Mark and Peter,

On 1/9/20 3:36 PM, Mark Thomas wrote:
> On 09/01/2020 20:22, logo wrote:
>> Mark,
>>
>>> On 09.01.2020 at 20:36, Mark Thomas <ma...@apache.org> wrote:
>>>
>>> On 02/01/2020 09:24, logo wrote:
>>>
>>> <snip/>
>>>
>>>> The connector comes up correctly, is accessible through the
>>>> browser but if I test the ssl setup, I get an error message
>>>> that the key/cert may not be used for "Key agreement"
>>>>
>>>> See: testssl.sh <tomcat>:8443
>>>>
>>>> Signature Algorithm          ECDSA with SHA256
>>>> Server key size              EC 256 bits
>>>> Server key usage             Digital Signature, Key Encipherment
>>>>                              Certificate incorrectly used for key agreement
>>>> Server extended key usage    TLS Web Server Authentication, TLS Web Client Authentication
>>
>> The key usage error is caused by identifying ECDH_RSA ciphers on
>> the connector… (most certainly an unexpected edge case, I’ve
>> debugged it that far). That should not be the case - as it is an
>> ECDSA Cert, right?
>
> I don't think so.
>
> I'm seeing ECDH/RSA ciphers in the output and I am not getting that
> warning.
>
> My reading of a couple of questions on stack exchange suggests RSA
> vs DSA ciphers depends on how the CA signs the cert. My test CA
> signs with RSA.

DSA is almost never used. Nearly 100% of keys in the world are
plain-RSA or EC. I know of no CA that uses DSA for signing.

So pretty much every cert you will come across will be EC-with-RSA or
RSA-with-RSA (that's keytype-with-signature-type).

> key usage and extended key usage are properties of the certificate.
> My understanding is that the cipher doesn't play a role here.

+1

-chris
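The key type, the signature type and the key usage list discussed in this message can all be read from the certificate itself with the openssl CLI. The following is an added example, not part of the original thread: the certificate is a constructed, throwaway self-signed one (placeholder CN, OpenSSL 1.1.1 or later assumed) whose key usage values mirror the testssl.sh report quoted above.

```shell
#!/bin/sh
# Constructed sample: self-signed P-256 certificate with the keyUsage and
# extendedKeyUsage values shown in the quoted testssl.sh report.
make_sample_cert() {
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
        -sha256 -nodes -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=tomcat.example.test" -days 1 \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=serverAuth,clientAuth" 2>/dev/null
}

# "keytype": algorithm of the certificate's own key pair.
key_type() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# "signature-type": algorithm the issuer used to sign the certificate.
sig_type() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# keyUsage values (the line after the extension name); empty if absent.
key_usage() {
    openssl x509 -in "$1" -noout -text |
        sed -n '/X509v3 Key Usage/{n;s/^ *//;s/ *$//;p;}'
}

# Succeeds if the certificate permits key agreement. A certificate with no
# keyUsage extension places no restriction on how the key is used.
allows_key_agreement() {
    ku=$(key_usage "$1")
    if [ -z "$ku" ]; then return 0; fi
    case $ku in
        *"Key Agreement"*) return 0 ;;
        *) return 1 ;;
    esac
}

demo=$(mktemp -d)
make_sample_cert "$demo"
echo "key type:       $(key_type "$demo/cert.pem")"
echo "signature type: $(sig_type "$demo/cert.pem")"
echo "key usage:      $(key_usage "$demo/cert.pem")"
if allows_key_agreement "$demo/cert.pem"; then
    echo "key agreement:  permitted"
else
    echo "key agreement:  not permitted by keyUsage"
fi
rm -rf "$demo"
```

Pointing the three reader functions at the PEM file the connector actually serves shows the same fields for the real certificate.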