httpd-users mailing list archives

From "Takurou Saitou" <>
Subject RE: [users@httpd] ECDSA Certificate use in mod_ssl
Date Tue, 10 Apr 2007 11:04:46 GMT
> -----Original Message-----
> From: Sander Temme []
> On Apr 8, 2007, at 7:47 PM, Takurou Saitou wrote:
> > $ ./openssl ciphers -v ECDHE-ECDSA-AES256-SHA
> > ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)   Mac=SHA1
> > ----------------------------------------------------------------------
> >
> > The version of OpenSSL I am using is 0.9.8e.
> See, that's strange.  Without a thorough look at the actual code, I  
> don't know which call we make to get the list of CipherSuites from  
> OpenSSL.  However, I wouldn't be surprised if we (Apache) would not  
> pick up a cipher that was not in the list.
> If this is the case, the fact that your cipher is not in the list is  
> a bug in OpenSSL and should be brought to their attention.
> >>
> >>> The following error occurred when I was going to use a certificate
> >>> of ECDSA in mod_ssl of Apache2.2.4 for trial.
> >>
> >> What is the value of your SSLCipherSuite directive in your
> >> configuration file?
> >
> > I specified 'ECDHE-ECDSA-AES256-SHA' in the 'SSLCipherSuite' directive
> > experimentally.
> >
> > The error that I showed in a previous email is given right after I
> > execute 'httpd -k start'.
> > Therefore I think that it is a previous problem with CipherSuite of  
> > ECDSA.
> Could you make sure that your Apache is linked against a library that  
> supports the cipher, for instance on unix systems you could run
> ldd /path/to/your/apache/bin/httpd
> and look at the entries for and,  
> and make sure they resolve to the right OpenSSL installation if you  
> have more than one on your machine.

'httpd' is linked normally with the OpenSSL 0.9.8e library when I executed 'ldd'.

> How did you generate this certificate? If you could paste me the  
> command sequence you used to generate the key and certificate, I can  
> do some experimentation and see if I can reproduce your issue.
> Also, are you able to print the certificate using
> openssl x509 -in yourcert.file -noout -text

I show the certificate information below.
※ I omit the DN information.

$ ./openssl x509 -in ecdsa_cert.pem -noout -text
        Version: 3 (0x2)
        Serial Number:
        Signature Algorithm: sha1WithRSAEncryption


            Not Before: Mar 28 01:23:17 2007 GMT
            Not After : Mar 27 01:23:17 2008 GMT


        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                ASN1 OID: prime192v1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:



            X509v3 Basic Constraints:
    Signature Algorithm: sha1WithRSAEncryption


In addition, when I set an RSA private key in 'SSLCertificateKeyFile'
and an RSA certificate file in 'SSLCertificateFile', 'httpd' starts
normally.
Perhaps it is a problem with reading an ECDSA certificate in mod_ssl.


Takurou Saitou

The official User-To-User support forum of the Apache HTTP Server Project.
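
The two checks exchanged in this thread (what the cipher suite authenticates with, and what key the certificate carries) can be compared mechanically. The script below is an added example, not part of the original messages and not Apache or OpenSSL code: it parses the `openssl ciphers -v` line and the `openssl x509 -noout -text` fields quoted above and also reports the issuer's signature algorithm, which describes the CA's key rather than the subject's. The function names are hypothetical and the RSA cipher line is constructed for the mismatch case.

```shell
#!/bin/sh
# Added example: offline consistency check between a cipher suite's
# authentication method and a certificate's subject key type.

# Au= field from one line of `openssl ciphers -v` output.
cipher_auth() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | sed -n 's/^Au=//p' | head -n 1
}

# Subject key type from `openssl x509 -noout -text` output.
cert_key_alg() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Public Key Algorithm:[[:space:]]*//p' | head -n 1
}

# Algorithm the issuer signed with (the CA's key, not the subject's).
cert_sig_alg() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1
}

# Map an Au= value to the key type the server certificate must carry.
required_key_alg() {
    case "$1" in
        ECDSA) echo id-ecPublicKey ;;
        RSA)   echo rsaEncryption ;;
        *)     echo unknown ;;
    esac
}

# Returns 0 when the certificate's key type fits the cipher suite.
check_pair() {
    want=$(required_key_alg "$(cipher_auth "$1")")
    have=$(cert_key_alg "$2")
    echo "cipher needs $want; cert key is $have; issuer signed with $(cert_sig_alg "$2")"
    [ "$want" != unknown ] && [ "$want" = "$have" ]
}

# Sample input copied from the output quoted in the message above.
CIPHER_LINE='ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)   Mac=SHA1'
CERT_TEXT='        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                ASN1 OID: prime192v1'
# Constructed line in the same format, for the mismatch case.
RSA_LINE='AES256-SHA  SSLv3 Kx=RSA  Au=RSA Enc=AES(256) Mac=SHA1'

check_pair "$CIPHER_LINE" "$CERT_TEXT" && echo "match"
check_pair "$RSA_LINE" "$CERT_TEXT" || echo "mismatch"
```

To run it against live data, pass `"$(openssl ciphers -v NAME)"` and `"$(openssl x509 -in FILE -noout -text)"` as the two arguments to `check_pair`.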