Re: ECC Usage - using OpenSSL as the server and/or client

Fri, 11 Jan 2008 08:16:03 -0800 

Victor Duchovni wrote:


OpenSSL s_server is a test tool, not an application.


openssl the program, as built in the 'apps' directory of the openssl
source tree, is a test tool APPLICATION that has been used for almost

a decade to debug and interop test other (mostly commercial) TLS 
implementations.



In 0.9.9 snapshot
builds, s_server support ECDSA, just point your cert and key files
at an ECDSA cert and private key. I have not checked whether it has a
command-line option to select an EECDH curve, but this is not important.


It's critical.  If you can't test it it doesn't exist.  You have to
test it before a development team can soundly claim they test
any pair of interoperating implementations.



I only use OpenSSL, I have working code, slated for Postfix 2.6 in Q1
'09, that allows the SMTP server administrator enable EECDH and allows
clients and servers to configure of a third cert/key pair (presumably
ECDSA). With this, Postfix 2.6 will be able to do EECDH key exchange
and ECDSA authentication.


cool.  what does it talk to?  if it only talks to postfix, I would
call that a terribly good first step and a wonderful basis for someone
to explore ECC/TLS interoperability with Sendmail and Exchange.



It may be some time before the first public CA signs an ECDSA cert
(especially with an ECDSA CA cert).


agreed.  the vendors don't seem to care.

 However, with private-label CAs,

or bilateral key exchange, the EC support in OpenSSL works now when
both the server and client run OpenSSL.


TLS support in email systems with no public certificate system to
support it will be at least as sketchy as the current sorry state
of affairs where nobody cares about the signature on their RSA certs :-(
Hopefully the CA engine vendors (that'd be Oracle, Entrust, Microsoft,
and others...) will wake up and figure this out.


I don't have access to other
implementations for interop testing.



that's ok.  someday someone like me will do a product review of 
someone's ECC/TLS/SMTP product and make sure it gets tested...

if we're all really lucky some commercial enterprise will make sure
it gets tested and the feedback is properly available in the open source
community.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]






















					Reply via email to