I thought the keys in ECC certificates can be used for both ECDH key agreement 
and ECDSA digital signature.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Erik Tkal
Sent: Friday, November 02, 2012 8:24 AM
To: openssl-users@openssl.org
Subject: RE: ECDH-RSA and TLS 1.2

What if the server has an ECDH certificate?  Would that then be the appropriate 
set of suites?

....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development


-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Thursday, November 01, 2012 10:38 PM
To: openssl-users@openssl.org
Subject: Re: ECDH-RSA and TLS 1.2

On Fri, Nov 02, 2012, Abhiram Shandilya wrote:

> Hi Steve, Thanks for your response. I'm just trying to figure out what 
> it takes to get this working - are you of the opinion that an SSL 
> server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also 
> mention why?
> 

Well one reason is that the fixed ECDH cipher suites do not support forward 
secrecy because they always use the same ECDH key.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
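
Added example, not part of the thread and not OpenSSL code: a model of the forward-secrecy point in the reply above, comparing a server that reuses its certificate key for every ECDH exchange with one that generates a fresh key per session. Assumptions: X25519 (RFC 7748) in pure Python stands in for the certificate's curve so the block runs on the standard library alone, and handshake(), exposed_sessions() and the wire dictionary are hypothetical names for this illustration.

```python
import hashlib
import secrets

P = 2**255 - 19                      # X25519 field prime (RFC 7748)
BASE = (9).to_bytes(32, "little")    # X25519 base point u = 9

def x25519(k, u):
    """RFC 7748 Montgomery ladder. Not constant-time: for illustration only."""
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def session_key(priv, peer_pub):
    return hashlib.sha256(x25519(priv, peer_pub)).digest()

def handshake(long_term, fixed):
    """Model one key exchange; returns (public values seen on the wire, session key)."""
    # Fixed ECDH: the certificate's key is the ECDH key in every session.
    # Ephemeral: a fresh key per session; the long-term key would only sign (omitted).
    server_priv = long_term if fixed else secrets.token_bytes(32)
    client_priv = secrets.token_bytes(32)
    wire = {"client_pub": x25519(client_priv, BASE), "server_pub": x25519(server_priv, BASE)}
    key = session_key(client_priv, wire["server_pub"])
    assert key == session_key(server_priv, wire["client_pub"])  # both sides agree
    return wire, key  # per-session private keys are discarded here

def exposed_sessions(fixed, sessions=3):
    """Count recorded sessions whose key is derivable once long_term leaks."""
    long_term = secrets.token_bytes(32)  # constructed key for the demo
    recorded = [handshake(long_term, fixed) for _ in range(sessions)]
    return sum(session_key(long_term, wire["client_pub"]) == key for wire, key in recorded)

if __name__ == "__main__":
    print("fixed ECDH, sessions exposed by key leak:", exposed_sessions(fixed=True))
    print("ephemeral ECDH, sessions exposed by key leak:", exposed_sessions(fixed=False))
```

With the fixed key every recorded session is exposed by a later key leak; with per-session keys none are, which is the property the ECDHE suites provide.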

