I am not an OpenSSL expert, so please don’t mind if I ask something stupid.
I am worried whether, if I use ECDSA certs (which I have not tried yet), all browsers will still be able to reach my website.
As far as I know, I cannot use a dual (ECDSA + RSA) cert configuration, because my webserver is not sophisticated enough (it doesn’t support SNI), or I would have to use a proxy (like HAProxy). So I have to use either ECDSA or RSA.
I see there is use of RSA ciphers in articles describing ECDSA implementations. What does it mean? Can I still use RSA with ECDSA certs (and therefore still be reachable by everyone)?
This site lists OS/browser support for ECC keys. Generally, you’re fine with all modern browsers. If you care about XP or older Android releases, this might become a problem.
SNI isn’t related to this topic at all. It’s possible for web servers to be configured with multiple certificates of different types and use them based on what the client supports. Apache supports this since version 2.4, more details here: http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile
Nginx supports the same thing since 1.11.0, which was released a couple of days ago.
The compatibility issues you could run into with ECDSA certificates are due to the certificate type, not the ciphers. Basically, either the client supports ECDSA certificates or it doesn’t; ciphers won’t really matter in this equation. Your best bet would be to use both certificate types.
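As an added illustration (not part of any post in this thread), here is what the dual-certificate setup described above looks like in nginx 1.11.0 or later; the hostname and file paths are placeholders. The cipher list has to contain suites for both key types, since a list with only RSA suites would leave the ECDSA certificate unusable:

```nginx
server {
    listen 443 ssl;
    server_name example.com;   # placeholder hostname

    # nginx >= 1.11.0 accepts more than one ssl_certificate /
    # ssl_certificate_key pair and serves the chain whose key type
    # matches what the client negotiated: ECDSA when the client
    # supports it, RSA otherwise. Paths below are hypothetical.
    ssl_certificate     /etc/ssl/example.com.ecdsa.fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com.ecdsa.key;
    ssl_certificate     /etc/ssl/example.com.rsa.fullchain.pem;
    ssl_certificate_key /etc/ssl/example.com.rsa.key;

    # Include both ECDHE-ECDSA and ECDHE-RSA suites. Listing only
    # ECDHE-RSA-* suites would mean no ECDSA-authenticated handshake
    # can ever be negotiated, even by clients that support ECDSA.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
}
```

A client that understands only RSA certificates will negotiate an ECDHE-RSA suite and receive the RSA chain, so nothing is lost compared with an RSA-only server.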
OpenBSD’s httpd is actually a use of their web-relaying daemon. AFAIK, it is not related in any manner to Apache. It is wished that it stay small, with a focus on easy configuration and low use of extra options. So no surprise SNI is not supported, but it has been on the feature request list for quite a time: https://github.com/reyk/httpd/issues
The first OpenBSD httpd (called this way in the system and on forums) is actually an old Apache version (1.3 maybe). It was removed from the system. One has to install Apache specifically if needed.
You’re correct, I had no idea! After I wrote my above post I Binged OpenBSD’s httpd and found this interesting read. I’m on FreeBSD, and I always thought we had more in common than we apparently do!
I also found this. It might help you work around a lack of SNI:
> OpenBSD httpd :) If you need to serve more than one website over
> HTTPS without SNI, just add the extra domains into the main
> certificate SAN.
It's just that it doesn't matter for compatibility, as your browser would either support ECDSA keys or not. Enabling RSA ciphers isn't going to make clients that don't support ECDSA work with ECDSA-only web servers.
True, true, all true. But if you specified only RSA ciphers on your webserver and tried to serve an ECDSA certificate, in theory (I haven’t actually tested it) the client couldn’t connect, even if it supported ECDSA certificates. But that’s perhaps not really the point of the ‘discussion’ you were having.