ECDHE key exchange with TLSv1

Calomel Org kepler at calomel.org
Wed Jul 14 22:13:07 MSD 2010 

I tried a few variations to get ECC keys working with Nginx. Most
likely Nginx does not yet support ECC key exchanges yet.

Firefox, Chrome, Safari and IE8 do support ECC ciphers. The
about:config in Firefox shows "security.ssl3.ecdhe_ecdsa_aes_256_sha"
for example.


For future reference,

The build environment:
 Nginx v0.8.45 (built and linked against openssl v1.0.0.a)
 Openssl v1.0.0.a 

The ECC ciphers are available according to the cipher list:
openssl ciphers -tls1 -v 'HIGH:!ADH:!MD5:@STRENGTH' | grep 256 | grep ECDH
ECDHE-RSA-AES256-SHA   SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256) Mac=SHA1
AECDH-AES256-SHA       SSLv3 Kx=ECDH     Au=None Enc=AES(256) Mac=SHA1
ECDH-RSA-AES256-SHA    SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256) Mac=SHA1
ECDH-ECDSA-AES256-SHA  SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256) Mac=SHA1


I am not sure if this is right format for Nginx and the ssl_dhparam
directive, but I was able to generate a ECC key using:
 openssl ecparam -genkey -name secp521r1 -out eckey.pem | /
 openssl ec -aes128 -out EC-newkey.pem

This is the s_client test used from another machine also using openssl
v1.0.0.a:
 openssl s_client -connect hostname.com:443 -cipher ECDHE-ECDSA-AES256-SHA


Anyone is interested in more information about ECC could start with,
Elliptical Curves suggest the most modern concepts of cryptography
http://blog.taragana.com/index.php/archive/mathematical-theory-of-elliptic-curves-may-help-strengthen-it-security/


If anyone sees a problem or has a solution to this setup please mail
me. Igor, I would be happy to do any tests.

--
   Calomel @ https://calomel.org
   Open Source Research and Reference


On Fri, Jul 09, 2010 at 04:10:07PM -0400, Calomel Org wrote:
>Does Nginx support the elliptic curve cryptography ciphers like
>ECDHE-ECDSA-AES256-SHA available through OpenSSL v1.0.0a ?
>
>
>I have built OpenSSL v1.0.0a and placed it in a separate directory. I
>then built nginx with --with-cc-opt="-I /path_openssl/include/"
>--with-ld-opt="-L /path_openssl/lib/" and it builds fine.
>
>Nginx.conf has the following for SSL:
>
>     ## SSL Certs
>      ssl on;
>      ssl_certificate /ssl/host.com_ssl.crt; 
>      ssl_certificate_key /ssl/host_ssl.key; 
>      ssl_ciphers ECDHE-ECDSA-AES256-SHA:AES256-SHA;
>     #ssl_dhparam /ssl/host_dh.pem;
>      ssl_prefer_server_ciphers on;
>      ssl_protocols TLSv1;
>      ssl_session_cache shared:SSL:1m;
>      ssl_session_timeout 5m;
>
>
>The daemon starts up correctly, but clients will only negotiate their
>SSL connection as AES256-SHA. 
>
>Does "ssl_dhparam" need a PEM string? Any examples?
>
>
>
>BTW, I found another post in the archives where Maxim Dounin said
>support was not available as of October 2009.
>
>Build error --with-debug; ECDHE key exchange TLS problem.[nginx 0.7.62]
>http://forum.nginx.org/read.php?2,11737,11737
>
>--
>   Calomel @ https://calomel.org
>   Open Source Research and Reference
>
>
>
>_______________________________________________
>nginx mailing list
>nginx at nginx.org
>http://nginx.org/mailman/listinfo/nginx

More information about the nginx mailing list