On 12 Oct 2016 8:45 am, "Igor Cicimov" <ig...@encompasscorporation.com> wrote: > > On 11 Oct 2016 7:05 pm, "Thierry Fournier" <thierry.fourn...@ozon.io> wrote: > > > > Hi list, > > > > I'm currently trying to investigate about a little leak of memory in > > the certificates loading, and I try to test ECDSA certificates and > > cipher. > > > > I can't done this :( I don't understand anything in the ECDSA > > certificate process. > > > > So, after many fails with HAProxy, I tried to validate the concept only > > with openssl. I used openssl 1.0.2j. > > > > First I test classic RSA ciphers (I suppose that OpenSSL build its own > > certificates ?): > > > > openssl s_server -accept 10000 -cipher RSA > > openssl s_client -connect 127.0.0.1:10000 -cipher RSA > > > > That's run ! I tried with ECDSA. I ts exactily the same command but > > with ECDSA ciphers. > > > > openssl s_server -accept 10000 -cipher ECDSA > > openssl s_client -connect 127.0.0.1:10000 -cipher ECDSA > > > > Try with more specific cipher like > > -cipher ECDHE-ECDSA-AES128-GCM-SHA256 > > > That's no work. I read these error: "ssl3_get_client_hello:no shared > > cipher". I don't understand because the server and the client are the > > same binary, and I suppose that the cipher are obviously the same. > > > > I have exactly the same behaviour with haproxy (I wrote a temporary > > path for having the detail of the handshake errors). If I load only a > > ECDSA certificate, and I enable only the ECDSA ciphers. > > > > I run a tcpdump network capture, and I se that the client announce > > the right list of ECDSA ciphers. In other way, the protocol used is TLS > > 1.2. > > > > ... ECDHE-ECDSA-AES128-SHA256 ... ECDHE-ECDSA-AES128-SHA ... > > ... and others ... > > > > My test certificate is generated from a little chain where the root CA > > is autosigned. So the root CA and the 2 intermediate are RSA > > certificates. The ECDSA certificate is build with these commands: > > > > openssl ecparam -name secp521r1 -genkey -param_enc explicit -out \ > > $CN.ecdsa.key
Also try with different EC like: openssl req -new -x509 -nodes -newkey ec:<(openssl ecparam -name secp384r1) -keyout cert_ecdsa.key -out cert_ecdsa.crt -days 7200 -subj 'subject' I remember I had issues with secp higher than 384r1 when was testing ecdsa with tomcat9. See https://icicimov.github.io/blog/server/Tomcat9-ECDSA-Certificates-and-HTTP2/, maybe you can find something useful. Was using curl as client for testing though. > > openssl req -new -key $CN.ecdsa.key -out $CN.ecdsa.csr -subj \ > > "$SUBJECT" > > > > openssl x509 -req -in $CN.ecdsa.csr -CA inter2.pem -CAkey \ > > inter2.key -CAcreateserial -out $CN.ecdsa.cert -days 500000 \ > > -sha256 > > > > Any ideas ? > > > > PS: I can't neither test the DSA, but in this case, the openssl > > s_client fail before trying to connect :) This is another story. > > > > Thierry > > > > > > -- > > Thierry Fournier > > m: +33 6 68 69 21 85 | e: thierry.fourn...@ozon.io > > w: http://www.ozon.io/ | b: http://blog.ozon.io/ > >
