From "Takurou Saitou" <saito.tak...@cij.co.jp>
Subject RE: [users@httpd] ECDSA Certificate use in mod_ssl
Date Tue, 10 Apr 2007 11:04:46 GMT
> -----Original Message-----
> From: Sander Temme [mailto:sctemme@apache.org]
> 
> On Apr 8, 2007, at 7:47 PM, Takurou Saitou wrote:
> 
> > $ ./openssl ciphers -v ECDHE-ECDSA-AES256-SHA
> > ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)   Mac=SHA1
> > ----------------------------------------------------------------------
> >
> > The version of OpenSSL I am using is 0.9.8e.
> 
> See, that's strange.  Without a thorough look at the actual code, I  
> don't know which call we make to get the list of CipherSuites from  
> OpenSSL.  However, I wouldn't be surprised if we (Apache) would not  
> pick up a cipher that was not in the list.
> 
> If this is the case, the fact that your cipher is not in the list is  
> a bug in OpenSSL and should be brought to their attention.
> 
> >>
> >>> The following error occurred when I was going to use a certificate
> >>> of ECDSA in mod_ssl of Apache2.2.4 for trial.
> >>
> >> What is the value of your SSLCipherSuite directive in your
> >> configuration file?
> >
> > I set 'ECDHE-ECDSA-AES256-SHA' in the 'SSLCipherSuite' directive
> > experimentally.
> >
> > The error I showed in a previous email occurs right after I
> > execute 'httpd -k start'.
> > Therefore I think it is a problem that arises before the ECDSA
> > CipherSuite is involved.
> 
> Could you make sure that your Apache is linked against a library that  
> supports the cipher, for instance on unix systems you could run
> 
> ldd /path/to/your/apache/bin/httpd
> 
> and look at the entries for libcrypto.so.(...) and libssl.so.(...),  
> and make sure they resolve to the right OpenSSL installation if you  
> have more than one on your machine.

When I ran 'ldd', 'httpd' was linked against the OpenSSL 0.9.8e library as expected.

> 
> How did you generate this certificate? If you could paste me the  
> command sequence you used to generate the key and certificate, I can  
> do some experimentation and see if I can reproduce your issue.
> 
> Also, are you able to print the certificate using
> 
> openssl x509 -in yourcert.file -noout -text

The certificate information is shown below.
(DN information is omitted.)

---------------------------------------------
$ ./openssl x509 -in ecdsa_cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d9:7e:b1:ac:ca:db:78:b6
        Signature Algorithm: sha1WithRSAEncryption

(Omission)

        Validity
            Not Before: Mar 28 01:23:17 2007 GMT
            Not After : Mar 27 01:23:17 2008 GMT

(Omission)

        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:48:8b:b5:bd:28:c3:be:02:d2:fe:e3:6a:41:93:
                    5f:ce:62:6f:09:50:65:07:cc:b4:75:98:06:4c:4c:
                    9c:40:4f:d6:46:46:2a:d6:ad:06:88:46:6e:0a:84:
                    71:85:fd:b2
                ASN1 OID: prime192v1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                32:49:F5:96:57:24:35:51:23:E4:97:0B:C5:15:08:AB:B7:9A:A8:8D
            X509v3 Authority Key Identifier:
                keyid:0C:A4:37:29:F1:2D:B7:15:05:18:2F:B3:42:56:75:EC:0F:50:AB:76

(Omission)

                serial:D9:7E:B1:AC:CA:DB:78:B5

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        5d:d2:df:87:85:a9:1e:3d:69:57:62:f3:01:74:23:26:2a:08:
        a3:f6:24:f5:7f:6e:ed:48:d2:d4:71:d3:cf:5b:99:8e:e6:88:
        d6:90:cd:53:cf:2b:4a:4b:3b:ff:57:61:69:aa:7c:cb:cf:22:
        c9:1d:fa:4f:3d:3e:c2:63:e0:e9:b6:c9:c1:36:3f:92:e2:62:
        5e:82:ea:aa:e6:75:bf:24:de:86:89:b9:5b:ea:5d:d9:ab:4c:
        77:80:df:b1:39:85:12:f2:0f:ac:5b:0e:cc:b3:09:c3:ef:60:
        3b:a2:1d:0a:fc:ff:13:71:1e:ce:f5:42:4e:d1:3f:2d:b1:c4:
        c9:f0

---------------------------------------------

In addition, when I set an RSA private key in 'SSLCertificateKeyFile'
and an RSA certificate file in 'SSLCertificateFile', 'httpd' starts
normally.
Perhaps this is a problem with how mod_ssl reads an ECDSA certificate.

Thanks,

Takurou Saitou
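An added diagnostic example (not part of this thread, nor Apache or OpenSSL code) that applies the two checks suggested above to constructed sample text: which libssl/libcrypto `ldd` resolves, and whether the certificate's key algorithm from `openssl x509 -text` can satisfy the `Au=` field of the configured cipher suite. The library paths are constructed placeholders; the certificate and cipher fields are copied from the output posted in the thread.

```shell
#!/bin/sh
# Added example: consistency checks for an ECDSA certificate in mod_ssl; all input is constructed.
# Constructed `ldd httpd` excerpt; the paths are placeholders.
LDD_TEXT='    libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8 (0x00002b0c)
    libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8 (0x00002b1a)
    libc.so.6 => /lib/libc.so.6 (0x00002b2f)'

# Fields copied from the `openssl x509 -text` output posted in the thread.
CERT_TEXT='Certificate:
        Signature Algorithm: sha1WithRSAEncryption
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                ASN1 OID: prime192v1
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE'

# The `openssl ciphers -v` line posted in the thread.
CIPHER_LINE='ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)   Mac=SHA1'

# ssl_lib_paths: print the resolved libssl/libcrypto paths from ldd output,
# so they can be compared with the OpenSSL installation mod_ssl was built against.
ssl_lib_paths() {
    printf '%s\n' "$1" | awk '/lib(ssl|crypto)\.so/ { print $3 }'
}

# cert_field: print the first value of a named field in `openssl x509 -text` output.
cert_field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p" | head -n 1
}

# cipher_auth: print the Au= (authentication) method of an `openssl ciphers -v` line.
cipher_auth() {
    printf '%s\n' "$1" | sed -n 's/.*Au=\([A-Za-z0-9]*\).*/\1/p'
}

# key_matches_cipher_auth: succeed only when the certificate's key type can satisfy
# the suite's authentication method (ECDSA needs an EC key, RSA needs an RSA key).
key_matches_cipher_auth() {
    alg=$(cert_field 'Public Key Algorithm' "$1")
    case "$(cipher_auth "$2"):$alg" in
        ECDSA:id-ecPublicKey | RSA:rsaEncryption) return 0 ;;
        *) return 1 ;;
    esac
}

ssl_lib_paths "$LDD_TEXT"
key_matches_cipher_auth "$CERT_TEXT" "$CIPHER_LINE" && echo "key type matches cipher auth"
echo "Basic Constraints: $(cert_field 'CA' "$CERT_TEXT")"
```

With real input, pipe `ldd /path/to/httpd` and `openssl x509 -in cert.pem -noout -text` into the same functions; a server certificate is normally issued with CA:FALSE, so the CA:TRUE value printed here is worth a look when checking which file is configured in SSLCertificateFile.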



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

