On Sat, Aug 22, 2009, Michael D wrote:

> Thank you for your reply.
> If I understand correctly, by specifying the 'nocert' option
> when starting s_server, I am limiting the cipher suites to those
> without certificates. Otherwise I need to create a certificate
> and cipher suites that require certificates won't work.
>
> Does OpenSSL support the TLS_ECDH_anon .. cipher suites?
>

Yes the cipherstring "AECDH" for example will explicitly enable them.

> Last question. (for now..and thank you)
> How can I generate an elliptic curve certificate?
>
> I tried a few things unsuccessfully to make a certificate,
> so some tips would really be appreciated.
>

Well you make an EC key and then use that to generate a certificate.

You need an EC curve first, you can list supported curves with:

openssl ecparam -list_curves

Then you can generate a key with:

openssl ecparam -genkey -name prime239v3 -out eckey.pem

You can also use the universal key generation utility, first dump the curve to
a file:

openssl genpkey -genparam -algorithm EC -pkeyopt ec_paramgen_curve:prime239v3 -out ecparam.pem

Then generate the key:

openssl genpkey -paramfile ecparam.pem -out eckey.pem -aes128

That also encrypts the private key and will prompt for a passphrase.

It should be possible to do that with one command but there's a bug at present
preventing it.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
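The message stops at key generation. As an added example (not part of the original message and not OpenSSL project code), the functions below carry the same procedure through to a self-signed EC certificate and check that the certificate really carries the key that was generated. The curve prime256v1, the file names, the subject CN=localhost and the 30-day lifetime are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: EC key -> self-signed certificate -> verification.
# Assumed values (not from the message): prime256v1, eckey.pem/eccert.pem,
# CN=localhost, 30 days. The key is written unencrypted, which suits a
# throwaway test server only.

# make_ec_cert DIR [CURVE]: writes DIR/eckey.pem and DIR/eccert.pem.
make_ec_cert() {
    dir=$1
    curve=${2:-prime256v1}

    # Refuse curves this OpenSSL build does not list (see -list_curves above).
    openssl ecparam -list_curves | grep -q "^ *$curve *:" || {
        echo "curve $curve is not supported by this OpenSSL build" >&2
        return 1
    }

    # Named-curve private key; -noout keeps the parameter block out of the file.
    openssl ecparam -genkey -name "$curve" -noout -out "$dir/eckey.pem" || return 1

    # Self-signed certificate whose subject public key is the EC key.
    openssl req -new -x509 -key "$dir/eckey.pem" -sha256 -days 30 \
        -subj "/CN=localhost" -out "$dir/eccert.pem" || return 1
}

# cert_matches_key DIR: succeeds only if the public key inside the
# certificate equals the public key derived from the private key file.
cert_matches_key() {
    dir=$1
    cert_pub=$(openssl x509 -in "$dir/eccert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/eckey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# cert_key_type DIR: prints the certificate's "Public Key Algorithm" line.
cert_key_type() {
    openssl x509 -in "$1/eccert.pem" -noout -text | grep "Public Key Algorithm"
}
```

Run `make_ec_cert . && cert_matches_key . && cert_key_type .` in an empty directory; the resulting pair can then be given to s_server through its -cert and -key options in place of 'nocert'.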