haskell-tls/hs-tls

Server doesn't support ECDSA certificates

Closed this issue · 4 comments

Whenever I use an ECDSA certificate on my server, all connections fail, and it logs the message HandshakeFailed (Error_Protocol ("credential not found",True,HandshakeFailure)).

Steps to reproduce:

  1. Run this command to generate an RSA keypair: openssl req -x509 -newkey rsa:4096 -keyout rsa.key -out rsa.crt -days 365 -nodes -subj '/CN=localhost'
  2. Run an hs-tls server using that RSA keypair, as a control test
  3. Run this command to generate an ECDSA keypair: openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:secp384r1 -pkeyopt ec_param_enc:named_curve -keyout ecdsa.key -out ecdsa.crt -days 365 -nodes -subj '/CN=localhost'
  4. Run the same hs-tls server using all the same settings, except for now using the ECDSA keypair

Implementation exists but waiting for the crypto part.
P-256 should come with cryptonite-0.27 if all goes well.

Support for P-256 added in #436.

Just want to note that this issue persists.
My setup has acme/letsencrypt issue ECDSA certificates and I'm using tls-1.5.4 and cryptonite-0.27 and I get the same error.

I confirmed that tls-simpleserver can communicate well with openssl s_client with the following settings:

% openssl ecparam -out ec_key.pem -name secp256r1 -genkey
% openssl req -new -key ec_key.pem -x509 -nodes -days 3650 -out ec_cert.pem
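The thread turns on which curve the server's certificate carries: the reproduction above uses secp384r1, while the P-256 support added in #436 and the maintainer's confirmation both use secp256r1 (prime256v1). The following is an added triage helper, not code from hs-tls or from anyone in this thread. It walks the DER of a SubjectPublicKeyInfo with no dependencies and reports the key algorithm and named curve, so a certificate can be checked before it is handed to the server. The sample SPKIs are constructed inline with dummy key material (not real keys), and the `hs_tls_can_serve` rule (RSA or P-256 only) is an assumption taken from the thread, not a statement of the library's current behaviour.

```python
"""Classify the public key inside a DER SubjectPublicKeyInfo (SPKI).

Added example; not part of hs-tls. Pure-Python DER walking, no OpenSSL needed.
"""

# OIDs a practitioner meets when triaging TLS server certificates.
OID_RSA = "1.2.840.113549.1.1.1"      # rsaEncryption
OID_EC = "1.2.840.10045.2.1"          # id-ecPublicKey
CURVES = {
    "1.2.840.10045.3.1.7": "prime256v1",   # P-256 / secp256r1
    "1.3.132.0.34": "secp384r1",           # P-384
    "1.3.132.0.35": "secp521r1",           # P-521
}


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, body, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode OID contents bytes into dotted form (e.g. 1.2.840.10045.2.1)."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def classify_spki(spki):
    """Return ("RSA", None), ("EC", curve_name_or_oid) or ("unknown", oid)."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("SPKI must start with a SEQUENCE")
    tag, alg, _ = _read_tlv(body, 0)       # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid_body, after_oid = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    alg_oid = _decode_oid(oid_body)
    if alg_oid == OID_RSA:
        return ("RSA", None)
    if alg_oid == OID_EC:
        # parameters: namedCurve OID, or explicit ECParameters (a SEQUENCE)
        tag, param, _ = _read_tlv(alg, after_oid)
        if tag == 0x06:
            curve_oid = _decode_oid(param)
            return ("EC", CURVES.get(curve_oid, curve_oid))
        return ("EC", "explicit-parameters")
    return ("unknown", alg_oid)


def hs_tls_can_serve(spki):
    """Assumption from the thread: RSA works, and P-256 is the only EC curve."""
    kind, detail = classify_spki(spki)
    return kind == "RSA" or (kind == "EC" and detail == "prime256v1")


# --- constructed sample SPKIs (dummy key material, not real keys) ---------

def _len(n):
    return bytes([n]) if n < 0x80 else bytes([0x81, n])


def _tlv(tag, body):
    return bytes([tag]) + _len(len(body)) + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def _ec_spki(curve, point_len):
    alg = _tlv(0x30, _oid(OID_EC) + _oid(curve))
    point = b"\x00\x04" + b"\x11" * point_len   # uncompressed point, dummy
    return _tlv(0x30, alg + _tlv(0x03, point))


P256_SPKI = _ec_spki("1.2.840.10045.3.1.7", 64)
P384_SPKI = _ec_spki("1.3.132.0.34", 96)
RSA_SPKI = _tlv(0x30, _tlv(0x30, _oid(OID_RSA) + b"\x05\x00")
                + _tlv(0x03, b"\x00" + _tlv(0x30, b"\x02\x01\x03\x02\x01\x03")))

if __name__ == "__main__":
    for name, spki in (("P-256", P256_SPKI), ("P-384", P384_SPKI), ("RSA", RSA_SPKI)):
        print(name, classify_spki(spki), hs_tls_can_serve(spki))
```

To run it against a real certificate, extract the SPKI first (for example `openssl x509 -in ecdsa.crt -pubkey -noout | openssl pkey -pubin -outform DER`) and pass those bytes to `classify_spki`; a secp384r1 result is the case the reporter hit, a prime256v1 result is the case #436 covers.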