ECDSA and RSA certificates


#1

I am not an OpenSSL expert, so please don’t mind if I ask something stupid.

I am worried: if I use ECDSA certs (which I have not tried yet), will all browsers still be able to reach my website?

As far as I know, I cannot use a dual (ECDSA + RSA) cert’ conf, because my webserver is not sophisticated enough (it doesn’t support SNI), or I should use a proxy (like haproxy). So I have to use either ECDSA or RSA.

I see there is use of RSA ciphers in articles describing ECDSA implementations. What does it mean? Can I still use RSA with ECDSA certs (and therefore still be reachable by everyone)?

Thanks for the info.


#2

This site lists OS/browser support for ECC keys. Generally, you’re fine with all modern browsers. If you care about XP or older Android releases, this might become a problem.

SNI isn’t related to this topic at all. It’s possible for web servers to be configured with multiple certificates of different types and use them based on what the client supports. Apache supports this since version 2.4, more details here: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile
Nginx supports the same thing since 1.11.0, which was released a couple of days ago.

The compatibility issues you could run into with ECDSA certificates are due to the certificate type, not the ciphers. Basically, either the client supports ECDSA certificates or not - ciphers won’t really matter in this equation. Your best bet would be to use both certificate types.


#3

Actually, the cipher suite includes the authentication method (of the certificate)…


#4

That might explain the thing.


#5

I use OpenBSD’s httpd, which I don’t know whether it supports several certs. And I know for sure it does not support SNI.


#6

Isn’t that a fork of Apache? Somebody else commented on that in an earlier thread and I think it was a version of Apache 2.4.8 or similar.

Are you sure it doesn’t support SNI? That doesn’t sound right.


#7

OpenBSD’s httpd is actually a use of their web-relaying daemon. AFAIK, it is not related in any manner to Apache. It is wished that it stays small, with a focus on easy conf’ and low use of extra options. So no surprise SNI is not supported, but it has been on the feature requests list for quite a while: https://github.com/reyk/httpd/issues

The first OpenBSD httpd (called this way in the system and on forums) is actually an old Apache version (1.3 maybe). It was suppressed from the system. One has to install Apache specifically if needed.


#8

You’re correct, I had no idea! After I wrote my above post I Binged OpenBSD’s httpd and found this interesting read. I’m on FreeBSD, and I always thought we had more in common than we apparently do!

I also found this. It might help you work around a lack of SNI:

> OpenBSD httpd :) If you need to serve more than one website over
> HTTPS without SNI, just add the extra domains into the main
> certificate SAN.

Good luck!


#9

I didn’t say anything else! :smile:

It’s just that it doesn’t matter for compatibility, as your browser would either support ECDSA keys or not. Enabling RSA ciphers isn’t going to make clients that don’t support ECDSA work with ECDSA-only web servers.


#10

True true, all true. But if you’d specify only RSA ciphers on your webserver and try to serve an ECDSA certificate, in theory (I haven’t tested it actually) the client can’t connect, even if it’d support ECDSA certificates. But that’s perhaps not really the point of the ‘discussion’ you were having :stuck_out_tongue:
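The point made in #3 and #10 can be checked without a live server: TLS 1.2 cipher suite names carry their authentication method (the `Au=` field of OpenSSL’s cipher description), so a cipher string and a certificate key type together decide whether any suite is negotiable. The following is an added illustration, not code from any poster; it only assumes Python’s `ssl` module is linked against an OpenSSL that exposes cipher descriptions, and `usable_suites` is a name chosen here.

```python
import re
import ssl

# Which "Au=" value a certificate key type can satisfy in a TLS 1.2 suite.
KEY_TYPE_AUTH = {"RSA": {"RSA"}, "ECDSA": {"ECDSA"}}


def usable_suites(cipher_string, cert_key_type):
    """Return the suites a server could actually negotiate given an
    OpenSSL-style cipher string (same syntax as Apache's SSLCipherSuite or
    nginx's ssl_ciphers) and the key type of the certificate it serves.

    TLS 1.2 suites name their authentication method (Au=RSA / Au=ECDSA),
    so an RSA-only cipher list leaves nothing usable with an ECDSA cert.
    TLS 1.3 suites are Au=any and work with either key type.
    """
    wanted = KEY_TYPE_AUTH[cert_key_type]
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises SSLError if nothing matches
    result = {"tls12": [], "tls13": []}
    for suite in ctx.get_ciphers():
        match = re.search(r"Au=(\w+)", suite["description"])
        auth = match.group(1) if match else "?"
        if suite["protocol"] == "TLSv1.3" or auth == "any":
            result["tls13"].append(suite["name"])
        elif auth in wanted:
            result["tls12"].append(suite["name"])
    return result


if __name__ == "__main__":
    # The scenario from the thread: RSA-only cipher list, ECDSA certificate.
    rsa_only = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
    for key_type in ("RSA", "ECDSA"):
        suites = usable_suites(rsa_only, key_type)
        print(f"{key_type} cert: TLS1.2 suites usable = {suites['tls12']}, "
              f"TLS1.3 suites usable = {len(suites['tls13'])}")
```

A TLS 1.2-only client therefore fails against the ECDSA certificate in that scenario even though it supports ECDSA, while a TLS 1.3 client still connects because its suites are authentication-agnostic.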


#11

> OpenBSD httpd :slight_smile: If you need to serve more than one website over
> HTTPS without SNI, just add the extra domains into the main
> certificate SAN.

Yes, but I can still serve/use only one cert! So either RSA or ECDSA.


#12

Well, I still see some XPs in the visitors’ logs of the website, so I might wait a bit.


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.