All,
On 1/9/20 3:45 PM, Christopher Schultz wrote:
> Mark and Peter,
>
> On 1/9/20 3:36 PM, Mark Thomas wrote:
>> On 09/01/2020 20:22, logo wrote:
>>> Mark,
>>>
>>>> On 09.01.2020 at 20:36, Mark Thomas <ma...@apache.org> wrote:
>>>>
>>>> On 02/01/2020 09:24, logo wrote:
>>>>
>>>> <snip/>
>>>>
>>>>> The connector comes up correctly, is accessible through
>>>>> the browser but if I test the SSL setup, I get an error
>>>>> message that the key/cert may not be used for "Key
>>>>> agreement"
>>>>>
>>>>> See: testssl.sh <tomcat>:8443
>>>>>
>>>>> Signature Algorithm        ECDSA with SHA256
>>>>> Server key size            EC 256 bits
>>>>> Server key usage           Digital Signature, Key Encipherment  Certificate incorrectly used for key agreement
>>>>> Server extended key usage  TLS Web Server Authentication, TLS Web Client Authentication
>>>
>>> The key usage error is caused by identifying ECDH_RSA ciphers
>>> on the connector… (most certainly an unexpected edge case,
>>> I’ve debugged it that far). That should not be the case - as it
>>> is an ECDSA Cert, right?
>
>> I don't think so.
>
>> I'm seeing ECDH/RSA ciphers in the output and I am not getting
>> that warning.
>
>> My reading of a couple of questions on Stack Exchange suggests
>> RSA vs DSA ciphers depends on how the CA signs the cert. My test
>> CA signs with RSA.
>
> DSA is almost never used. Nearly 100% of keys in the world are
> plain-RSA or EC. I know of no CA that uses DSA for signing. So
> pretty much every cert you will come across will be EC-with-RSA or
> RSA-with-RSA (that's keytype-with-signature-type).

Obviously, the above is a mixture of half-truths and irrelevant
information. I was thinking of RSA versus DSA keys, not ECDSA as a
signature algorithm in its own right.

Carry on...
-chris
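As an added illustration of the key-usage point in the thread above (example code, not from the thread, testssl.sh or Tomcat): a check of which TLS 1.2 cipher suites a server certificate can actually serve, given its key type and KeyUsage bits. It assumes IANA/JSSE suite names as used in a Tomcat connector, and the mapping follows RFC 5246 and RFC 8422: static RSA needs keyEncipherment, (EC)DHE suites need digitalSignature, and static ECDH_* suites use the certificate's EC key as the key-agreement share, so they need keyAgreement. Applied to the certificate from the thread (EC key, Digital Signature + Key Encipherment) and a constructed connector list, it flags exactly the ECDH_RSA suite.

```python
import re
# KeyUsage bits the server certificate's key must carry for each TLS 1.2
# key-exchange method (RFC 5246 sect. 7.4.2, RFC 8422 sect. 5.3).
REQUIRED_KEY_USAGE = {
    "RSA": {"keyEncipherment"},           # static RSA key exchange
    "DHE_RSA": {"digitalSignature"},      # cert key signs the DH share
    "ECDHE_RSA": {"digitalSignature"},
    "ECDHE_ECDSA": {"digitalSignature"},
    "ECDH_RSA": {"keyAgreement"},         # static ECDH: cert key IS the share
    "ECDH_ECDSA": {"keyAgreement"},
}
# Public-key type the certificate must hold for each method.
REQUIRED_KEY_TYPE = {
    "RSA": "RSA", "DHE_RSA": "RSA", "ECDHE_RSA": "RSA",
    "ECDHE_ECDSA": "EC", "ECDH_RSA": "EC", "ECDH_ECDSA": "EC",
}
_KX = re.compile(r"^TLS_(ECDHE_ECDSA|ECDHE_RSA|ECDH_ECDSA|ECDH_RSA|DHE_RSA|RSA)_WITH_")

def key_exchange(suite):
    """Key-exchange method of an IANA/JSSE suite name, or None when the
    name does not encode one (TLS 1.3 suites, unknown names)."""
    m = _KX.match(suite)
    return m.group(1) if m else None

def check_suites(key_type, key_usage, suites):
    """Return (suite, reason) for every suite this certificate cannot serve."""
    problems = []
    for suite in suites:
        kx = key_exchange(suite)
        if kx is None:
            continue  # nothing to decide from the name alone
        if REQUIRED_KEY_TYPE[kx] != key_type:
            problems.append((suite, f"needs {REQUIRED_KEY_TYPE[kx]} key, cert has {key_type}"))
            continue
        missing = REQUIRED_KEY_USAGE[kx] - set(key_usage)
        if missing:
            problems.append((suite, "key usage lacks " + ", ".join(sorted(missing))))
    return problems

def thread_example():
    """The thread's certificate (EC key, Digital Signature + Key Encipherment)
    against a constructed connector list that includes an ECDH_RSA suite."""
    suites = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
              "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
              "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]
    return check_suites("EC", {"digitalSignature", "keyEncipherment"}, suites)

if __name__ == "__main__":
    for suite, reason in thread_example():
        print(suite, "->", reason)
```

The check looks only at key type and KeyUsage; the separate requirement that an ECDH_RSA suite be backed by an RSA-signed certificate (and ECDH_ECDSA by an ECDSA-signed one) is not checked here.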