ECDSA testing on staging

I checked the list and there are 4 points to mention:

  1. OpenSSL 1.0.2d works on my side, so I ask what version is used for reference.
  2. Java 1.8 works too with the unlimited policy file
  3. To support more browsers I would need to add TLS 1.0 because none of the unsupported use TLS 1.1

As you said, there are alternatives, Firefox, Chrome; I could even enable these browsers based on ClientHello fingerprint, but why should I? The page is more for personal interest and to give people who are interested some information, but other than for companies there is no reason for me to support old systems.

P521 is not supported because MS does not support it :smiling_imp:

For Firefox you don’t even need anything special because every relatively recent FF version does TLS 1.2, EC and SHA-2 certs. That’s the good thing: it even lets users of XP browse with good security, because unlike Chrome or Opera (Chrome doesn’t even support XP anymore) Firefox has its own crypto stuff (IIRC it was named NSS)

And Chrome…   

Hi,
I’m trying to get an ECDSA certificate from staging by creating an ECDSA CSR and then using the LetsEncrypt client, but it seems I only get the following error:
An unexpected error occurred: The request message was malformed :: Error creating new cert :: Invalid signature algorithm in CSR

Doing the same CSR against the live version however, I get the (expected) The request message was malformed :: Invalid key in certificate request :: ECDSA curve P-256 not allowed error.

I used these commands to create the CSR and submit it:

    $ openssl ecparam -out privkey1.pem -name prime256v1 -genkey
    $ openssl req \
        -new -key privkey1.pem -nodes \
        -out signreq.der -outform der \
        -subj "/CN=example.org" \
        -reqexts SAN \
        -config my-openssl.cnf
    $ ./letsencrypt-auto certonly \
        --staging --register-unsafely-without-email \
        --authenticator manual \
        --text \
        --csr signreq.der

(substituted the domain name with example.org) and used a my-openssl.cnf file containing the subjectAltName.

What am I doing wrong?
Thanks!

Chrome’s crypto uses the os, so whatever ms doesn’t do, chrome won’t do either.

And doesn’t support secp521r1, whatever the OS.

You might try to add -sha256 to your openssl req ... command. Although I just made a CSR without that switch and it was signed with ecdsa-with-SHA256 also… Perhaps your OpenSSL has different defaults… You could always check the signature algorithm with openssl req -noout -text -inform der <signreq.der

But why doesn’t it do 521?

maybe http://security.stackexchange.com/questions/100991/why-is-secp521r1-no-longer-supported-in-chrome-others ?

Thanks, that worked! With -sha256 the certificate has been generated successfully.
(I should have checked the command I used for generating an RSA CSR to notice it had -sha256 while the one for ECDSA didn’t have it :slightly_smiling:)

1 Like
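
The check suggested in the replies above, written out as a pre-flight script. This is an added example, not part of the original thread: it pins the digest with `-sha256` instead of relying on the local OpenSSL default and refuses a CSR whose signature algorithm is not on an allow-list. The function names and the allow-list are assumptions; only `ecdsa-with-SHA256` is confirmed by the thread.

```sh
#!/bin/sh
# Added example; function names and the allow-list are assumptions.

# Create a P-256 key and a DER CSR in directory $1, signed with digest flag $2.
make_csr() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/privkey1.pem" &&
    openssl req -new -key "$1/privkey1.pem" "$2" \
        -subj "/CN=example.org" -outform der -out "$1/signreq.der"
}

# Print the signature algorithm recorded in the DER CSR $1 (empty on error).
csr_sig_alg() {
    openssl req -noout -text -inform der -in "$1" 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Allow-list of CSR signature algorithms. Only ecdsa-with-SHA256 is confirmed
# by the thread; extend it to whatever your CA documents as accepted.
sig_alg_ok() {
    case "$1" in
        ecdsa-with-SHA256) return 0 ;;
        *) return 1 ;;
    esac
}

# Pre-flight check: return 0 only if the CSR may be submitted.
check_csr() {
    alg=$(csr_sig_alg "$1")
    if sig_alg_ok "$alg"; then
        echo "OK: $1 is signed with $alg"
    else
        echo "REJECT: $1 is signed with '${alg:-unreadable}'" >&2
        return 1
    fi
}

# Demo run: build a CSR with the digest pinned, then check it.
work=$(mktemp -d)
make_csr "$work" -sha256 && check_csr "$work/signreq.der"
rm -rf "$work"
```

Run `check_csr signreq.der` on an existing CSR before passing it to the client with `--csr`; a non-zero exit status means the CSR should be regenerated with an explicit digest flag.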

too bad. EC iirc needs double the bits of a symmetric key to provide the same security and I would love to provide seamless 256-bit strong stuff, that’s why my personal RSA key is 16k.

Regardless of P521 or not, I am now waiting for when the new EC type will go to production.
Because since I have HSTS activated, I can check it via ssllabs but not with web browsers.
So it is nice that the new key type works with my client implementation, but without being trusted in the browsers
it does not help. It is no more than using a self-signed certificate.

@jsha Why is it "intended" for P-521 not to work?

To make it short they do not like it.

Staging is updated with the latest configs and is issuing with the correct keyUsages.

2 Likes

Yes indeed, confirmed for ECDSA public key:

    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature
        X509v3 Extended Key Usage: 

But with an RSA public key:

    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage: 

And confirmed proper behaviour in Chrome :slightly_smiling:

Yay :grinning: On to the release branch! :stuck_out_tongue: (And must-staple is almost ready too! :clap:)

1 Like

why is key encipherment just for RSA but not ECDSA?
(edit when my fingers are faster than my brain)

[quote=“My1, post:59, topic:8809”]
for RSA but not RSA?
[/quote]
You meant ECDSA, presumably.

keyEncipherment means something that is only possible with RSA certificates, it doesn’t exist for ECDSA or DSA certificates. (And incidentally, said RSA key exchange is non-PFS anyway and for that reason (EC)DHE is preferred, just using the RSA key for signing the exchange.)

1 Like
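
The key usage comparison from the posts above can be turned into a check that runs against any issued certificate. This is an added example, not part of the original thread: it reads `openssl x509 -noout -text` output and compares the Key Usage value with what the thread reports for each key type. The function names are assumptions, and the sample texts are the extension dumps posted above.

```sh
#!/bin/sh
# Added example; function names are assumptions, not from the thread.

# Read `openssl x509 -noout -text` output on stdin and print the value line
# that follows "X509v3 Key Usage:". The Extended Key Usage header is skipped
# because it does not contain that exact string.
key_usage() {
    awk '/X509v3 Key Usage:/ { getline; gsub(/^ +| +$/, ""); print; exit }'
}

# $1 = key type (ecdsa or rsa), stdin = certificate text.
# Expected values are the ones posted in the thread for each key type.
key_usage_ok() {
    ku=$(key_usage)
    case "$1:$ku" in
        "ecdsa:Digital Signature") return 0 ;;
        "rsa:Digital Signature, Key Encipherment") return 0 ;;
        *) echo "unexpected key usage for $1: '$ku'" >&2; return 1 ;;
    esac
}

# Extension dump posted in the thread for the ECDSA certificate.
sample_ds_only() {
    cat <<'EOF'
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature
        X509v3 Extended Key Usage:
EOF
}

# Extension dump posted in the thread for the RSA certificate.
sample_ds_ke() {
    cat <<'EOF'
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature, Key Encipherment
        X509v3 Extended Key Usage:
EOF
}

sample_ds_only | key_usage_ok ecdsa && echo "ECDSA: key usage as expected"
sample_ds_ke | key_usage_ok rsa && echo "RSA: key usage as expected"
sample_ds_ke | key_usage_ok ecdsa || echo "ECDSA with Key Encipherment: rejected"
```

Against a real certificate, use `openssl x509 -noout -text -in cert.pem | key_usage_ok ecdsa`.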

Nice! I also just used a P-256 ECDSA CSR with the Staging Server and got a certificate containing only the Digital Signature (0x80) flag for Key Usage.

Can’t wait until this goes into production, so I can finally use AES_GCM (AEAD) instead of obsolete AES_CBC ciphers for Windows Server 2012R2 with IIS and for the Win7/8 clients using IE connecting to it (because SChannel on Windows before Win10/Server2016 supports TLS_ECDHE_ECDSA_WITH_AES_GCM, but not TLS_ECDHE_RSA_WITH_AES_GCM…)

1 Like