
I am attempting to configure my Apache Traffic Server to use an ECDSA cert/key. However, I got the following error message when connecting with openssl s_client:

 routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake

and if I attempt to connect to it directly with Firefox, I am told that no common cipher is available.

I am pretty sure that the certs/keys are generated correctly, as I was able to establish a connection with the same cert/key using openssl s_server and openssl s_client.

So that makes me wonder whether I need to compile ATS specially to make use of ECDSA certificates.

Shane Madden
Isaac Kwan
  • What about attempting to connect to Traffic Server's SSL listener with `openssl s_client`? That'll tell us whether the client or the server is the one having a problem. There shouldn't be a need to recompile, but then again I'm not seeing anything in the Traffic Server docs about changing the cipher suite, just the protocol version. – Shane Madden Jul 07 '12 at 05:43
  • @shane-madden Tested, and the result is here: https://www.box.com/shared/d9e113be090c52d61c78 (sorry, on mobile and can't copy and paste). The documentation online is partially outdated. There is one option to set ciphers, and I've set it to ECDHE-ECDSA-RC4-SHA with "server honour cipher" (I don't know what the term is?) turned on. Both server and client support this cipher, as tested in the s_server and s_client test. – Isaac Kwan Jul 07 '12 at 07:27
  • By the way, if I use an RSA certificate instead, everything runs smoothly. – Isaac Kwan Jul 07 '12 at 07:32
  • Sounds like I can't mention you, so @ShaneMadden – Isaac Kwan Jul 07 '12 at 09:45

1 Answer


Sounds like yes.

A quick Google search turned up this post, which pointed out that "this requires an elliptic curve to be specified to use for ephemeral ECDH keys", and thus if you are going to use an ECDSA certificate, you will need the software to specifically support it.

Isaac Kwan
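The following is an added example, not code from the original question, the answer, or Apache Traffic Server. It models why an ECDSA certificate produces "no common cipher" / handshake failure while an RSA certificate with the same configuration works: the server can only pick a suite whose authentication algorithm matches the certificate key type, and (in the OpenSSL 1.0.1 era the thread is about) an ECDHE suite is silently dropped unless the application has configured an ephemeral ECDH curve. With an RSA certificate there is always a plain-RSA key-transport suite to fall back to; with an ECDSA certificate every usable suite is ECDHE-ECDSA, so nothing is left. The cipher-suite lists, the `negotiate` rule, and the key-exchange/authentication parsing of OpenSSL-style suite names are all constructed for the example (the real tool for the parsing step is `openssl ciphers -v`).

```python
"""Model of TLS suite selection with an ECDSA vs RSA certificate.

Added example, not code from the original post or from Apache Traffic Server.
Suite names follow OpenSSL conventions (ECDHE-ECDSA-AES128-SHA, AES256-SHA,
DHE-DSS-AES128-SHA ...). The negotiation rule below is a simplified model of
pre-OpenSSL-1.0.2 behaviour, where ECDHE suites were only usable once the
application had set an ephemeral ECDH curve (SSL_CTX_set_tmp_ecdh).
"""
from dataclasses import dataclass
from typing import List, Optional

# Key-exchange prefixes used in OpenSSL suite names (assumed list for the model).
_KX_PREFIXES = ("ECDHE", "ECDH", "DHE", "EDH", "DH", "PSK", "SRP")
_AUTH_ALGS = ("ECDSA", "RSA", "DSS", "PSK")
# Algorithms a practitioner would not deploy today; flagged but still negotiable.
_WEAK_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXP")


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str      # key exchange: RSA (key transport), DHE, ECDHE, ECDH ...
    auth: str    # certificate key type the suite authenticates with
    weak: bool   # contains an obsolete algorithm (RC4, MD5, DES, ...)


def parse_suite(name: str) -> Suite:
    """Split an OpenSSL suite name into key exchange and authentication.

    Names without a prefix (AES256-SHA, RC4-SHA) are RSA key transport with
    RSA authentication. Anonymous suites (AECDH-, ADH-) authenticate nobody.
    """
    parts = name.split("-")
    kx, auth = "RSA", "RSA"
    if parts[0] in ("AECDH", "ADH"):
        return Suite(name, "ECDHE" if parts[0] == "AECDH" else "DHE", "anon", True)
    if parts[0] in _KX_PREFIXES:
        kx = parts[0]
        auth = parts[1] if len(parts) > 1 and parts[1] in _AUTH_ALGS else "RSA"
    weak = any(tok in parts for tok in _WEAK_TOKENS)
    return Suite(name, kx, auth, weak)


def negotiate(cert_key_type: str, server_ciphers: List[str], client_ciphers: List[str],
              ecdh_curve_configured: bool, honor_server_order: bool = True) -> Optional[Suite]:
    """Return the first suite both sides offer that the server can actually use.

    cert_key_type is "ECDSA" or "RSA" (the type of the configured certificate).
    """
    first, second = (server_ciphers, client_ciphers) if honor_server_order \
        else (client_ciphers, server_ciphers)
    for name in first:
        if name not in second:
            continue                      # not offered by the other side
        suite = parse_suite(name)
        if suite.auth != cert_key_type:
            continue                      # certificate cannot authenticate this suite
        if suite.kx == "ECDHE" and not ecdh_curve_configured:
            continue                      # no tmp ECDH curve: ECDHE suites dropped
        if suite.kx == "ECDH":
            continue                      # static ECDH needs a dedicated ECDH cert; not modeled
        return suite
    return None


# Constructed client list resembling an OpenSSL-1.0.1-era s_client default (subset).
CLIENT_DEFAULT = [
    "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES256-SHA", "DHE-RSA-AES256-SHA",
    "AES256-SHA", "ECDHE-ECDSA-RC4-SHA", "ECDHE-RSA-RC4-SHA", "RC4-SHA",
]


def question_scenario(ecdh_curve_configured: bool) -> Optional[Suite]:
    """The thread's setup: ECDSA cert, server restricted to ECDHE-ECDSA-RC4-SHA."""
    return negotiate("ECDSA", ["ECDHE-ECDSA-RC4-SHA"], CLIENT_DEFAULT, ecdh_curve_configured)


def rsa_scenario() -> Optional[Suite]:
    """Same server with an RSA cert and no curve: falls back to RSA key transport."""
    return negotiate("RSA", ["ECDHE-RSA-AES256-SHA", "AES256-SHA"], CLIENT_DEFAULT, False)


if __name__ == "__main__":
    print("ECDSA cert, no curve configured:", question_scenario(False))
    print("ECDSA cert, curve configured:   ", question_scenario(True))
    print("RSA cert, no curve configured:  ", rsa_scenario())
```

Two things the model makes visible: the handshake only succeeds for the ECDSA certificate once `ecdh_curve_configured` is true, which is the answer's point that the server software has to set up ephemeral ECDH itself; and the suite that then gets chosen, ECDHE-ECDSA-RC4-SHA from the comments, is flagged `weak` because of RC4, so the cipher setting should be changed to an AES-based ECDHE-ECDSA suite as soon as the handshake works. On OpenSSL 1.0.2 and later the curve is selected automatically, so the `ecdh_curve_configured` branch describes the 2012 situation rather than a current one.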