ECDHE key exchange with TLSv1
kepler at calomel.org
Wed Jul 14 22:13:07 MSD 2010
I tried a few variations to get ECC keys working with Nginx. Most
likely Nginx does not yet support ECC key exchanges yet.
Firefox, Chrome, Safari and IE8 do support ECC ciphers. The
about:config in Firefox shows "security.ssl3.ecdhe_ecdsa_aes_256_sha"
For future reference,
The build environment:
Nginx v0.8.45 (built and linked against openssl v1.0.0.a)
The ECC ciphers are available according to the cipher list:
openssl ciphers -tls1 -v 'HIGH:!ADH:!MD5:@STRENGTH' | grep 256 | grep ECDH
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1
I am not sure if this is right format for Nginx and the ssl_dhparam
directive, but I was able to generate a ECC key using:
openssl ecparam -genkey -name secp521r1 -out eckey.pem | /
openssl ec -aes128 -out EC-newkey.pem
This is the s_client test used from another machine also using openssl
openssl s_client -connect hostname.com:443 -cipher ECDHE-ECDSA-AES256-SHA
Anyone is interested in more information about ECC could start with,
Elliptical Curves suggest the most modern concepts of cryptography
If anyone sees a problem or has a solution to this setup please mail
me. Igor, I would be happy to do any tests.
Calomel @ https://calomel.org
Open Source Research and Reference
On Fri, Jul 09, 2010 at 04:10:07PM -0400, Calomel Org wrote:
>Does Nginx support the elliptic curve cryptography ciphers like
>ECDHE-ECDSA-AES256-SHA available through OpenSSL v1.0.0a ?
>I have built OpenSSL v1.0.0a and placed it in a separate directory. I
>then built nginx with --with-cc-opt="-I /path_openssl/include/"
>--with-ld-opt="-L /path_openssl/lib/" and it builds fine.
>Nginx.conf has the following for SSL:
> ## SSL Certs
> ssl on;
> ssl_certificate /ssl/host.com_ssl.crt;
> ssl_certificate_key /ssl/host_ssl.key;
> ssl_ciphers ECDHE-ECDSA-AES256-SHA:AES256-SHA;
> #ssl_dhparam /ssl/host_dh.pem;
> ssl_prefer_server_ciphers on;
> ssl_protocols TLSv1;
> ssl_session_cache shared:SSL:1m;
> ssl_session_timeout 5m;
>The daemon starts up correctly, but clients will only negotiate their
>SSL connection as AES256-SHA.
>Does "ssl_dhparam" need a PEM string? Any examples?
>BTW, I found another post in the archives where Maxim Dounin said
>support was not available as of October 2009.
>Build error --with-debug; ECDHE key exchange TLS problem.[nginx 0.7.62]
> Calomel @ https://calomel.org
> Open Source Research and Reference
>nginx mailing list
>nginx at nginx.org
More information about the nginx