From: Sander Temme
Date: Mon, 9 Apr 2007 09:46:46 -0700
To: users@httpd.apache.org
Subject: Re: [users@httpd] ECDSA Certificate use in mod_ssl
Message-Id: <878479A8-00DD-434E-9C4C-6CBB03E34447@apache.org>

On Apr 8, 2007, at 7:47 PM, Takurou Saitou wrote:

> $ ./openssl ciphers -v ECDHE-ECDSA-AES256-SHA
> ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
> ----------------------------------------------------------------------
>
> A version of OpenSSL using is 0.9.8e.

See, that's strange. Without a thorough look at the actual code, I don't know which call we make to get the list of CipherSuites from OpenSSL. However, I wouldn't be surprised if we (Apache) would not pick up a cipher that was not in the list. If this is the case, the fact that your cipher is not in the list is a bug in OpenSSL and should be brought to their attention.

>>
>>> The following error occurred when I was going to use a certificate
>>> of ECDSA in mod_ssl of Apache2.2.4 for trial.
>>
>> What is the value of your SSLCipherSuite directive in your
>> configuration file?
>
> I appoint 'ECDHE-ECDSA-AES256-SHA' in 'SSLCipherSuite' directive
> experimentally.
>
> The error that I showed by a previous email is given right after I
> execute 'httpd -k start'.
> Therefore I think that it is a previous problem with CipherSuite of
> ECDSA.

Could you make sure that your Apache is linked against a library that supports the cipher, for instance on unix systems you could run

ldd /path/to/your/apache/bin/httpd

and look at the entries for libcrypto.so.(...) and libssl.so.(...), and make sure they resolve to the right OpenSSL installation if you have more than one on your machine.

How did you generate this certificate?
If you could paste me the command sequence you used to generate the key and certificate, I can do some experimentation and see if I can reproduce your issue.

Also, are you able to print the certificate using

openssl x509 -in yourcert.file -noout -text

?

S.

-- 
sctemme@apache.org http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF
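The linkage check suggested in the message above, as an added example that is not part of the original email or of Apache's own code: a shell function that reads `ldd` output and reports whether libssl and libcrypto both resolve under the OpenSSL installation you expect. The function names, the `/usr/local/ssl` prefix and the sample `ldd` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: verify which OpenSSL libraries an httpd binary resolves to.
# Reads `ldd` output on stdin; $1 is the directory prefix of the OpenSSL
# installation you expect (hypothetical here: /usr/local/ssl).
# Exit status: 0 = both libraries under the prefix,
#              1 = a library resolves somewhere else,
#              2 = a library is unresolved ("not found") or not listed at all.
check_openssl_linkage() {
    awk -v want="$1" '
        # ldd lines look like: libssl.so.N => /path/libssl.so.N (0xADDR)
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            name = ($1 ~ /^libssl/) ? "libssl" : "libcrypto"
            seen[name] = 1
            if ($3 == "not") { printf "%s: not found\n", name; bad = 2; next }
            # Require a path-component match so /usr/local/ssl2 does not pass.
            ok = (index($3, want "/") == 1)
            note = ok ? "" : "  <-- outside " want
            printf "%s: %s%s\n", name, $3, note
            if (!ok && bad < 1) bad = 1
        }
        END {
            if (!seen["libssl"])    { print "libssl: not listed";    bad = 2 }
            if (!seen["libcrypto"]) { print "libcrypto: not listed"; bad = 2 }
            exit bad + 0
        }'
}

# Constructed sample: a machine with two OpenSSL installations, where libssl
# comes from the custom build but libcrypto is picked up from the system copy.
sample_ldd() {
    cat <<'EOF'
    libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8 (0x00002b5c1a3d4000)
    libcrypto.so.0.9.8 => /usr/lib/libcrypto.so.0.9.8 (0x00002b5c1a61e000)
    libc.so.6 => /lib/libc.so.6 (0x00002b5c1a9b2000)
EOF
}

# Demo on the constructed sample. On a real system, pipe in the output of:
#   ldd /path/to/your/apache/bin/httpd
sample_ldd | check_openssl_linkage /usr/local/ssl || echo "exit status: $?"
```

A non-zero status means the running httpd may be using a different OpenSSL build from the `openssl` binary used to list ciphers, so results from the two cannot be compared directly.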