Re: 2.3.2.1 - EC keys suppport?

[Aki Tuomi]

On 30 July 2018 at 21:00 ѽ҉ᶬḳ℠ < v...@gmx.net> wrote:

I did some local testing and it seems that you are using a curve that is not acceptable for openssl as a server key.

I tested with openssl s_server -cert ec-cert.pem -key ec-key.pem -port 5555

using cert generated with brainpool. Everything works if I use prime256v1 or secp521r1. This is a limitation in OpenSSL and not something we can really do anything about.

Aki Tuomi

Open-Xchange Oy

Which openssl version you are using? This end it is OpenSSL 1.1.0h.

There are no issues creating private keys, issuing csr, signing certs

with that particular curve. Printing certs and verifying certs against

keys is panning out too, comparing md5 hashes also no errors. So why

would openssl not accept (limit) keys is has generated and verified with

no error?

[ openssl ecparam -list_curves ]

  secp112r1 : SECG/WTLS curve over a 112 bit prime field

  secp112r2 : SECG curve over a 112 bit prime field

  secp128r1 : SECG curve over a 128 bit prime field

  secp128r2 : SECG curve over a 128 bit prime field

  secp160k1 : SECG curve over a 160 bit prime field

  secp160r1 : SECG curve over a 160 bit prime field

  secp160r2 : SECG/WTLS curve over a 160 bit prime field

  secp192k1 : SECG curve over a 192 bit prime field

  secp224k1 : SECG curve over a 224 bit prime field

  secp224r1 : NIST/SECG curve over a 224 bit prime field

  secp256k1 : SECG curve over a 256 bit prime field

  secp384r1 : NIST/SECG curve over a 384 bit prime field

  secp521r1 : NIST/SECG curve over a 521 bit prime field

  prime192v1: NIST/X9.62/SECG curve over a 192 bit prime field

  prime192v2: X9.62 curve over a 192 bit prime field

  prime192v3: X9.62 curve over a 192 bit prime field

  prime239v1: X9.62 curve over a 239 bit prime field

  prime239v2: X9.62 curve over a 239 bit prime field

  prime239v3: X9.62 curve over a 239 bit prime field

  prime256v1: X9.62/SECG curve over a 256 bit prime field

  sect113r1 : SECG curve over a 113 bit binary field

  sect113r2 : SECG curve over a 113 bit binary field

  sect131r1 : SECG/WTLS curve over a 131 bit binary field

  sect131r2 : SECG curve over a 131 bit binary field

  sect163k1 : NIST/SECG/WTLS curve over a 163 bit binary field

  sect163r1 : SECG curve over a 163 bit binary field

  sect163r2 : NIST/SECG curve over a 163 bit binary field

  sect193r1 : SECG curve over a 193 bit binary field

  sect193r2 : SECG curve over a 193 bit binary field

  sect233k1 : NIST/SECG/WTLS curve over a 233 bit binary field

  sect233r1 : NIST/SECG/WTLS curve over a 233 bit binary field

  sect239k1 : SECG curve over a 239 bit binary field

  sect283k1 : NIST/SECG curve over a 283 bit binary field

  sect283r1 : NIST/SECG curve over a 283 bit binary field

  sect409k1 : NIST/SECG curve over a 409 bit binary field

  sect409r1 : NIST/SECG curve over a 409 bit binary field

  sect571k1 : NIST/SECG curve over a 571 bit binary field

  sect571r1 : NIST/SECG curve over a 571 bit binary field

  c2pnb163v1: X9.62 curve over a 163 bit binary field

  c2pnb163v2: X9.62 curve over a 163 bit binary field

  c2pnb163v3: X9.62 curve over a 163 bit binary field

  c2pnb176v1: X9.62 curve over a 176 bit binary field

  c2tnb191v1: X9.62 curve over a 191 bit binary field

  c2tnb191v2: X9.62 curve over a 191 bit binary field

  c2tnb191v3: X9.62 curve over a 191 bit binary field

  c2pnb208w1: X9.62 curve over a 208 bit binary field

  c2tnb239v1: X9.62 curve over a 239 bit binary field

  c2tnb239v2: X9.62 curve over a 239 bit binary field

  c2tnb239v3: X9.62 curve over a 239 bit binary field

  c2pnb272w1: X9.62 curve over a 272 bit binary field

  c2pnb304w1: X9.62 curve over a 304 bit binary field

  c2tnb359v1: X9.62 curve over a 359 bit binary field

  c2pnb368w1: X9.62 curve over a 368 bit binary field

  c2tnb431r1: X9.62 curve over a 431 bit binary field

  wap-wsg-idm-ecid-wtls1: WTLS curve over a 113 bit binary field

  wap-wsg-idm-ecid-wtls3: NIST/SECG/WTLS curve over a 163 bit binary field

  wap-wsg-idm-ecid-wtls4: SECG curve over a 113 bit binary field

  wap-wsg-idm-ecid-wtls5: X9.62 curve over a 163 bit binary field

  wap-wsg-idm-ecid-wtls6: SECG/WTLS curve over a 112 bit prime field

  wap-wsg-idm-ecid-wtls7: SECG/WTLS curve over a 160 bit prime field

  wap-wsg-idm-ecid-wtls8: WTLS curve over a 112 bit prime field

  wap-wsg-idm-ecid-wtls9: WTLS curve over a 160 bit prime field

  wap-wsg-idm-ecid-wtls10: NIST/SECG/WTLS curve over a 233 bit binary field

  wap-wsg-idm-ecid-wtls11: NIST/SECG/WTLS curve over a 233 bit binary field

  wap-wsg-idm-ecid-wtls12: WTLS curve over a 224 bit prime field

  Oakley-EC2N-3:

        IPSec/IKE/Oakley curve #3 over a 155 bit binary field.

        Not suitable for ECDSA.

        Questionable extension field!

  Oakley-EC2N-4:

        IPSec/IKE/Oakley curve #4 over a 185 bit binary field.

        Not suitable for ECDSA.

        Questionable extension field!

  brainpoolP160r1: RFC 5639 curve over a 160 bit prime field

  brainpoolP160t1: RFC 5639 curve over a 160 bit prime field

  brainpoolP192r1: RFC 5639 curve over a 192 bit prime field

  brainpoolP192t1: RFC 5639 curve over a 192 bit prime field

  brainpoolP224r1: RFC 5639 curve over a 224 bit prime field

  brainpoolP224t1: RFC 5639 curve over a 224 bit prime field

  brainpoolP256r1: RFC 5639 curve over a 256 bit prime field

  brainpoolP256t1: RFC 5639 curve over a 256 bit prime field

  brainpoolP320r1: RFC 5639 curve over a 320 bit prime field

  brainpoolP320t1: RFC 5639 curve over a 320 bit prime field

  brainpoolP384r1: RFC 5639 curve over a 384 bit prime field

  brainpoolP384t1: RFC 5639 curve over a 384 bit prime field

  brainpoolP512r1: RFC 5639 curve over a 512 bit prime field

  brainpoolP512t1: RFC 5639 curve over a 512 bit prime field

try

openssl s_server -cert /path/to/cert -key /path/to/key -port 5555

openssl s_client -connect localhost:5555

Aki

---
Aki Tuomi