RE: ECDH-RSA and TLS 1.2
Just for everyone's benefit, there is a bug in OpenSSL that prevents ECDH-RSA cipher suites to be negotiated and this has been fixed in the latest stable snapshot. For all the folks who recommends that ECDH-RSA and ECDH-ECDSA cipher suites should not be supported, can you point to literature that specifically recommends not using these cipher suites - I understand the principle of forward secrecy but why is it such a big concern for ECDH key exchange and not for RSA key exchange? And does OpenSSL provide any mitigation for this apparent weakness of ECDH using static keys. Thanks Abhi From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of Jakob Bohm [jb-open...@wisemo.com] Sent: Tuesday, November 06, 2012 1:34 AM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On 11/5/2012 1:37 AM, Jeffrey Walton wrote: On Sun, Nov 4, 2012 at 7:15 PM, jb-open...@wisemo.com wrote: On 02-11-2012 21:46, Jeffrey Walton wrote: On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm jb-open...@wisemo.com wrote: (continuing TOFU posting to keep the thread somewhat consistent) Given some of the mathematical restrictions on parameters needed to keep DSA and ECDSA safe from attackers, I don't think using the same private key for ECDSA and ECDH is a good/safe idea. However I am not a genius cryptanalyst, so I cannot guarantee that this is really dangerous, it is just a somewhat educated guess. Not at all - its good advice. Its called Key Separation, and its covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I usually see folks trying to use the same key for signing and encryption. This is a slight twist in that they want to do signing and agreement. The HAC is available for free online at http://cacr.uwaterloo.ca/hac/. I am aware of the general principle, but that is not my point at all. My point is that the very specific math of DSA signatures may enable specific attacks if the same key pair is used as a static DH key. Information on this possibility (or its absence) is obscured by replies like yours (and by similar general statements in official Government materials from NIST etc.). My apologies. I was not aware I was obscuring results. It was not my intention. The OpenSSL list is a good list, but its OpenSSL implementation oriented. As such, its not the best place to ask number theoretic questions. To get your question answered, I would encourage you to ask on an appropriate list; or visit a university and talk to someone in the math department or teaching cryptography. (I still keep in touch with my former crypto instructor, so I would simply send an email). As far as I know, there are three such lists. First you can ask on Usenet's sci.crypt. Second, you can ask on Usenet's sci.math. I see David Wagner patrolling sic.crypt on occasion. Both of these lists will require you to wade though copious amounts of spam. Third, you can try Jack Llyod's Cryptography mailing list at http://lists.randombit.net/mailman/listinfo. Jack is the author of Botan, and a lot of first class crypto folks are active on his list, such as Jon Callas and Peter Guttman. I have omitted a number of influential and helpful folks, so please don't take offense if I did not name your favorite cryptographer. For what its worth, I don't think this is a conspiracy or a concerted effort to suppress your knowledge. It is not as much my question as an uncertain basis for my reply to an OpenSSL user about why his OpenSSL related software seems to prevent him from doing this possibly dangerous thing. As I would probably not try to do that myself anyway, I am not that interested in the mathematical proving or disproving of the actual existence of the risk. It was simply a caveat emptor attached to my advice. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDH-RSA and TLS 1.2
On 11/5/2012 1:37 AM, Jeffrey Walton wrote: On Sun, Nov 4, 2012 at 7:15 PM, jb-open...@wisemo.com wrote: On 02-11-2012 21:46, Jeffrey Walton wrote: On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm jb-open...@wisemo.com wrote: (continuing TOFU posting to keep the thread somewhat consistent) Given some of the mathematical restrictions on parameters needed to keep DSA and ECDSA safe from attackers, I don't think using the same private key for ECDSA and ECDH is a good/safe idea. However I am not a genius cryptanalyst, so I cannot guarantee that this is really dangerous, it is just a somewhat educated guess. Not at all - its good advice. Its called Key Separation, and its covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I usually see folks trying to use the same key for signing and encryption. This is a slight twist in that they want to do signing and agreement. The HAC is available for free online at http://cacr.uwaterloo.ca/hac/. I am aware of the general principle, but that is not my point at all. My point is that the very specific math of DSA signatures may enable specific attacks if the same key pair is used as a static DH key. Information on this possibility (or its absence) is obscured by replies like yours (and by similar general statements in official Government materials from NIST etc.). My apologies. I was not aware I was obscuring results. It was not my intention. The OpenSSL list is a good list, but its OpenSSL implementation oriented. As such, its not the best place to ask number theoretic questions. To get your question answered, I would encourage you to ask on an appropriate list; or visit a university and talk to someone in the math department or teaching cryptography. (I still keep in touch with my former crypto instructor, so I would simply send an email). As far as I know, there are three such lists. First you can ask on Usenet's sci.crypt. Second, you can ask on Usenet's sci.math. I see David Wagner patrolling sic.crypt on occasion. Both of these lists will require you to wade though copious amounts of spam. Third, you can try Jack Llyod's Cryptography mailing list at http://lists.randombit.net/mailman/listinfo. Jack is the author of Botan, and a lot of first class crypto folks are active on his list, such as Jon Callas and Peter Guttman. I have omitted a number of influential and helpful folks, so please don't take offense if I did not name your favorite cryptographer. For what its worth, I don't think this is a conspiracy or a concerted effort to suppress your knowledge. It is not as much my question as an uncertain basis for my reply to an OpenSSL user about why his OpenSSL related software seems to prevent him from doing this possibly dangerous thing. As I would probably not try to do that myself anyway, I am not that interested in the mathematical proving or disproving of the actual existence of the risk. It was simply a caveat emptor attached to my advice. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDH-RSA and TLS 1.2 [AESGCM]
On Fri, Nov 02, 2012, Dave Thompson wrote: From: owner-openssl-us...@openssl.org On Behalf Of Abhiram Shandilya Sent: Thursday, 01 November, 2012 21:31 -dev added I configured my openssl RSA CA to add the key usage extension for key agreement to the ECC certificate but even then it does not work. Pre-TLS 1.2 cipher suites such as ECDH-RSA-AES128-SHA work fine but just not the TLS 1.2 cipher suites with AESGCM. Looks like a bug to me. (1.0.1c) s3_lib.c ciphers C031 and C032 have kECDHe when it appears they should have kECDHr . Should be fixed by this: http://cvs.openssl.org/chngview?cn=22562 just hasn't made it into a release yet. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDH-RSA and TLS 1.2
On 02-11-2012 21:46, Jeffrey Walton wrote: On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm jb-open...@wisemo.com wrote: (continuing TOFU posting to keep the thread somewhat consistent) Given some of the mathematical restrictions on parameters needed to keep DSA and ECDSA safe from attackers, I don't think using the same private key for ECDSA and ECDH is a good/safe idea. However I am not a genius cryptanalyst, so I cannot guarantee that this is really dangerous, it is just a somewhat educated guess. Not at all - its good advice. Its called Key Separation, and its covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I usually see folks trying to use the same key for signing and encryption. This is a slight twist in that they want to do signing and agreement. The HAC is available for free online at http://cacr.uwaterloo.ca/hac/. I am aware of the general principle, but that is not my point at all. My point is that the very specific math of DSA signatures may enable specific attacks if the same key pair is used as a static DH key. Information on this possibility (or its absence) is obscured by replies like yours (and by similar general statements in official Government materials from NIST etc.). DSA/ECDSA is an algorithm which (like DES) is engineered on the edge, such that almost any modification is unlikely to improve security, and in fact likely to undermine it. And unlike PKCS#1 RSA operations, there is very little in the design which limits the ability of an attacker to use one operation (DH exchange) to help break another (DSA signature) or the other way round. On 11/2/2012 9:06 PM, Abhiram Shandilya wrote: I thought the keys in ECC certificates can be used for both ECDH key agreement and ECDSA digital signature. -Original Message- From: Erik Tkal Sent: Friday, November 02, 2012 8:24 AM To: openssl-users@openssl.org Subject: RE: ECDH-RSA and TLS 1.2 What if the server has an ECDH certificate? Would that then be the appropriate set of suites? -Original Message- From: Dr. Stephen Henson Sent: Thursday, November 01, 2012 10:38 PM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On Fri, Nov 02, 2012, Abhiram Shandilya wrote: Hi Steve, Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why? Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key. -- Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10 call:+4531131610 This message is only for its intended recipient, delete if misaddressed. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDH-RSA and TLS 1.2
On Sun, Nov 4, 2012 at 7:15 PM, jb-open...@wisemo.com wrote: On 02-11-2012 21:46, Jeffrey Walton wrote: On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm jb-open...@wisemo.com wrote: (continuing TOFU posting to keep the thread somewhat consistent) Given some of the mathematical restrictions on parameters needed to keep DSA and ECDSA safe from attackers, I don't think using the same private key for ECDSA and ECDH is a good/safe idea. However I am not a genius cryptanalyst, so I cannot guarantee that this is really dangerous, it is just a somewhat educated guess. Not at all - its good advice. Its called Key Separation, and its covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I usually see folks trying to use the same key for signing and encryption. This is a slight twist in that they want to do signing and agreement. The HAC is available for free online at http://cacr.uwaterloo.ca/hac/. I am aware of the general principle, but that is not my point at all. My point is that the very specific math of DSA signatures may enable specific attacks if the same key pair is used as a static DH key. Information on this possibility (or its absence) is obscured by replies like yours (and by similar general statements in official Government materials from NIST etc.). My apologies. I was not aware I was obscuring results. It was not my intention. The OpenSSL list is a good list, but its OpenSSL implementation oriented. As such, its not the best place to ask number theoretic questions. To get your question answered, I would encourage you to ask on an appropriate list; or visit a university and talk to someone in the math department or teaching cryptography. (I still keep in touch with my former crypto instructor, so I would simply send an email). As far as I know, there are three such lists. First you can ask on Usenet's sci.crypt. Second, you can ask on Usenet's sci.math. I see David Wagner patrolling sic.crypt on occasion. Both of these lists will require you to wade though copious amounts of spam. Third, you can try Jack Llyod's Cryptography mailing list at http://lists.randombit.net/mailman/listinfo. Jack is the author of Botan, and a lot of first class crypto folks are active on his list, such as Jon Callas and Peter Guttman. I have omitted a number of influential and helpful folks, so please don't take offense if I did not name your favorite cryptographer. For what its worth, I don't think this is a conspiracy or a concerted effort to suppress your knowledge. Jeff __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: ECDH-RSA and TLS 1.2
What if the server has an ECDH certificate? Would that then be the appropriate set of suites? Erik Tkal Juniper OAC/UAC/Pulse Development -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Thursday, November 01, 2012 10:38 PM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On Fri, Nov 02, 2012, Abhiram Shandilya wrote: Hi Steve, Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why? Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDH-RSA and TLS 1.2
Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key. ECDHE cipher suites as implemented in OpenSSL don't necessarily support forward secrecy either. I wonder what it takes to get SSL_OP_SINGLE_ECDH_USE option by default in the code base? BBB __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: ECDH-RSA and TLS 1.2
I thought the keys in ECC certificates can be used for both ECDH key agreement and ECDSA digital signature. -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Erik Tkal Sent: Friday, November 02, 2012 8:24 AM To: openssl-users@openssl.org Subject: RE: ECDH-RSA and TLS 1.2 What if the server has an ECDH certificate? Would that then be the appropriate set of suites? Erik Tkal Juniper OAC/UAC/Pulse Development -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Thursday, November 01, 2012 10:38 PM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On Fri, Nov 02, 2012, Abhiram Shandilya wrote: Hi Steve, Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why? Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDH-RSA and TLS 1.2
(continuing TOFU posting to keep the thread somewhat consistent) Given some of the mathematical restrictions on parameters needed to keep DSA and ECDSA safe from attackers, I don't think using the same private key for ECDSA and ECDH is a good/safe idea. However I am not a genius cryptanalyst, so I cannot guarantee that this is really dangerous, it is just a somewhat educated guess. On 11/2/2012 9:06 PM, Abhiram Shandilya wrote: I thought the keys in ECC certificates can be used for both ECDH key agreement and ECDSA digital signature. -Original Message- From: Erik Tkal Sent: Friday, November 02, 2012 8:24 AM To: openssl-users@openssl.org Subject: RE: ECDH-RSA and TLS 1.2 What if the server has an ECDH certificate? Would that then be the appropriate set of suites? -Original Message- From: Dr. Stephen Henson Sent: Thursday, November 01, 2012 10:38 PM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On Fri, Nov 02, 2012, Abhiram Shandilya wrote: Hi Steve, Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why? Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. http://www.wisemo.com Transformervej 29, 2730 Herlev, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDH-RSA and TLS 1.2
On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm jb-open...@wisemo.com wrote: (continuing TOFU posting to keep the thread somewhat consistent) Given some of the mathematical restrictions on parameters needed to keep DSA and ECDSA safe from attackers, I don't think using the same private key for ECDSA and ECDH is a good/safe idea. However I am not a genius cryptanalyst, so I cannot guarantee that this is really dangerous, it is just a somewhat educated guess. Not at all - its good advice. Its called Key Separation, and its covered in the Handbook of Applied Cryptography (HAC), Chapter 13. I usually see folks trying to use the same key for signing and encryption. This is a slight twist in that they want to do signing and agreement. The HAC is available for free online at http://cacr.uwaterloo.ca/hac/. Jeff On 11/2/2012 9:06 PM, Abhiram Shandilya wrote: I thought the keys in ECC certificates can be used for both ECDH key agreement and ECDSA digital signature. -Original Message- From: Erik Tkal Sent: Friday, November 02, 2012 8:24 AM To: openssl-users@openssl.org Subject: RE: ECDH-RSA and TLS 1.2 What if the server has an ECDH certificate? Would that then be the appropriate set of suites? -Original Message- From: Dr. Stephen Henson Sent: Thursday, November 01, 2012 10:38 PM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On Fri, Nov 02, 2012, Abhiram Shandilya wrote: Hi Steve, Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why? Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: ECDH-RSA and TLS 1.2 [AESGCM]
From: owner-openssl-us...@openssl.org On Behalf Of Abhiram Shandilya Sent: Thursday, 01 November, 2012 21:31 -dev added I configured my openssl RSA CA to add the key usage extension for key agreement to the ECC certificate but even then it does not work. Pre-TLS 1.2 cipher suites such as ECDH-RSA-AES128-SHA work fine but just not the TLS 1.2 cipher suites with AESGCM. Looks like a bug to me. (1.0.1c) s3_lib.c ciphers C031 and C032 have kECDHe when it appears they should have kECDHr . __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDH-RSA and TLS 1.2
On Thu, Nov 01, 2012, Abhiram Shandilya wrote: I ran openssl s_server with an ECC certificate signed by an RSA Root CA. When I try to connect using s_client and a TLS 1.2 ECDH-RSA cipher suite (eg ECDH-RSA-AES128-SHA256 or ECDH-RSA-AES128-GCM-SHA256), the connection fails with s_server printing the following error: 3086918464:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353:. Can someone please tell me why this doesn't work? Here are the commands I used: Starting s_server: openssl s_server -accept 4433 -key ./key.pem -cert cert.pem Connecting with s_client: openssl s_client -connect localhost:4433 -cipher ECDH-RSA-AES128-SHA256 You probably don't want ECDH-RSA-AES128-SHA256 as it is a fixed ECDH ciphersuite (if you do you need to use an appropriate curve in the EE certificate and include key agreement in the key usage extension, if present). You should try ECDHE-ECDSA-AES128-SHA256 which uses ephemeral ECDH. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: ECDH-RSA and TLS 1.2
Hi Steve, Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why? I configured my openssl RSA CA to add the key usage extension for key agreement to the ECC certificate but even then it does not work. Pre-TLS 1.2 cipher suites such as ECDH-RSA-AES128-SHA work fine but just not the TLS 1.2 cipher suites with AESGCM. Thanks Abhi -Original Message- From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Thursday, November 01, 2012 4:40 AM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On Thu, Nov 01, 2012, Abhiram Shandilya wrote: I ran openssl s_server with an ECC certificate signed by an RSA Root CA. When I try to connect using s_client and a TLS 1.2 ECDH-RSA cipher suite (eg ECDH-RSA-AES128-SHA256 or ECDH-RSA-AES128-GCM-SHA256), the connection fails with s_server printing the following error: 3086918464:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353:. Can someone please tell me why this doesn't work? Here are the commands I used: Starting s_server: openssl s_server -accept 4433 -key ./key.pem -cert cert.pem Connecting with s_client: openssl s_client -connect localhost:4433 -cipher ECDH-RSA-AES128-SHA256 You probably don't want ECDH-RSA-AES128-SHA256 as it is a fixed ECDH ciphersuite (if you do you need to use an appropriate curve in the EE certificate and include key agreement in the key usage extension, if present). You should try ECDHE-ECDSA-AES128-SHA256 which uses ephemeral ECDH. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: ECDH-RSA and TLS 1.2
On Fri, Nov 02, 2012, Abhiram Shandilya wrote: Hi Steve, Thanks for your response. I'm just trying to figure out what it takes to get this working - are you of the opinion that an SSL server should not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why? Well one reason is that the fixed ECDH cipher suites do not support forward secrecy because they always use the same ECDH key. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
ECDH-RSA and TLS 1.2
I ran openssl s_server with an ECC certificate signed by an RSA Root CA. When I try to connect using s_client and a TLS 1.2 ECDH-RSA cipher suite (eg ECDH-RSA-AES128-SHA256 or ECDH-RSA-AES128-GCM-SHA256), the connection fails with s_server printing the following error: 3086918464:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353:. Can someone please tell me why this doesn't work? Here are the commands I used: Starting s_server: openssl s_server -accept 4433 -key ./key.pem -cert cert.pem Connecting with s_client: openssl s_client -connect localhost:4433 -cipher ECDH-RSA-AES128-SHA256 Thanks Abhi