> -----Original Message-----
> From: Sander Temme [mailto:sctemme@xxxxxxxxxx]
>
> On Apr 8, 2007, at 7:47 PM, Takurou Saitou wrote:
>
> > $ ./openssl ciphers -v ECDHE-ECDSA-AES256-SHA
> > ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256)
> > Mac=SHA1
> > ----------------------------------------------------------------------
> > --------------------
> > --------------
> >
> > A version of OpenSSL using is 0.9.8e.
>
> See, that's strange. Without a thorough look at the actual code, I
> don't know which call we make to get the list of CipherSuites from
> OpenSSL. However, I wouldn't be surprised if we (Apache) would not
> pick up a cipher that was not in the list.
>
> If this is the case, the fact that your cipher is not in the list is
> a bug in OpenSSL and should be brought to their attention.
>
> >>
> >>> The following error occurred when I was going to use a certificate
> >>> of ECDSA in mod_ssl of Apache2.2.4 for trial.
> >>
> >> What is the value of your SSLCipherSuite directive in your
> >> configuration file?
> >
> > I appoint 'ECDHE-ECDSA-AES256-SHA' in 'SSLCipherSuite' directive
> > experimentally.
> >
> > The error that I showed by a previous email is given right after I
> > execute 'httpd -k
> > start'.
> > Therefore I think that it is a previous problem with CipherSuite of
> > ECDSA.
>
> Could you make sure that your Apache is linked against a library that
> supports the cipher, for instance on unix systems you could run
>
>     ldd /path/to/your/apache/bin/httpd
>
> and look at the entries for libcrypto.so.(...) and libssl.so.(...),
> and make sure they resolve to the right OpenSSL installation if you
> have more than one on your machine.

'httpd' is linked with a library of OpenSSL0.9.8e normally when I executed 'ldd'.

> How did you generate this certificate? If you could paste me the
> command sequence you used to generate the key and certificate, I can
> do some experimentation and see if I can reproduce your issue.
>
> Also, are you able to print the certificate using
>
>     openssl x509 -in yourcert.file -noout -text

I show below information of a certificate.
※ I omit information of DN.

---------------------------------------------
$ ./openssl x509 -in ecdsa_cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d9:7e:b1:ac:ca:db:78:b6
        Signature Algorithm: sha1WithRSAEncryption
(Omission)
        Validity
            Not Before: Mar 28 01:23:17 2007 GMT
            Not After : Mar 27 01:23:17 2008 GMT
(Omission)
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
            EC Public Key:
                pub:
                    04:48:8b:b5:bd:28:c3:be:02:d2:fe:e3:6a:41:93:
                    5f:ce:62:6f:09:50:65:07:cc:b4:75:98:06:4c:4c:
                    9c:40:4f:d6:46:46:2a:d6:ad:06:88:46:6e:0a:84:
                    71:85:fd:b2
                ASN1 OID: prime192v1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                32:49:F5:96:57:24:35:51:23:E4:97:0B:C5:15:08:AB:B7:9A:A8:8D
            X509v3 Authority Key Identifier:
                keyid:0C:A4:37:29:F1:2D:B7:15:05:18:2F:B3:42:56:75:EC:0F:50:AB:76
(Omission)
                serial:D9:7E:B1:AC:CA:DB:78:B5
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption
        5d:d2:df:87:85:a9:1e:3d:69:57:62:f3:01:74:23:26:2a:08:
        a3:f6:24:f5:7f:6e:ed:48:d2:d4:71:d3:cf:5b:99:8e:e6:88:
        d6:90:cd:53:cf:2b:4a:4b:3b:ff:57:61:69:aa:7c:cb:cf:22:
        c9:1d:fa:4f:3d:3e:c2:63:e0:e9:b6:c9:c1:36:3f:92:e2:62:
        5e:82:ea:aa:e6:75:bf:24:de:86:89:b9:5b:ea:5d:d9:ab:4c:
        77:80:df:b1:39:85:12:f2:0f:ac:5b:0e:cc:b3:09:c3:ef:60:
        3b:a2:1d:0a:fc:ff:13:71:1e:ce:f5:42:4e:d1:3f:2d:b1:c4:
        c9:f0
---------------------------------------------

In addition, when I set RSA private key in 'SSLCertificateKeyFile', and I set an RSA certificate file in 'SSLCertificateFile', 'httpd' is started normally.
Perhaps it is thought whether it is a problem of reading of a certificate of ECDSA in mod_ssl.

Thanks,
Takurou Saitou

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
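The thread compares two pieces of output by eye: the `Au=` field that `openssl ciphers -v` reports for the configured suite, and the `Public Key Algorithm` that `openssl x509 -text` reports for the certificate. The script below is an added example, not part of the original messages or of Apache/OpenSSL; it automates that comparison on the text quoted above. The function names are hypothetical and the RSA sample is constructed.

```shell
#!/bin/sh
# Added example: compare the authentication type a cipher suite needs
# with the key type in the server certificate, using the text that
# `openssl ciphers -v` and `openssl x509 -noout -text` print.

# Print the Au= field of one `openssl ciphers -v` line (empty if absent).
cipher_auth() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | sed -n 's/^Au=//p' | head -n 1
}

# Print the "Public Key Algorithm" value from `openssl x509 -text` output.
cert_key_alg() {
    printf '%s\n' "$1" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# Map an Au= value to the certificate key algorithm it requires.
required_key_alg() {
    case "$1" in
        ECDSA) echo id-ecPublicKey ;;
        RSA)   echo rsaEncryption ;;
        DSS)   echo dsaEncryption ;;
        *)     return 1 ;;   # empty, anonymous, PSK or other: not handled here
    esac
}

# Exit 0 when the certificate key type fits the suite, 1 on mismatch,
# 2 when either input could not be parsed (e.g. the suite was not listed).
suite_matches_cert() {
    au=$(cipher_auth "$1")
    want=$(required_key_alg "$au") || return 2
    have=$(cert_key_alg "$2")
    [ -n "$have" ] || return 2
    [ "$want" = "$have" ]
}

# Sample input copied from the thread (ciphers line re-joined, cert excerpted).
SUITE_LINE='ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1'
CERT_TEXT='        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                ASN1 OID: prime192v1'
# Constructed sample: the key-algorithm line of an RSA certificate.
RSA_CERT_TEXT='            Public Key Algorithm: rsaEncryption'

if suite_matches_cert "$SUITE_LINE" "$CERT_TEXT"; then
    echo "suite and certificate key type agree"
else
    echo "suite and certificate key type differ or could not be parsed"
fi
```

With live data, pass `"$(openssl ciphers -v "$suite")"` and `"$(openssl x509 -in cert.pem -noout -text)"` as the two arguments; an exit status of 2 covers the case where the suite is missing from the library's list.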