Dave,
Thank you for your kind help, I really appreciate it.

I forgot to mention in my last email, which showed the results
of the crash, that it was running s_client.

Thanks again,

-Mike

--- On Wed, 9/30/09, Dave Thompson <dave.thomp...@princetonpayments.com> wrote:

> From: Dave Thompson <dave.thomp...@princetonpayments.com>
> Subject: RE: trying to understand ECDHE operations
> To: openssl-users@openssl.org
> Date: Wednesday, September 30, 2009, 5:53 PM
> > From: owner-openssl-us...@openssl.org On Behalf Of Michael D
> > Sent: Wednesday, 30 September, 2009 13:12
> (superseding previous, I assume)
> 
> > Ok, I reran my tests again...This time I added the
> > -named_curve parameter...and do indeed get 50 byte key for
> > the prime192v1 curve.
> >
> > However, if I run the server with my certificate and key, the
> > client crashes processing the certificate.
> > 
> s_client or something else? can you narrow it down? 
> 
> > One more question.  If the public key is in the certificate,
> > why does the server send a server key exchange?
> > 
> ECDHE = Elliptic Curve Diffie-Hellman EPHEMERAL 
> 
> Like DHE = Diffie-Hellman Ephemeral, both parties choose
> per-session(handshake) DH keypairs X,Y. Server sends Ys
> in ServerKeyExchange, client sends Yc in ClientKeyExchange.
> The only difference is DHE uses Z_p, ECDHE uses elliptic.
> The key in the cert is used only for authentication (signing).
>
> Static aka fixed ECDH (or DH) does use the certified key as the
> server part of key agreement. Client similarly if client auth
> i.e. cert is used, which it usually isn't; but even though that
> gives a fixed (EC)DH result, SSL still makes the session keys
> unique by adding per-session/handshake nonces.
> 
> 
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
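
Added example (not part of the thread and not OpenSSL code): a standard-library Python sketch of the distinction explained in the quoted reply, ephemeral versus static ECDH on prime192v1, including the nonces that keep session keys unique when the ECDH result is fixed. The function names, the affine double-and-add arithmetic and the SHA-256 stand-in for the TLS PRF are assumptions made for illustration.

```python
# Added illustration: ECDHE vs. static ECDH on prime192v1 (P-192).
# Affine double-and-add is NOT constant-time; names here are hypothetical.
import hashlib
import secrets

# prime192v1 / secp192r1 domain parameters (a = -3)
P = 2**192 - 2**64 - 1
A = P - 3
G = (0x188DA80EB03090F67CBF20EB43A18800F4FF0AFD82FF1012,
     0x07192B95FFC8DA78631011ED6B24CDD573F977A11E794811)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFF99DEF836146BC9B1B4D22831  # order of G

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def keypair():
    d = secrets.randbelow(N - 1) + 1  # private scalar in [1, N-1]
    return d, mul(d, G)

def handshake(server_static=None, client_static=None):
    """Static keypair given -> fixed (certified) key; None -> ephemeral key."""
    ds, Ys = server_static or keypair()  # Ys travels in ServerKeyExchange when ephemeral
    dc, Yc = client_static or keypair()  # Yc travels in ClientKeyExchange when ephemeral
    z_client = mul(dc, Ys)[0].to_bytes(24, "big")  # x-coordinate of dc*Ys
    z_server = mul(ds, Yc)[0].to_bytes(24, "big")  # x-coordinate of ds*Yc
    nonces = secrets.token_bytes(32) + secrets.token_bytes(32)  # client + server random
    # SHA-256 stands in for the TLS PRF (assumption, to stay stdlib-only)
    return z_client, z_server, hashlib.sha256(z_client + nonces).digest()
```

Calling `handshake()` twice gives two different shared secrets, while `handshake(srv, cli)` with the same two static keypairs repeats the shared secret and still returns a different session key each time.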
