I'm still tinkering with different ciphers and signature algorithms in IBM HTTP Server, as per this: -
and hit this today when attempting to create a self-signed certificate using the SHA256WithECDSA Signature Algorithm: -
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -size 2048 -dn "cn=bpm856.uk.ibm.com,dc=uk,dc=ibm,dc=com" -label bpm856.uk.ibm.com_ss -default_cert yes -sigalg SHA256WithECDSA
CTGSK2041W An unsupported modulus size was found.
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -size 1024 -dn "cn=bpm856.uk.ibm.com,dc=uk,dc=ibm,dc=com" -label bpm856.uk.ibm.com_ss -default_cert yes -sigalg SHA256WithECDSA
CTGSK2041W An unsupported modulus size was found.
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -create -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -size 512 -dn "cn=bpm856.uk.ibm.com,dc=uk,dc=ibm,dc=com" -label bpm856.uk.ibm.com_ss -default_cert yes -sigalg SHA256WithECDSA
[ No Message ]
Yep, it worked, as validated here: -
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -list -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! ad2008root
- bpm856.uk.ibm.com
*- bpm856.uk.ibm.com_ss
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -validate -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed
/opt/IBM/HTTPServer/bin/gskcapicmd -cert -details -db /opt/IBM/HTTPServer/ssl/keystore.kdb -stashed -label bpm856.uk.ibm.com_ss
…
Label : bpm856.uk.ibm.com_ss
Key Size : 512
Version : X509 V3
Serial : 71b3dcfd3e00e5d0
Issuer : CN=bpm856.uk.ibm.com,DC=uk,DC=ibm,DC=com
Subject : CN=bpm856.uk.ibm.com,DC=uk,DC=ibm,DC=com
Not Before : 2 June 2016 17:14:00 GMT+01:00
Not After : 3 June 2017 17:14:00 GMT+01:00
…
Key Size : 512
Version : X509 V3
Serial : 71b3dcfd3e00e5d0
Issuer : CN=bpm856.uk.ibm.com,DC=uk,DC=ibm,DC=com
Subject : CN=bpm856.uk.ibm.com,DC=uk,DC=ibm,DC=com
Not Before : 2 June 2016 17:14:00 GMT+01:00
Not After : 3 June 2017 17:14:00 GMT+01:00
…
Signature Algorithm : EC_ecdsa_with_SHA256 (1.2.840.10045.4.3.2)
...
...
I then get deeper into the verification using openssl : -
…
Server Temp Key: ECDH, prime256v1, 256 bits
…
…
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 521 bit
…
Server public key is 521 bit
…
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
…
and SSLSleuth plugin Firefox: -
Cipher suite
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Key exchange: Elliptic curve Diffie-Hellman.
Authentication: ECDSA.
Bulk cipher: AES GCM 128 bits.
HMAC: SHA-256.
Perfect Forward Secrecy: Yes
SSL/TLS Version: TLSv1.2
Connection status: Secure
Certificate
Extended validation: No
Signature: SHA-256/ECDSA
Key: 521 bits ECC
Common name: bpm856.uk.ibm.com
Issued to:
Issued by: bpm856.uk.ibm.com
Validity: 2 June 2016 -- 3 June 2017
Fingerprint: 0F:04:8F:94:F3:0D:72:12:C4:2A: 35:06:C5:6F:BD:17:2A:E1:9F:C9
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Key exchange: Elliptic curve Diffie-Hellman.
Authentication: ECDSA.
Bulk cipher: AES GCM 128 bits.
HMAC: SHA-256.
Perfect Forward Secrecy: Yes
SSL/TLS Version: TLSv1.2
Connection status: Secure
Certificate
Extended validation: No
Signature: SHA-256/ECDSA
Key: 521 bits ECC
Common name: bpm856.uk.ibm.com
Issued to:
Issued by: bpm856.uk.ibm.com
Validity: 2 June 2016 -- 3 June 2017
Fingerprint: 0F:04:8F:94:F3:0D:72:12:C4:2A: 35:06:C5:6F:BD:17:2A:E1:9F:C9
which is nice.
No comments:
Post a Comment