ECDSA certificate not NIST/HIPAA compliant?

BFeely · October 15, 2016, 12:15am

I have been running the https://www.htbridge.com/ssl tests on my server, which has a P-384 ECDSA certificate alongside a 4096-bit traditional RSA certificate, on nginx 1.11.x. It states that “The ECDSA certificate provided has not been signed using the proper algorithm according to NIST guidelines.” with a similar message for the new HIPAA test.
Is this because my EC certificate is 384 rather than 256 bits, or because it is signed against a RSA intermediate, or is it a bug in the htbridge.com tests?
When I remove the EC certificate and let the test see only the RSA-4096 certificate, the test passes fine and displays compliant with PCI-DSS, HIPAA, and NIST, instead of only PCI-DSS. The domain I tested uses SNI, but the same behavior occurs with my main, non-SNI domain.

jtl · October 15, 2016, 2:16am

I've seen things like that in the past (with RSA key size and TLS versions) but I'd need the NIST guidelines in question.

Well it was with the above test too.

ahaw021 · October 16, 2016, 5:02am

Hi BFeely

Most likely reason is your TLS cipher selection.

The cert and key are within NIST Guidelines.

Below are the Ciphers I have enabled on my server got get PCI-DSS compliance.

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

You can use this tool to generate a NGINX config for you: https://mozilla.github.io/server-side-tls/ssl-config-generator/

The NIST Publication HTBridge Tests against can be found here: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf

You can also run a test with ssllabs.com

BFeely · October 16, 2016, 12:29pm

As mentioned, it was only my certificate that prevented the HTBridge test from marking as HIPAA or NIST. All other points in the same test came up green, and it came up all green on the PCI-DSS test, and gave an A+ rating.
The SSL Labs test gives an A+ rating too.

EDIT 12/10: It appears that HTBridge does not certify EC certificates that are signed against a RSA intermediate.

system · November 15, 2016, 12:32pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.