On 11 Oct 2016 7:05 pm, "Thierry Fournier" <thierry.fourn...@ozon.io> wrote:
>
> Hi list,
>
> I'm currently trying to investigate a little memory leak in
> the certificates loading, and I try to test ECDSA certificates and
> ciphers.
>
> I can't do this :( I don't understand anything in the ECDSA
> certificate process.
>
> So, after many failures with HAProxy, I tried to validate the concept only
> with openssl. I used openssl 1.0.2j.
>
> First I test classic RSA ciphers (I suppose that OpenSSL builds its own
> certificates?):
>
>    openssl s_server -accept 10000 -cipher RSA
>    openssl s_client -connect 127.0.0.1:10000 -cipher RSA
>
> That runs! I tried with ECDSA. It's exactly the same command but
> with ECDSA ciphers.
>
>    openssl s_server -accept 10000 -cipher ECDSA
>    openssl s_client -connect 127.0.0.1:10000 -cipher ECDSA
>
Try with a more specific cipher, like -cipher ECDHE-ECDSA-AES128-GCM-SHA256

> That doesn't work. I read this error: "ssl3_get_client_hello:no shared
> cipher". I don't understand because the server and the client are the
> same binary, and I suppose that the ciphers are obviously the same.
>
> I have exactly the same behaviour with haproxy (I wrote a temporary
> patch for having the detail of the handshake errors). If I load only an
> ECDSA certificate, and I enable only the ECDSA ciphers.
>
> I ran a tcpdump network capture, and I see that the client announces
> the right list of ECDSA ciphers. In other way, the protocol used is TLS
> 1.2.
>
>    ... ECDHE-ECDSA-AES128-SHA256 ... ECDHE-ECDSA-AES128-SHA ...
>    ... and others ...
>
> My test certificate is generated from a little chain where the root CA
> is autosigned. So the root CA and the 2 intermediates are RSA
> certificates. The ECDSA certificate is built with these commands:
>
>    openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \
>       $CN.ecdsa.key
>
>    openssl req -new -key $CN.ecdsa.key -out $CN.ecdsa.csr -subj \
>       "$SUBJECT"
>
>    openssl x509 -req -in $CN.ecdsa.csr -CA inter2.pem -CAkey \
>       inter2.key -CAcreateserial -out $CN.ecdsa.cert -days 500000 \
>       -sha256
>
> Any ideas?
>
> PS: I can't test the DSA either, but in this case, the openssl
> s_client fails before trying to connect :) This is another story.
>
> Thierry
>
>
> --
> Thierry Fournier
> m: +33 6 68 69 21 85 | e: thierry.fourn...@ozon.io
> w: http://www.ozon.io/ | b: http://blog.ozon.io/
>
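
Added example, not part of the original messages: the s_server/s_client test from the thread with the server key and certificate passed explicitly, run once with an RSA certificate and once with an ECDSA certificate against the suite suggested in the reply. An ECDHE-ECDSA suite can only be selected when the server presents an ECDSA certificate. The self-signed certificates, file names, ports and the named-curve key encoding are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `openssl` on PATH. File names,
# ports and the self-signed certificates (stand-ins for the CA chain in the
# message) are constructed for this example.
SUITE=ECDHE-ECDSA-AES128-GCM-SHA256

# make_cert <ec|rsa> <basename>: write <basename>.key and <basename>.crt.
make_cert() {
    if [ "$1" = ec ]; then
        # Named-curve encoding (ecparam's default): TLS peers negotiate
        # curves by name, so the key is not written with explicit parameters.
        openssl ecparam -name secp521r1 -genkey -noout -out "$2.key"
    else
        openssl genrsa -out "$2.key" 2048
    fi 2>/dev/null
    openssl req -new -x509 -key "$2.key" -out "$2.crt" \
        -subj "/CN=localhost" -days 30 -sha256 2>/dev/null
}

# negotiated <basename> <port>: start s_server with that key/cert, connect
# once offering only $SUITE over TLS 1.2, and print the cipher s_client
# reports: the suite name on success, "(NONE)" on handshake failure, or
# nothing if the server could not be reached.
negotiated() {
    # -www stops s_server from reading stdin, so it survives in background.
    openssl s_server -accept "$2" -key "$1.key" -cert "$1.crt" \
        -cipher "$SUITE" -tls1_2 -www >/dev/null 2>&1 &
    srv=$!
    sleep 1
    out=$(openssl s_client -connect "127.0.0.1:$2" -tls1_2 \
        -cipher "$SUITE" </dev/null 2>/dev/null) || true
    kill "$srv" 2>/dev/null || true
    wait "$srv" 2>/dev/null || true
    printf '%s\n' "$out" | sed -n 's/.*Cipher is //p' | head -n 1
}

# Demo (run with the argument "demo"): same client, two server certificates.
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_cert rsa "$d/rsa" && make_cert ec "$d/ec"
    echo "RSA certificate:   $(negotiated "$d/rsa" 10000)"
    echo "ECDSA certificate: $(negotiated "$d/ec" 10001)"
    rm -rf "$d"
fi
```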