Thanks for the info! So, EC crypto uses standard curves, and temp ECDH parameters consist of a choice of one of these curves. After rereading the s_server documentation, I noticed the -named_curve option, and it seems to be equivalent to the -dhparam option for DH. That explains everything so far.
Is nistp256 the same as secp256k1? The s_server documentation (output of s_server -?) says that nistp256 is the default, but that exact name is not present in the output of ecparam -list_curves.

> 2011/7/1 yyy <y...@inbox.lv>:
>> Hello!
>>
>> s_server (and probably other TLS servers) requires ECDH parameters, if
>> using ECDH ciphersuites (probably similarly to DH parameters with DH
>> ciphersuites).
>> It seems that these are supposed to be generated using:
>> ecparam -name 'name_of_named_curve',
>> but this always generates the same output (it seems to be somehow encoded
>> name of that curve).
>
> Generating a curve (ie, 'domain parameters') can be tricky business
> due to point counting. In practice, one uses a standard curve observed
> by ANSI, IETF, IEEE, NIST, etc. For example,
> http://tools.ietf.org/html/rfc5349. If you want a custom curve, I
> recommend a tool such as Marcel Martin's Elliptic Curve Builder (ECB).
>
> A private key (and public) are selected once domain parameters have
> been chosen. The private key is 'x' or 'd' (a multiplier), which
> results in a public key 'Q' (a point). The relationship is Q = x*G,
> where G is the base point.
>
>> DH parameters contained randomly changing data. ECDH, for key exchange, only
>> needs specified curve and nothing else?
>
> During key establishment, ephemeral keys (throw away public and
> private keys) will be used.
>
> If you want to generate a private key, try:
> $ openssl ecparam -name secp256k1 -genkey -param_enc explicit -outform DER -out ec-openssl.der
>
> To get the public key:
> $ openssl ecparam -param_enc explicit -name secp256k1 -genkey -outform PEM -out ec-openssl.pem
> $ openssl ec -param_enc explicit -inform PEM -in ec-openssl.pem -pubout -outform DER -out ec-openssl.der
>
> Jeff

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
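Added example, not part of the original messages and not OpenSSL code: a small Python decoder showing why `ecparam -name` output never changes. In named-curve form the EC PARAMETERS block is only the DER-encoded OID of the curve, so there is nothing random to generate. The two PEM bodies are constructed here from the curves' registered OIDs, and the function names are hypothetical.

```python
import base64

# Constructed sample input: named-curve EC PARAMETERS blocks built from the
# registered OIDs (prime256v1 is OpenSSL's name for NIST P-256).
SAMPLES = {
    "prime256v1": "-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n"
                  "-----END EC PARAMETERS-----\n",
    "secp256k1": "-----BEGIN EC PARAMETERS-----\nBgUrgQQACg==\n"
                 "-----END EC PARAMETERS-----\n",
}


def pem_body(pem: str) -> bytes:
    """Strip the PEM armour and return the raw DER bytes."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN") or not lines[-1].startswith("-----END"):
        raise ValueError("not a PEM block")
    return base64.b64decode("".join(lines[1:-1]))


def decode_named_curve(der: bytes) -> str:
    """Return the dotted OID when the parameters are a bare OBJECT IDENTIFIER."""
    if len(der) < 3 or der[0] != 0x06:
        # Explicit parameters (-param_enc explicit) are a SEQUENCE, tag 0x30.
        raise ValueError("not a named curve")
    if der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("unexpected length encoding")
    body = der[2:]
    if body[-1] & 0x80:
        raise ValueError("truncated OID")
    # The first byte packs the first two arcs as 40 * arc1 + arc2.
    arc1 = min(body[0] // 40, 2)
    arcs = [arc1, body[0] - 40 * arc1]
    value = 0
    for byte in body[1:]:
        # Remaining arcs are base-128, high bit set on all but the last byte.
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


if __name__ == "__main__":
    for name, pem in SAMPLES.items():
        print(name, "->", decode_named_curve(pem_body(pem)))
```

The two curves decode to different OIDs, and a block written with `-param_enc explicit` is rejected by this decoder because it carries the full domain parameters instead of an OID.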