Both of those are using an RSA certificate; DHE or ECDHE is key-exchange only,
not authentication. However the servers must configure *parameters* for "temp DH" and "temp ECDH" respectively; do they? For ECDHE the parameters must use one of the (named) curves specified by the client; openssl client supports all named curves, but other clients like browsers might not.

Is the second server on not-very-recent RedHat or CentOS? Until late 2013, RedHat openssl packages disabled all elliptic curve crypto due to what they called legal concerns. Everyone believes this meant the Certicom patents, although I don't think they ever confirmed it.

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Walter H.
Sent: Sunday, August 10, 2014 02:39
To: openssl-users@openssl.org
Cc: Dr. Stephen Henson
Subject: ECDSA Certificate

On 08.08.2014 02:11, Dr. Stephen Henson wrote:
> Well maybe, maybe not. Just because a ciphersuite is included in the cipherlist doesn't mean it is included or could be selected. For example if you set a ciphersuite which uses ECDSA authentication it won't be selected if the server doesn't include an ECDSA certificate.

can you please give an example of an ECDSA certificate,
Thanks

I'm asking this, because one Web-Server connects with SSL_CIPHER=ECDHE-RSA-AES256-GCM-SHA384 and one with SSL_CIPHER=DHE-RSA-AES256-GCM-SHA384 both with the same client; and both Web-Servers (Apache) have this SSLCipherSuite

RC4-SHA:RC4-MD5:HIGH:MEDIUM:!ADH:!DSS:!SSLv2:+3DES

--
Greetings,
Walter
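An added example, not part of this thread or of OpenSSL itself, that models the point made above: which suites in a cipher list a server can actually negotiate depends on its certificate type (RSA vs ECDSA) and on whether temp DH / temp ECDH parameters are configured. The candidate list is a constructed subset of what a HIGH:MEDIUM list might expand to, and the parser only handles the common OpenSSL suite-name forms.

```python
from dataclasses import dataclass

@dataclass
class CipherSuite:
    name: str
    kx: str    # key exchange: "RSA", "DHE" or "ECDHE"
    auth: str  # authentication: "RSA", "ECDSA", "DSS" or "NONE" (anon)

def parse_cipher(name):
    """Derive key exchange and authentication from an OpenSSL-style suite name.
    Handles ECDHE-RSA-*, ECDHE-ECDSA-*, DHE-RSA-*, DHE-DSS-*, ADH-*, AECDH-*
    and plain names such as AES256-GCM-SHA384 or RC4-SHA (RSA kx + RSA auth)."""
    parts = name.split("-")
    if parts[0] in ("ECDHE", "DHE", "EDH"):
        return CipherSuite(name, "DHE" if parts[0] == "EDH" else parts[0], parts[1])
    if parts[0] == "ADH":
        return CipherSuite(name, "DHE", "NONE")
    if parts[0] == "AECDH":
        return CipherSuite(name, "ECDHE", "NONE")
    return CipherSuite(name, "RSA", "RSA")

def selectable(cipher_list, cert_auth, has_temp_dh, has_temp_ecdh):
    """Suites a server with the given certificate type and ephemeral
    parameters could negotiate, in the list's order."""
    out = []
    for name in cipher_list:
        s = parse_cipher(name)
        if s.auth != "NONE" and s.auth != cert_auth:
            continue  # no certificate of the right type to sign the exchange
        if s.kx == "DHE" and not has_temp_dh:
            continue  # no temp DH parameters configured
        if s.kx == "ECDHE" and not has_temp_ecdh:
            continue  # no curve configured, or EC disabled in the build
        out.append(name)
    return out

# Constructed candidate list (not real `openssl ciphers` output).
CANDIDATES = [
    "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384", "DHE-DSS-AES256-GCM-SHA384",
    "AES256-GCM-SHA384", "RC4-SHA",
]

def first_choice(cert_auth, has_temp_dh, has_temp_ecdh):
    """With server preference, the first selectable suite wins."""
    chosen = selectable(CANDIDATES, cert_auth, has_temp_dh, has_temp_ecdh)
    return chosen[0] if chosen else None

if __name__ == "__main__":
    print(first_choice("RSA", True, True))    # ECDHE-RSA-AES256-GCM-SHA384
    print(first_choice("RSA", True, False))   # DHE-RSA-AES256-GCM-SHA384 (EC disabled)
    print(first_choice("ECDSA", True, True))  # ECDHE-ECDSA-AES256-GCM-SHA384
```

The second call reproduces the situation in the reply: an RSA certificate on a build without EC support falls through to the DHE-RSA suite, while ECDSA suites are never selectable without an ECDSA certificate.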