Chris and Mark,
> On 09.01.2020 at 21:49, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> All,
>
> On 1/9/20 3:45 PM, Christopher Schultz wrote:
>> Mark and Peter,
>>
>> On 1/9/20 3:36 PM, Mark Thomas wrote:
>>> On 09/01/2020 20:22, logo wrote:
>>>> Mark,
>>>>
>>>>> On 09.01.2020 at 20:36, Mark Thomas <ma...@apache.org> wrote:
>>>>>
>>>>> On 02/01/2020 09:24, logo wrote:
>>>>>
>>>>> <snip/>
>>>>>
>>>>>> The connector comes up correctly, is accessible through
>>>>>> the browser but if I test the ssl setup, I get an error
>>>>>> message that the key/cert may not be used for "Key
>>>>>> agreement"
>>>>>>
>>>>>> See: testssl.sh <tomcat>:8443
>>>>>>
>>>>>> Signature Algorithm            ECDSA with SHA256
>>>>>> Server key size                EC 256 bits
>>>>>> Server key usage               Digital Signature, Key Encipherment
>>>>>>                                Certificate incorrectly used for key agreement
>>>>>> Server extended key usage      TLS Web Server Authentication, TLS Web Client Authentication
>>>>
>>>> The key usage error is caused by identifying ECDH_RSA ciphers
>>>> on the connector… (most certainly an unexpected edge case,
>>>> I’ve debugged it that far). That should not be the case - as it
>>>> is an ECDSA Cert, right?
>>>
>>> I don't think so.
>>>
>>> I'm seeing ECDH/RSA ciphers in the output and I am not getting
>>> that warning.
>>>
>>> My reading of a couple of questions on stack exchange suggests
>>> RSA vs DSA ciphers depends on how the CA signs the cert. My test
>>> CA signs with RSA.

Root and Intermediate are RSA-signed. Cert is:

Signature Algorithm            ECDSA with SHA256
Server key size                EC 256 bits

>> DSA is almost never used. Nearly 100% of keys in the world are
>> plain-RSA or EC. I know of no CA that uses DSA for signing. So
>> pretty much every cert you will come across will be EC-with-RSA or
>> RSA-with-RSA (that's keytype-with-signature-type).
>
> Obviously, the above is a mixture of half-truths and irrelevant
> information. I was thinking of RSA versus DSA keys, not ECDSA as a
> signature algorithm in its own right.

Maybe I’m causing a lot of hassle by asking these questions. So far I
was happy to get a cert with a key, drop it in the right spot and all
worked well. If I stick to RSA that should stay like this.

So actually it won’t be a problem of the client - as long as it finds
one matching cipher. So for now, we should be fine if an EC-key is
supported.

Nevertheless I will try to contact Dirk Wetter and ask him if he can
explain the finding.

Peter

> Carry on...
>
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
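The finding discussed above (an EC certificate with key usage Digital Signature, Key Encipherment flagged for key agreement when the connector offers static ECDH_RSA suites) comes down to which KeyUsage bit each TLS key-exchange family requires from the server certificate. The following is an added example, not code from this thread, from Tomcat or from testssl.sh: it decodes a KeyUsage extension value from its DER bytes and reports which offered suite families the certificate actually permits. The DER bytes are constructed to match the key usage reported for the certificate in the thread.

```python
# Added example: decode an X.509 KeyUsage extension value and check it against
# the TLS 1.2 key-exchange families a connector offers. Not from the thread,
# Tomcat or testssl.sh.

# KeyUsage bit positions, RFC 5280 section 4.2.1.3.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

# KeyUsage bit the server certificate must carry for each key-exchange family
# (RFC 5246 section 7.4.2, RFC 8422 section 5.3). Static ECDH_* suites use the
# certificate's EC key itself for the key agreement, hence keyAgreement; the
# ECDHE_* suites only sign the ephemeral key, hence digitalSignature.
REQUIRED_USAGE = {
    "RSA": "keyEncipherment",
    "ECDHE_RSA": "digitalSignature",
    "ECDHE_ECDSA": "digitalSignature",
    "ECDH_RSA": "keyAgreement",
    "ECDH_ECDSA": "keyAgreement",
}


def decode_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING (tag 0x03) of a KeyUsage extension into bit names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:  # KeyUsage always fits short form
        raise ValueError("bad BIT STRING length")
    unused, body = der[2], der[3:]
    used_bits = len(body) * 8 - unused           # DER drops trailing zero bits
    return {
        KEY_USAGE_BITS[i]
        for i in range(min(used_bits, len(KEY_USAGE_BITS)))
        if body[i // 8] & (0x80 >> (i % 8))
    }


def check_families(usages: set, offered: list) -> dict:
    """Map each offered key-exchange family to whether the certificate permits it."""
    return {fam: REQUIRED_USAGE[fam] in usages for fam in offered}


if __name__ == "__main__":
    # Constructed: KeyUsage = digitalSignature + keyEncipherment (bits 0 and 2),
    # as reported for the certificate in the thread: 5 unused bits, data 0xA0.
    ec_cert_usage = decode_key_usage(bytes.fromhex("030205a0"))
    offered = ["ECDHE_ECDSA", "ECDH_RSA", "ECDH_ECDSA"]   # constructed connector list
    for fam, ok in check_families(ec_cert_usage, offered).items():
        print(f"{fam:12s} {'ok' if ok else 'certificate lacks ' + REQUIRED_USAGE[fam]}")
```

Running it shows ECDHE_ECDSA permitted and both static ECDH families rejected for that certificate, which is the same mismatch the scanner reports; the practical fix is to leave the static ECDH_* suites off the connector rather than to change the certificate.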