3

I have many SSL certificates. On one of the certificates I ran the command `openssl x509 -in cert.pem -text -noout` and it shows:

Signature Algorithm: ecdsa-with-SHA256
Public Key Algorithm: id-ecPublicKey

Based on the info from the certificate, how can I get the list of all possible ciphers which can be used with the particular certificate?

Addendum: https://www.rfc-editor.org/rfc/rfc5246#section-7.4.2

harsh3547
  • 33
  • 4

1 Answer

3

Signature Algorithm: ecdsa-with-SHA256

This is irrelevant for the choice of cipher.

Public Key Algorithm: id-ecPublicKey

Since this is an ECC key you can use all ciphers which use ECDSA for authentication, or the TLS 1.3 ciphers, which are not specific to the key algorithm. Similarly, with an RSA key you can use all ciphers which use RSA for authentication, or the TLS 1.3 ciphers:

$ openssl ciphers -V ALL | grep -E 'Au=(ECDSA|any)'
$ openssl ciphers -V ALL | grep -E 'Au=(RSA|any)'

Note that the above command also includes insecure ciphers, i.e. you might want to replace ALL with HIGH to get only the more secure ones.

Steffen Ullrich
  • 184,332
  • 29
  • 363
  • 424
  • In theory depending on keyUsage you could also do ECDH(static)_ECDSA for 1.1 or lower and _either for 1.2, but those are rarely used and often not implemented. And all this is only through TLS1.2; for 1.3 the ciphersuite no longer contains the keyexchange and auth methods and is independent of the cert&key. – dave_thompson_085 Apr 18 '19 at 05:15
  • @dave_thompson_085: thanks for pointing out that TLS 1.3 ciphers don't specify the authentication. I've adapted the answer. – Steffen Ullrich Apr 18 '19 at 07:38
  • @SteffenUllrich could you point me to a document where it mentions how many types of Public Key Algorithm exist? Thanks – harsh3547 Apr 23 '19 at 06:53
  • @SteffenUllrich: Actually, I asked this question because I used a certificate for my server and fiddled around with ssl_ciphers in nginx and lost connectivity to my server through the browser. – harsh3547 Apr 23 '19 at 06:55
  • @harsh3547: *"...could you point me to a document where it mentions , how many types of Public Key Algorithm: exists ? ..."* - 1. please stay within your original question. 2. I don't know of such an all-encompassing document 3. Practically relevant today are ECC and RSA only. – Steffen Ullrich Apr 23 '19 at 07:12
  • @harsh3547: *"actually i asked this question because i used a certificate for my server and fiddled around with ssl_ciphers in nginx and lost connectivity to my server through the browser"* - you can add ECDSA ciphers to `ssl_ciphers` even if you use a RSA key. They do not harm in any way, i.e. they will simply not be used. Thus you don't need to setup `ssl_ciphers` to fit your specific certificate. – Steffen Ullrich Apr 23 '19 at 07:14
  • @SteffenUllrich thanks a lot – harsh3547 Apr 23 '19 at 09:08
  • https://tools.ietf.org/html/rfc5246#section-7.4.2 -- for a better understanding (only for the TLS 1.2 protocol) – harsh3547 Apr 23 '19 at 12:38
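The filtering the answer does with `openssl ciphers -V ALL | grep -E 'Au=(ECDSA|any)'`, plus the nginx `ssl_ciphers` point from the comments, as an added example in Python (not code from the question, the answer or any commenter). It reads the `Public Key Algorithm` line from `openssl x509 -text` output, ignores the `Signature Algorithm` line as the answer says, and keeps the ciphers whose `Au=` column matches the key type or is `any` (TLS 1.3). The function names, the `KEY_ALG_TO_AUTH` mapping (only the two key types the answer calls practically relevant) and the sample `openssl ciphers -V` lines are constructed for this example; `live_ciphers()` additionally runs the same filter over the ciphers of the OpenSSL that Python's `ssl` module is linked against.

```python
import re
import ssl

# "Public Key Algorithm" values printed by `openssl x509 -text`, mapped to the
# authentication method shown in the Au= column of `openssl ciphers -V`.
# Assumption of this example: only ECC and RSA keys are handled.
KEY_ALG_TO_AUTH = {
    "id-ecPublicKey": "ECDSA",
    "rsaEncryption": "RSA",
}

# Constructed sample of `openssl ciphers -V ALL:eNULL` output (not captured
# from a real host): one TLS 1.3 suite, ECDSA and RSA TLS 1.2 suites, and a
# NULL-encryption suite to show the weak-cipher filter.
SAMPLE_CIPHERS_V = """\
          0x13,0x02 - TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256) Mac=AEAD
          0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
          0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA   Enc=AESGCM(256) Mac=AEAD
          0xC0,0x06 - ECDHE-ECDSA-NULL-SHA    TLSv1 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
          0x00,0x9C - AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA   Enc=AESGCM(128) Mac=AEAD
"""

# One cipher description as OpenSSL prints it. search() is used so the
# "0xNN,0xNN - " id prefix of `-V` output is skipped automatically.
DESC_RE = re.compile(
    r"(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def key_type_from_x509_text(text):
    """Return "ECDSA" or "RSA" from the text of `openssl x509 -text -noout`.
    The Signature Algorithm line is deliberately ignored: it is the algorithm
    the issuer signed with, not the key this certificate carries."""
    m = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    if not m:
        raise ValueError("no 'Public Key Algorithm' line found")
    alg = m.group(1)
    if alg not in KEY_ALG_TO_AUTH:
        raise ValueError(f"unsupported key algorithm: {alg}")
    return KEY_ALG_TO_AUTH[alg]


def parse_ciphers_v(text):
    """Parse `openssl ciphers -V` output into dicts keyed name/proto/kx/au/enc/mac."""
    return [m.groupdict() for m in map(DESC_RE.search, text.splitlines()) if m]


def live_ciphers():
    """Same dict shape, for the OpenSSL that Python's ssl module is linked
    against: the "ALL" list (everything except NULL encryption) plus the
    TLS 1.3 suites, which OpenSSL reports regardless of the cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL")
    matches = (DESC_RE.search(c["description"]) for c in ctx.get_ciphers())
    return [m.groupdict() for m in matches if m]


def usable_ciphers(auth, ciphers, exclude_null=True):
    """Names of the ciphers a certificate with key type `auth` can be used
    with: Au=<auth> suites plus the key-agnostic Au=any (TLS 1.3) suites.
    exclude_null drops NULL-encryption suites, the most obvious of the
    insecure entries the answer warns about."""
    return [
        c["name"] for c in ciphers
        if c["au"] in (auth, "any") and not (exclude_null and c["enc"] == "None")
    ]


def nginx_ssl_ciphers(auth, ciphers):
    """Colon-separated value for nginx's ssl_ciphers. TLS 1.3 suites are left
    out: ssl_ciphers feeds OpenSSL's TLS 1.2-and-below cipher list, and the
    TLS 1.3 suites do not depend on the certificate anyway."""
    pre_tls13 = [c for c in ciphers if c["proto"] != "TLSv1.3"]
    return ":".join(usable_ciphers(auth, pre_tls13))


if __name__ == "__main__":
    # The two lines the question quotes from `openssl x509 -text -noout`.
    cert_text = ("Signature Algorithm: ecdsa-with-SHA256\n"
                 "    Public Key Algorithm: id-ecPublicKey\n")
    auth = key_type_from_x509_text(cert_text)
    print("sample:", usable_ciphers(auth, parse_ciphers_v(SAMPLE_CIPHERS_V)))
    print("this host:", usable_ciphers(auth, live_ciphers()))
    print("nginx ssl_ciphers:", nginx_ssl_ciphers(auth, live_ciphers()))
```

To use it against a real certificate, pipe the output of `openssl x509 -in cert.pem -text -noout` into `key_type_from_x509_text()` and the output of `openssl ciphers -V ALL` into `parse_ciphers_v()`; `exclude_null` only removes NULL-encryption suites, so keep the answer's advice to start from `HIGH` rather than `ALL` if you want to exclude the other weak ciphers as well.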