RE: ECDH-RSA and TLS 1.2

2012-11-08 Thread Abhiram Shandilya
Abhi From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on behalf of Jakob Bohm [jb-open...@wisemo.com] Sent: Tuesday, November 06, 2012 1:34 AM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On 11/5/2012 1:37 AM, Je

Re: ECDH-RSA and TLS 1.2

2012-11-06 Thread Jakob Bohm
On 11/5/2012 1:37 AM, Jeffrey Walton wrote: On Sun, Nov 4, 2012 at 7:15 PM, wrote: On 02-11-2012 21:46, Jeffrey Walton wrote: On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm wrote: (continuing TOFU posting to keep the thread somewhat consistent) Given some of the mathematical restrictions on

Re: ECDH-RSA and TLS 1.2

2012-11-04 Thread Jeffrey Walton
On Sun, Nov 4, 2012 at 7:15 PM, wrote:
> On 02-11-2012 21:46, Jeffrey Walton wrote:
>>
>> On Fri, Nov 2, 2012 at 4:30 PM, Jakob Bohm wrote:
>>>
>>> (continuing TOFU posting to keep the thread somewhat consistent)
>>>
>>> Given some of the mathematical restrictions on parameters needed to
>>> kee

Re: ECDH-RSA and TLS 1.2

2012-11-04 Thread jb-openssl
From: Erik Tkal Sent: Friday, November 02, 2012 8:24 AM To: openssl-users@openssl.org Subject: RE: ECDH-RSA and TLS 1.2 What if the server has an ECDH certificate? Would that then be the appropriate set of suites? -Original Message- From: Dr. Stephen Henson Sent: Thursday, November 01, 2

Re: ECDH-RSA and TLS 1.2 [AESGCM]

2012-11-04 Thread Dr. Stephen Henson
On Fri, Nov 02, 2012, Dave Thompson wrote:
> > From: owner-openssl-us...@openssl.org On Behalf Of Abhiram Shandilya
> > Sent: Thursday, 01 November, 2012 21:31
>
> -dev added
>
> > I configured my openssl RSA CA to add the key usage extension
> > for key agreement to the ECC certificate but eve

RE: ECDH-RSA and TLS 1.2 [AESGCM]

2012-11-02 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org On Behalf Of Abhiram Shandilya
> Sent: Thursday, 01 November, 2012 21:31
-dev added
> I configured my openssl RSA CA to add the key usage extension
> for key agreement to the ECC certificate but even then it
> does not work.
Pre-TLS 1.2 cipher suites such

Re: ECDH-RSA and TLS 1.2

2012-11-02 Thread Jeffrey Walton
>>
>> I thought the keys in ECC certificates can be used for both ECDH key
>> agreement and ECDSA digital signature.
>>
>>> -Original Message-
>>> From: Erik Tkal
>>> Sent: Friday, November 02, 2012 8:24 AM
>>> To: openssl-users@openssl.

Re: ECDH-RSA and TLS 1.2

2012-11-02 Thread Jakob Bohm
Sent: Friday, November 02, 2012 8:24 AM To: openssl-users@openssl.org Subject: RE: ECDH-RSA and TLS 1.2 What if the server has an ECDH certificate? Would that then be the appropriate set of suites? -Original Message- From: Dr. Stephen Henson Sent: Thursday, November 01, 2012 10:38

RE: ECDH-RSA and TLS 1.2

2012-11-02 Thread Abhiram Shandilya
@openssl.org Subject: RE: ECDH-RSA and TLS 1.2 What if the server has an ECDH certificate? Would that then be the appropriate set of suites? Erik Tkal Juniper OAC/UAC/Pulse Development -Original Message- From: owner-openssl-us...@openssl.org

Re: ECDH-RSA and TLS 1.2

2012-11-02 Thread Billy Brumley
> Well one reason is that the fixed ECDH cipher suites do not support forward
> secrecy because they always use the same ECDH key.
ECDHE cipher suites as implemented in OpenSSL don't necessarily support forward secrecy either. I wonder what it takes to get SSL_OP_SINGLE_ECDH_USE option by default

RE: ECDH-RSA and TLS 1.2

2012-11-02 Thread Erik Tkal
Of Dr. Stephen Henson Sent: Thursday, November 01, 2012 10:38 PM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On Fri, Nov 02, 2012, Abhiram Shandilya wrote: > Hi Steve, Thanks for your response. I'm just trying to figure out what > it takes to get this working - are

Re: ECDH-RSA and TLS 1.2

2012-11-01 Thread Dr. Stephen Henson
On Fri, Nov 02, 2012, Abhiram Shandilya wrote:
> Hi Steve, Thanks for your response. I'm just trying to figure out what it
> takes to get this working - are you of the opinion that an SSL server should
> not support TLS 1.2 ECDH-RSA cipher suites? Could you also mention why?
>
Well one reason is

RE: ECDH-RSA and TLS 1.2

2012-11-01 Thread Abhiram Shandilya
sl-us...@openssl.org] On Behalf Of Dr. Stephen Henson Sent: Thursday, November 01, 2012 4:40 AM To: openssl-users@openssl.org Subject: Re: ECDH-RSA and TLS 1.2 On Thu, Nov 01, 2012, Abhiram Shandilya wrote: > I ran openssl s_server with an ECC certificate signed by an RSA Root CA. When > I try to co

Re: ECDH-RSA and TLS 1.2

2012-11-01 Thread Dr. Stephen Henson
On Thu, Nov 01, 2012, Abhiram Shandilya wrote:
> I ran openssl s_server with an ECC certificate signed by an RSA Root CA. When
> I try to connect using s_client and a TLS 1.2 ECDH-RSA cipher suite (eg
> ECDH-RSA-AES128-SHA256 or ECDH-RSA-AES128-GCM-SHA256), the connection fails
> with s_server

ECDH-RSA and TLS 1.2

2012-10-31 Thread Abhiram Shandilya
I ran openssl s_server with an ECC certificate signed by an RSA Root CA. When I try to connect using s_client and a TLS 1.2 ECDH-RSA cipher suite (eg ECDH-RSA-AES128-SHA256 or ECDH-RSA-AES128-GCM-SHA256), the connection fails with s_server printing the following error: "3086918464:error:1408A0C1