Generate proper self signed certificate working on IOS

What does “changing the curve” mean?

TLS (SSL) is negotiated in several dimensions.
There is the protocol: TLSv1.0, TLSv1.1, TLSv1.2, TLSv1.3
There is the cipher. (Like: ECDHE-RSA-AES256-GCM-SHA384 and ECDHE-RSA-AES128-GCM-SHA256)
There is the curve. (Like: "ECDH, P-384, 384 bits", "ECDH, P-256, 256 bits", "X25519, 253 bits")

All those allowed settings should be defined in the configuration of the web service (Bitwarden in this case) [ and are controlled by the web administrator = you].
I don't know how Bitwarden is configured so I can't help you with the HOW.
But I can safely say that it is a direction with a highly probable positive outcome.
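The three dimensions above can be seen in one place in a server's TLS configuration. The following is an added example (not code from this thread, from Bitwarden, or from any product mentioned here) written in Go with the standard crypto/tls package: it builds a throwaway self-signed certificate for the constructed name domain1.test, pins the server to a protocol version, one ECDHE cipher suite and an explicit curve list, and then runs a real handshake in memory against a client that only offers a given set of curves. When the server's and client's curve lists do not overlap, the handshake fails, which is exactly the situation "changing the curve" on one side resolves. The TLS 1.2 pin and the single cipher suite are choices made for this demonstration so that the cipher-suite setting is actually honoured (Go does not let you configure TLS 1.3 suites).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a throwaway self-signed ECDSA P-256 certificate
// for the constructed name domain1.test (hypothetical, for this demo only).
func newSelfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "domain1.test"},
		DNSNames:              []string{"domain1.test"}, // the SAN, which is what clients actually check
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// Negotiate runs a complete TLS handshake in memory (no sockets) between a
// server that allows only serverCurves and a client that offers only
// clientCurves. It returns the agreed cipher suite name, or the handshake error.
func Negotiate(serverCurves, clientCurves []tls.CurveID) (string, error) {
	cert, leaf, err := newSelfSignedCert()
	if err != nil {
		return "", err
	}
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		// Dimension 1: protocol. Pinned to TLS 1.2 here so that the explicit
		// cipher-suite list below is honoured (TLS 1.3 suites are fixed in Go).
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
		// Dimension 2: cipher suite. ECDHE key exchange, so a curve must be agreed.
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
		// Dimension 3: the curves (named groups) the server accepts for ECDHE.
		CurvePreferences: serverCurves,
	}
	roots := x509.NewCertPool()
	roots.AddCert(leaf) // trust our own self-signed cert rather than disabling verification
	clientCfg := &tls.Config{
		RootCAs:          roots,
		ServerName:       "domain1.test",
		CurvePreferences: clientCurves, // what the client advertises in supported_groups
	}

	serverSide, clientSide := net.Pipe()
	defer clientSide.Close()
	serverErr := make(chan error, 1)
	go func() {
		srv := tls.Server(serverSide, serverCfg)
		err := srv.Handshake()
		serverSide.Close() // close the raw pipe; a TLS close_notify would block on net.Pipe
		serverErr <- err
	}()
	cli := tls.Client(clientSide, clientCfg)
	if err := cli.Handshake(); err != nil {
		<-serverErr // let the server goroutine finish before returning
		return "", fmt.Errorf("client handshake: %w", err)
	}
	if err := <-serverErr; err != nil {
		return "", fmt.Errorf("server handshake: %w", err)
	}
	return tls.CipherSuiteName(cli.ConnectionState().CipherSuite), nil
}

func main() {
	// Overlap on P-256: the handshake completes.
	fmt.Println(Negotiate([]tls.CurveID{tls.X25519, tls.CurveP256}, []tls.CurveID{tls.CurveP256}))
	// Client offers only P-384, which the server does not allow: no common curve, handshake fails.
	fmt.Println(Negotiate([]tls.CurveID{tls.X25519, tls.CurveP256}, []tls.CurveID{tls.CurveP384}))
}
```

The same three settings exist, under different names, in the configuration of any TLS terminator (nginx, a reverse proxy, or whatever front-ends the service); the thing to check is which curves the server side lists and whether the client you care about offers at least one of them.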

Ok I will contact someone from Bitwarden and ask about the curve

Here is a list of curves supported by OpenSSL v1.1.1 (attachment: openssl.supported.curves.txt).
The list may vary depending on the version of OpenSSL (and not all curves are considered “safe”).
You can generate your own list from your system with:
openssl ecparam -list_curves

FWIW, I just discovered that putting a space after the comma in the SAN list drops everything after the space, so:

minica -domains domain1.test, sub1.domain1.test
creates a cert with: Subject Alternative Names: domain1.test,

without a space after the comma it works fine:
minica -domains domain1.test,sub1.domain1.test
creates a cert with: Subject Alternative Names: domain1.test, sub1.domain1.test

This:

is not equal to this:
-domains "domain1.test, sub1.domain1.test"

The first is seen as two separate things:
-domains domain1.test,
sub1.domain1.test

I've updated minica so it will give an informative error in this case. Thanks for reporting!
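The problem described above is shell word splitting, not the tool: `domain1.test, sub1.domain1.test` reaches the program as two separate arguments, so `-domains` receives `domain1.test,` and `sub1.domain1.test` is left over as a positional argument. The following is an added example, written for this thread and not minica's own code, of how a Go command-line tool can detect both symptoms (a leftover positional argument and an empty entry produced by the trailing comma) and fail with an informative error instead of silently issuing a certificate with the wrong SAN list. The flag name `-domains` mirrors the thread; the function names and error texts are hypothetical.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"strings"
)

// ParseDomains splits a comma-separated SAN list as a "-domains" flag would
// receive it and refuses lists that were obviously mangled by the shell.
// (Hypothetical helper written for this post; not minica's code.)
func ParseDomains(arg string) ([]string, error) {
	var names []string
	for _, raw := range strings.Split(arg, ",") {
		name := strings.TrimSpace(raw) // tolerate "a, b" when the whole list was quoted
		if name == "" {
			return nil, fmt.Errorf("domain list %q has an empty entry: a trailing comma usually means the shell split the list at a space", arg)
		}
		if strings.ContainsAny(name, " \t") {
			return nil, fmt.Errorf("domain %q contains whitespace", name)
		}
		names = append(names, name)
	}
	return names, nil
}

// DomainsFromArgs mimics the CLI: parse "-domains" from argv and reject any
// leftover positional argument, which is exactly what a space after a comma
// produces when the list is not quoted.
func DomainsFromArgs(argv []string) ([]string, error) {
	fs := flag.NewFlagSet("minica-like", flag.ContinueOnError)
	domains := fs.String("domains", "", "comma-separated list of DNS names")
	if err := fs.Parse(argv); err != nil {
		return nil, err
	}
	if rest := fs.Args(); len(rest) > 0 {
		return nil, fmt.Errorf("unexpected arguments %q after -domains: quote the list or remove spaces after commas", rest)
	}
	if *domains == "" {
		return nil, errors.New("-domains is required")
	}
	return ParseDomains(*domains)
}

func main() {
	// Constructed argv values showing what the shell hands the program in each case.
	cases := [][]string{
		{"-domains", "domain1.test,sub1.domain1.test"},    // no space: two SANs
		{"-domains", "domain1.test,", "sub1.domain1.test"}, // unquoted space: split by the shell
		{"-domains", "domain1.test, sub1.domain1.test"},    // quoted space: one argument, trimmed
	}
	for _, argv := range cases {
		names, err := DomainsFromArgs(argv)
		fmt.Printf("%q -> names=%q err=%v\n", argv, names, err)
	}
}
```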

