I check the list and there are 4 points to mention:
Openssl 1.0.2d works for my side so i ask what version is used for reference.
Java 1.8 works to with the unlimited policy file
Too support more browsers i would need to add TLS 1.0 because none of the unsupported use TLS 1.1
As you said there are alternatives Firefox, Chrome, i could even enable these browsers based on ClientHello fingerprint but why should i do? The page is more for personal interest and to give people who are interested some information but other than for companyâs there is no reason for me to support old systems.
For Firefox you donât even need anything special because every relatively recent ff version does tls 1.2, ec and sha2 certs. Thatâs the good thing it even letâs users of xp browse with good security because unlike chrome or opera (chrome doesnt even support xp anymore) Firefox has its own crypto stuff (iirc it was named nss)
Hi,
Iâm trying to get an ECDSA certificate from staging by creating an ECDSA CSR and then using the LetsEncrypt client, but it seems I only get the following error: An unexpected error occurred: The request message was malformed :: Error creating new cert :: Invalid signature algorithm in CSR
Doing the same CSR againt the live version however, I get the (expected) The request message was malformed :: Invalid key in certificate request :: ECDSA curve P-256 not allowed error.
I used this commands to create the CSR and submit it: $ openssl ecparam -out privkey1.pem -name prime256v1 -genkey $ openssl req \ -new -key privkey1.pem -nodes \ -out signreq.der -outform der \ -subj "/CN=example.org" \ -reqexts SAN \ -config my-openssl.cnf $ ./letsencrypt-auto certonly \ --staging --register-unsafely-without-email \ --authenticator manual \ --text \ --csr signreq.der
(substituted the domain name with example.org) and used a my-openssl.cnf file containing the subjectAltName.
You might try to add -sha256 to your openssl req ... command. Although I just made a CSR without that switch and it was signed with ecdsa-with-SHA256 also⌠Perhaps your OpenSSL has different defaults⌠You could always check the signature algorithm with openssl req -noout -text -inform der <signreq.der
Thanks, that worked! With -sha256 the certificate has been generated successfully.
(I should have checked the command I used for generating an RSA CSR to notice it had -sha256 while the one for ECDSA didnât have it )
too bad. EC iirc needs double the bits of a symmetric key to provide the same security and I would love to provide seamless 256-bit strong stuff, thatâs why my personal RSA key is 16k.
Equal if P521 or not i am now waiting when the new EC-Type will go to production.
Because since i having HSTS activated i can check it via ssllabs but not with web browsers.
So it is nice that i new keytype work with my client implementation but without trusted in the browsers
it does not help. It is no more than using an self singed certificate.
Nice! I also just used an P-256 ECDSA CSR with the Staging Server and got a certificate containing only the Digital Signature (0x80) flag for Key Usage.
Canât wait until this goes into production, so I can finally use AES_GCM (AEAD) instead of obsolete AES_CBC ciphers for Windows Server 2012R2 with IIS and for the Win7/8 clients using IE connecting to it (because SChannel on Windows before Win10/Server2016 supports TLS_ECDHE_ECDSA_WITH_AES_GCM, but not TLS_ECDHE_RSA_WITH_AES_GCMâŚ)