|
Rich-
Thanks for your reply. At this point I'm 99% sure I have ECDH with RSA working. My question in the previous post was just to confirm. But I have my RSA cert and key pair, and a client can successfully connect to my server using ECDHE_RSA* ciphers.
My questions are more related to ECDSA. For example, you said "just load your ECDSA cert", which is easy enough. My question is, is that all I need? For example, with DSA (which we don't really use anymore), I also needed a DH parameters file, which I read
in with PEM_read_DHparams(). Do I need to do something similar with "EC params" or "ECDSA params"? I've seen references to both, and I'm not sure if and when I need them.
As I pointed out, it looks like there are "EC PARAMETERS" in my private key file. Are these needed? If so, how and when do I use them? Or do I need them in a separate file?
From: Salz, Rich <rsalz@xxxxxxxxxx>
Sent: Tuesday, February 11, 2020 4:37 PM To: Jason Schultz <jetson23@xxxxxxxxxxx>; openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx> Subject: Re: Questions about using Elliptic Curve ciphers in OpenSSL The first thing I would suggest is to separate ECDH, the session key exchange, from ECDSA, the signature. Try to make ECDH with RSA work. Then just load your ECDSA cert; you can load one cert of each type (RSA DSA) and the runtime will figure out what to do, depending on what the client offers.
|
