -noout -text
I show the certificate information below.
Note: I have omitted the DN information.
---------------------------------------------
$ ./openssl x509 -in ecdsa_cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d9:7e:b1:ac:ca:db:78:b6
        Signature Algorithm: sha1WithRSAEncryption
        (Omission)
        Validity
            Not Before: Mar 28 01:23:17 2007 GMT
            Not After : Mar 27 01:23:17 2008 GMT
        (Omission)
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:48:8b:b5:bd:28:c3:be:02:d2:fe:e3:6a:41:93:
                    5f:ce:62:6f:09:50:65:07:cc:b4:75:98:06:4c:4c:
                    9c:40:4f:d6:46:46:2a:d6:ad:06:88:46:6e:0a:84:
                    71:85:fd:b2
                ASN1 OID: prime192v1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                32:49:F5:96:57:24:35:51:23:E4:97:0B:C5:15:08:AB:B7:9A:A8:8D
            X509v3 Authority Key Identifier:
                keyid:0C:A4:37:29:F1:2D:B7:15:05:18:2F:B3:42:56:75:EC:0F:50:AB:76
                (Omission)
                serial:D9:7E:B1:AC:CA:DB:78:B5
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        5d:d2:df:87:85:a9:1e:3d:69:57:62:f3:01:74:23:26:2a:08:
        a3:f6:24:f5:7f:6e:ed:48:d2:d4:71:d3:cf:5b:99:8e:e6:88:
        d6:90:cd:53:cf:2b:4a:4b:3b:ff:57:61:69:aa:7c:cb:cf:22:
        c9:1d:fa:4f:3d:3e:c2:63:e0:e9:b6:c9:c1:36:3f:92:e2:62:
        5e:82:ea:aa:e6:75:bf:24:de:86:89:b9:5b:ea:5d:d9:ab:4c:
        77:80:df:b1:39:85:12:f2:0f:ac:5b:0e:cc:b3:09:c3:ef:60:
        3b:a2:1d:0a:fc:ff:13:71:1e:ce:f5:42:4e:d1:3f:2d:b1:c4:
        c9:f0
---------------------------------------------
In addition, when I set an RSA private key in 'SSLCertificateKeyFile'
and an RSA certificate file in 'SSLCertificateFile', 'httpd' starts
normally.
Perhaps the problem is in how mod_ssl reads an ECDSA certificate.
Thanks,
Takurou Saitou
Re: [users@httpd] ECDSA Certificate use in mod_ssl
Posted by Sander Temme <sc...@apache.org>.
On Apr 8, 2007, at 7:47 PM, Takurou Saitou wrote:
> $ ./openssl ciphers -v ECDHE-ECDSA-AES256-SHA
> ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256)
> Mac=SHA1
> ----------------------------------------------------------------------
>
> The version of OpenSSL in use is 0.9.8e.
See, that's strange. Without a thorough look at the actual code, I
don't know which call we make to get the list of CipherSuites from
OpenSSL. However, I wouldn't be surprised if we (Apache) would not
pick up a cipher that was not in the list.
If this is the case, the fact that your cipher is not in the list is
a bug in OpenSSL and should be brought to their attention.
>>
>>> The following error occurred when I was going to use a certificate
>>> of ECDSA in mod_ssl of Apache2.2.4 for trial.
>>
>> What is the value of your SSLCipherSuite directive in your
>> configuration file?
>
> I set 'ECDHE-ECDSA-AES256-SHA' in the 'SSLCipherSuite' directive
> experimentally.
>
> The error that I showed in the previous email appears right after I
> execute 'httpd -k start'.
> Therefore I think that the problem occurs before the ECDSA CipherSuite
> comes into play.
Could you make sure that your Apache is linked against a library that
supports the cipher, for instance on unix systems you could run
ldd /path/to/your/apache/bin/httpd
and look at the entries for libcrypto.so.(...) and libssl.so.(...),
and make sure they resolve to the right OpenSSL installation if you
have more than one on your machine.
How did you generate this certificate? If you could paste me the
command sequence you used to generate the key and certificate, I can
do some experimentation and see if I can reproduce your issue.
Also, are you able to print the certificate using
openssl x509 -in yourcert.file -noout -text
?
S.
--
sctemme@apache.org http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
RE: [users@httpd] ECDSA Certificate use in mod_ssl
Posted by Takurou Saitou <sa...@cij.co.jp>.
Hi,
Thank you for your reply, Sander Temme.
> -----Original Message-----
> From: Sander Temme [mailto:sctemme@apache.org]
>
> Takurou,
>
> On Apr 6, 2007, at 12:59 AM, Takurou Saitou wrote:
>
> > The use of CipherSuite of ECDSA is already enabled in OpenSSL,
> > but will there be a plan to support in the future in mod_ssl?
>
> Just to make sure that we are talking about the same thing, how does
> this cipher show up when you run 'openssl ciphers'? What version of
> openssl is in use?
When I execute 'openssl ciphers', the ECDSA CipherSuite is not displayed.
But it is displayed when I specify the ECDSA CipherSuite directly.
------------------------------------------------------------------------------------------
$ ./openssl ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
$ ./openssl ciphers -v ECDHE-ECDSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
------------------------------------------------------------------------------------------
The version of OpenSSL in use is 0.9.8e.
>
> > The following error occurred when I was going to use a certificate
> > of ECDSA in mod_ssl of Apache2.2.4 for trial.
>
> What is the value of your SSLCipherSuite directive in your
> configuration file?
I set 'ECDHE-ECDSA-AES256-SHA' in the 'SSLCipherSuite' directive
experimentally.
The error that I showed in the previous email appears right after I execute
'httpd -k start'.
Therefore I think that the problem occurs before the ECDSA CipherSuite comes into play.
Thanks,
Takurou Saitou
>
> Thanks,
>
> S.
>
> --
> sctemme@apache.org http://www.temme.net/sander/
> Open Source Software Consultant
> PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
>
> ApacheCon 2007 Europe, May 1-4 in Amsterdam
> http://www.eu.apachecon.com/
>
>
>
>
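The two checks this thread turns on are whether the server certificate's key type is one the server will load at all, and whether the suites named in SSLCipherSuite use the same authentication algorithm as that key. The following is an added example, not code from the thread or from the Apache project: it parses `openssl x509 -noout -text` output (as in Saitou's certificate dump in his follow-up) and `openssl ciphers -v` output (as listed above), and reports the mismatch that produces "no RSA or DSA server certificate found". The sample texts are constructed, abridged from the outputs in the thread; the set of key types mod_ssl 2.2.4 accepts is an assumption taken from that error message; `ssl_cipher_suite` is treated as an explicit list of suite names, so OpenSSL cipher-string keywords such as `HIGH` or `!aNULL` are not expanded.

```python
import re

# Map the "Public Key Algorithm" name printed by `openssl x509 -text` to the
# Au= token that `openssl ciphers -v` prints for suites using that key type.
KEY_ALG_TO_AUTH = {
    "rsaEncryption": "RSA",
    "dsaEncryption": "DSS",
    "id-ecPublicKey": "ECDSA",
}

# Assumption drawn from the error quoted in the thread ("no RSA or DSA server
# certificate found"): mod_ssl in httpd 2.2.4 only loads RSA and DSA server keys.
MOD_SSL_22_ACCEPTED_AUTH = frozenset({"RSA", "DSS"})

# Constructed sample: abridged `openssl x509 -noout -text` output for the
# ECDSA certificate in the thread (key material truncated).
SAMPLE_ECDSA_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:48:8b:b5:bd:28:c3:be:02:d2:fe:e3:6a:41:93:
                ASN1 OID: prime192v1
"""

# Constructed sample: an RSA certificate, the case the poster reports as working.
SAMPLE_RSA_CERT_TEXT = """\
Certificate:
    Data:
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
"""

# Constructed sample: lines in the format of `openssl ciphers -v`.
SAMPLE_CIPHERS_V = """\
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA   Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS   Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA   Enc=AES(256)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA   Enc=RC4(40)   Mac=MD5  export
"""


def cert_key_algorithm(x509_text):
    """Return the 'Public Key Algorithm' value from `openssl x509 -noout -text` output."""
    match = re.search(r"Public Key Algorithm:\s*(\S+)", x509_text)
    if match is None:
        raise ValueError("no 'Public Key Algorithm' line found in certificate text")
    return match.group(1)


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` output into {suite: {'protocol': ..., 'Kx': ..., 'Au': ..., ...}}."""
    suites = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank lines and separators
        attrs = {"protocol": parts[1]}
        for token in parts[2:]:
            if "=" in token:  # bare flags such as "export" carry no value
                key, value = token.split("=", 1)
                attrs[key] = value
        suites[parts[0]] = attrs
    return suites


def diagnose(x509_text, ciphers_v_text, ssl_cipher_suite, accepted_auth=MOD_SSL_22_ACCEPTED_AUTH):
    """Compare the certificate's key type with each suite named in SSLCipherSuite."""
    key_alg = cert_key_algorithm(x509_text)
    cert_auth = KEY_ALG_TO_AUTH.get(key_alg, "UNKNOWN")
    known = parse_ciphers_v(ciphers_v_text)
    configured = [name for name in ssl_cipher_suite.split(":") if name]
    return {
        "key_algorithm": key_alg,
        "cert_auth": cert_auth,
        # False reproduces the thread's startup failure: the key type is rejected
        # before any cipher suite is considered.
        "server_loads_cert": cert_auth in accepted_auth,
        "suites_matching_cert": [n for n in configured if known.get(n, {}).get("Au") == cert_auth],
        "suites_not_matching_cert": [n for n in configured if n in known and known[n].get("Au") != cert_auth],
        "suites_unknown_to_openssl": [n for n in configured if n not in known],
    }


if __name__ == "__main__":
    for label, cert in (("ECDSA cert", SAMPLE_ECDSA_CERT_TEXT), ("RSA cert", SAMPLE_RSA_CERT_TEXT)):
        result = diagnose(cert, SAMPLE_CIPHERS_V, "ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA")
        print(label)
        for key, value in result.items():
            print("  %-26s %s" % (key, value))
```

Run against a real server, replace the sample strings with the output of `openssl x509 -in <SSLCertificateFile> -noout -text` and `openssl ciphers -v`, taken from the same OpenSSL installation that `ldd` shows httpd linked against, otherwise the suite list may not reflect what mod_ssl actually sees.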
Re: [users@httpd] ECDSA Certificate use in mod_ssl
Posted by Sander Temme <sc...@apache.org>.
Takurou,
On Apr 6, 2007, at 12:59 AM, Takurou Saitou wrote:
> The use of CipherSuite of ECDSA is already enabled in OpenSSL,
> but will there be a plan to support in the future in mod_ssl?
Just to make sure that we are talking about the same thing, how does
this cipher show up when you run 'openssl ciphers'? What version of
openssl is in use?
> The following error occurred when I was going to use a certificate
> of ECDSA in mod_ssl of Apache2.2.4 for trial.
What is the value of your SSLCipherSuite directive in your
configuration file?
Thanks,
S.
--
sctemme@apache.org http://www.temme.net/sander/
Open Source Software Consultant
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
ApacheCon 2007 Europe, May 1-4 in Amsterdam
http://www.eu.apachecon.com/