httpd-users mailing list archives

From Sander Temme <scte...@apache.org>
Subject Re: [users@httpd] ECDSA Certificate use in mod_ssl
Date Mon, 09 Apr 2007 16:46:46 GMT

On Apr 8, 2007, at 7:47 PM, Takurou Saitou wrote:

> $ ./openssl ciphers -v ECDHE-ECDSA-AES256-SHA
> ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)   Mac=SHA1
> ----------------------------------------------------------------------
>
> The version of OpenSSL I am using is 0.9.8e.

See, that's strange.  Without a thorough look at the actual code, I  
don't know which call we make to get the list of CipherSuites from  
OpenSSL.  However, I wouldn't be surprised if we (Apache) would not  
pick up a cipher that was not in the list.

If this is the case, the fact that your cipher is not in the list is  
a bug in OpenSSL and should be brought to their attention.

>>
>>> The following error occurred when I was going to use a certificate
>>> of ECDSA in mod_ssl of Apache2.2.4 for trial.
>>
>> What is the value of your SSLCipherSuite directive in your
>> configuration file?
>
> I appoint 'ECDHE-ECDSA-AES256-SHA' in 'SSLCipherSuite' directive
> experimentally.
>
> The error that I showed in a previous email is given right after I
> execute 'httpd -k start'.
> Therefore I think that it is a previous problem with CipherSuite of
> ECDSA.

Could you make sure that your Apache is linked against a library that
supports the cipher? For instance, on Unix systems you could run

ldd /path/to/your/apache/bin/httpd

and look at the entries for libcrypto.so.(...) and libssl.so.(...),  
and make sure they resolve to the right OpenSSL installation if you  
have more than one on your machine.

How did you generate this certificate? If you could paste me the  
command sequence you used to generate the key and certificate, I can  
do some experimentation and see if I can reproduce your issue.

Also, are you able to print the certificate using

openssl x509 -in yourcert.file -noout -text

?

S.

-- 
sctemme@apache.org            http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4  B7B8 B2BE BC40 1529 24AF
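
Added example (not part of the original message, and not Apache or OpenSSL code): the ldd check suggested above, written as a script that reports where libssl and libcrypto resolve. It assumes the intended OpenSSL libraries live in /usr/local/ssl/lib; check_ssl_linkage and sample_mismatch are hypothetical names and the ldd output is constructed.

```shell
#!/usr/bin/env bash
# check_ssl_linkage EXPECTED_LIBDIR   (reads ldd output on stdin)
# Returns 0 only when both libssl and libcrypto resolve inside
# EXPECTED_LIBDIR; prints one line per library and returns 1 otherwise.
check_ssl_linkage() {
    awk -v want="${1%/}" '
        # ldd lines look like: "libssl.so.0.9.8 => /dir/libssl.so.0.9.8 (0x...)"
        $1 ~ /^lib(ssl|crypto)\.so/ {
            lib = $1; sub(/\.so.*/, "", lib)   # "libssl" or "libcrypto"
            seen[lib] = 1
            if ($2 != "=>" || $3 == "not") {   # "=> not found"
                printf "%s: not found\n", $1
                bad = 1
                next
            }
            path = $3
            n = split(path, parts, "/")        # strip the file name
            dir = substr(path, 1, length(path) - length(parts[n]) - 1)
            if (dir != want) {
                printf "%s: resolves to %s, expected %s\n", $1, path, want
                bad = 1
            } else {
                printf "%s: ok (%s)\n", $1, path
            }
        }
        END {
            # Neither entry appears when mod_ssl is a shared module.
            if (!seen["libssl"])    { print "libssl: no entry";    bad = 1 }
            if (!seen["libcrypto"]) { print "libcrypto: no entry"; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed ldd output: libssl comes from the system copy in /usr/lib,
# libcrypto from the assumed custom build in /usr/local/ssl/lib.
sample_mismatch() {
cat <<'EOF'
	libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0xb7f2a000)
	libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8 (0xb7de1000)
	libc.so.6 => /lib/libc.so.6 (0xb7c90000)
EOF
}

sample_mismatch | check_ssl_linkage /usr/local/ssl/lib \
    || echo "httpd is not linked against the intended OpenSSL"
```

On a real system, pipe the output of ldd /path/to/your/apache/bin/httpd into check_ssl_linkage. If mod_ssl is built as a shared module, run ldd on mod_ssl.so instead, because httpd itself will show no libssl entry.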


