> From: [email protected] On Behalf Of John Foley
> Sent: Thursday, 11 August, 2011 15:10

> Is there a known bug with ECDH_RSA key exchange cipher suites in
> 0.9.8r? For instance, using cipher suite ECDH-RSA-AES128-SHA in 0.9.8r
> does not work. But it does work in 1.0.0d. This is tested using the
> following command:
>
> ssltest -tls1 -cert servercert.pem -key serverkey.pem -cipher ECDH-RSA-AES128-SHA
>
> The certificate is an ECC cert signed by an RSA root.
<snip>

Looking at 0.9.8 ssl_set_cert_mask there is a limitation which is
certainly surprising (and not to my recollection documented),
whether or not we call it a bug. It allows kECDHr only if
the cert is signed with md2+RSA, md4+RSA or md5+RSA, nothing else.
In particular not sha1+RSA which your posted cert is.

I tested with an md5+RSA cert and it works. But in about the
past 3 years md5+anything certs are easily forgeable at least
sometimes, so they don't reliably give you authentication,
and if you don't need authentication you could just use
anon-ECDH which also works.

1.0.0 allows any cert sig alg whose name includes "WithRSA".

Adjacent in the code, 1.0.0 like 0.9.8 allows kECDH*e* only for
cert signed ECDSA+SHA1, though 1.0.0 otherwise handles
ECDSA+SHA2family. That probably needs a similar upgrade.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
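
The rules described in the message above, written out as a small C model so the two versions can be compared for several certificate signature algorithms. This is an added example, not OpenSSL source and not code from the original post; the `MODEL_*` and `V_*` names and the function `ecdh_kx_allowed` are hypothetical, and the inputs are assumed to be OpenSSL long names for signature algorithms.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this model; they are not OpenSSL identifiers. */
enum { MODEL_kECDHr = 1, MODEL_kECDHe = 2 };
enum model_version { V_0_9_8, V_1_0_0 };

/* Returns the fixed-ECDH key exchanges that the message says are permitted
 * for a certificate whose signature algorithm has the given long name. */
int ecdh_kx_allowed(enum model_version v, const char *sig_alg)
{
    int mask = 0;

    if (v == V_0_9_8) {
        /* 0.9.8: only md2/md4/md5 with RSA enable kECDHr. */
        if (strcmp(sig_alg, "md2WithRSAEncryption") == 0 ||
            strcmp(sig_alg, "md4WithRSAEncryption") == 0 ||
            strcmp(sig_alg, "md5WithRSAEncryption") == 0)
            mask |= MODEL_kECDHr;
    } else {
        /* 1.0.0: any signature algorithm whose name includes "WithRSA". */
        if (strstr(sig_alg, "WithRSA") != NULL)
            mask |= MODEL_kECDHr;
    }
    /* Both versions: kECDHe only for a cert signed ECDSA+SHA1. */
    if (strcmp(sig_alg, "ecdsa-with-SHA1") == 0)
        mask |= MODEL_kECDHe;
    return mask;
}

int main(void)
{
    /* Constructed sample inputs: signature algorithm long names. */
    const char *algs[] = { "md5WithRSAEncryption", "sha1WithRSAEncryption",
                           "sha256WithRSAEncryption", "ecdsa-with-SHA1",
                           "ecdsa-with-SHA256" };
    size_t i;

    printf("%-26s %-8s %s\n", "cert signature", "0.9.8", "1.0.0");
    for (i = 0; i < sizeof algs / sizeof algs[0]; i++)
        printf("%-26s mask=%d   mask=%d\n", algs[i],
               ecdh_kx_allowed(V_0_9_8, algs[i]),
               ecdh_kx_allowed(V_1_0_0, algs[i]));
    return 0;
}
```

The `sha1WithRSAEncryption` row reproduces the reported symptom: no fixed-ECDH key exchange under the 0.9.8 rule, kECDHr under the 1.0.0 rule.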
