DTLS Server with support for both EC and RSA keys


DTLS Server with support for both EC and RSA keys

Suman Paul
Hi,

I have a server that implements DTLS using OpenSSL 1.0.1 but supports only RSA keys as of today. I want to add support to this server to accept EC keys to be able to implement the newer ECDHE-ECDSA cipher suites while retaining support for RSA. Any pointers as to how to go about this?

What I believe is that each kind of key would need a different SSL_CTX object. So I want to switch to the correct context for the SSL session as per the cipher supported by the client (maybe from the cipher list advertised in the ClientHello). Is that the best way of implementing this?

Thanks
Suman

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: DTLS Server with support for both EC and RSA keys

Matt Caswell-2


On 04/02/17 22:23, Suman Paul wrote:

> Hi,
>
> I have a server that implements DTLS using OpenSSL 1.0.1 but supports
> only RSA keys as of today. I want to add support to this server to
> accept EC keys to be able to implement the newer ECDHE-ECDSA cipher
> suites while retaining support for RSA. Any pointers as to how to go
> about this?
>
> What I believe is that each kind of key would need a different
> SSL_CTX object. So I want to switch to the correct context for the
> SSL session as per the cipher supported by the client (maybe from the
> cipher list advertised in the ClientHello). Is that the best way of
> implementing this?

No. You can add both the RSA certificate and the ECDSA certificate to
the same SSL_CTX. Just call one of the SSL_CTX_use_certificate*()
functions twice - once for each certificate type.

Matt
