On 09/01/2020 20:22, logo wrote:
> Mark,
> 
>> Am 09.01.2020 um 20:36 schrieb Mark Thomas <ma...@apache.org>:
>>
>> On 02/01/2020 09:24, logo wrote:
>>
>> <snip/>
>>
>>> The connector comes up correctly, is accessible through the browser but if 
>>> I test the ssl setup, I get an error message that the key/cert may not be 
>>> used for "Key agreement"
>>>
>>> See:
>>> testssl.sh <tomcat>:8443
>>>
>>> Signature Algorithm          ECDSA with SHA256
>>> Server key size              EC 256 bits
>>> Server key usage             Digital Signature, Key Encipherment
>>>                              Certificate incorrectly used for key agreement
>>> Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
> 
> The key usage error is caused by identifying ECDH_RSA ciphers on the 
> connector… (most certainly an unexpected edge case, I’ve debugged it that 
> far). That should not be the case - as it is an ECDSA Cert, right?

I don't think so.

I'm seeing ECDH/RSA ciphers in the output and I am not getting that warning.

My reading of a couple of questions on stack exchange suggests RSA vs
DSA ciphers depends on how the CA signs the cert. My test CA signs with RSA.

Key usage and extended key usage are properties of the certificate. My
understanding is that the cipher doesn't play a role here.

Mark
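
The key usage line in the testssl.sh output above is a decoded view of the certificate's keyUsage extension, a DER BIT STRING. The following added example (not code from the thread, Tomcat or testssl.sh) decodes that bit string and reports whether the usage a key-exchange family relies on is asserted; the `REQUIRED_USAGE` mapping is a simplified assumption, and the sample bytes are constructed to match the reported "Digital Signature, Key Encipherment".

```python
# keyUsage bit names in RFC 5280 order (section 4.2.1.3); bit 0 is the
# most significant bit of the first content byte.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign",
    "cRLSign", "encipherOnly", "decipherOnly",
]

# Assumption for this example: the usage each key-exchange family needs from
# the server certificate's key. Only the usage bit is checked, not key type.
REQUIRED_USAGE = {
    "RSA": "keyEncipherment",          # RSA key transport
    "ECDHE_RSA": "digitalSignature",   # ephemeral ECDH, signed by server key
    "ECDHE_ECDSA": "digitalSignature",
    "ECDH_RSA": "keyAgreement",        # static ECDH
    "ECDH_ECDSA": "keyAgreement",      # static ECDH
}

def decode_key_usage(der):
    """Return the usage names set in a DER-encoded keyUsage BIT STRING."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unexpected length encoding")
    unused, data = der[2], der[3:]
    if unused > 7 or (unused and not data):
        raise ValueError("bad unused-bits count")
    total_bits = len(data) * 8 - unused
    return [
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < total_bits and data[i // 8] & (0x80 >> (i % 8))
    ]

def usable_families(der):
    """Map each key-exchange family to whether its required usage is set."""
    usages = set(decode_key_usage(der))
    return {fam: need in usages for fam, need in REQUIRED_USAGE.items()}

# Constructed sample: BIT STRING with bits 0 and 2 set
# (digitalSignature, keyEncipherment), 5 unused trailing bits.
SAMPLE = bytes.fromhex("030205a0")

if __name__ == "__main__":
    print(decode_key_usage(SAMPLE))
    for family, ok in usable_families(SAMPLE).items():
        print(f"{family:12} {'ok' if ok else 'usage not asserted'}")
```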
