How to use RSA certificate and ECC certificate simultaneously


maoly527
How to use RSA certificate and ECC certificate simultaneously

Hi,

Does anyone know how to use RSA and ECC certificates simultaneously in one server?

The idea is to install both RSA and ECC certificates; which certificate to use, I think, depends on the cipher requested by the client.

And I know the cipher list is included in the client hello message, but that is part of the handshake, which happens in SSL_accept().

Then how do I know the cipher requested by the client?

It would be very much appreciated if anyone could help me.

Thanks,
Jane Mao 

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: How to use RSA certificate and ECC certificate simultaneously

Viktor Dukhovni
> On Nov 20, 2018, at 9:48 AM, maoly527 <[hidden email]> wrote:
>
> Does anyone know how to use RSA and ECC certificate simultaneously in one server?

You just configure two private keys and two certificate chains by calling:

  if (SSL_CTX_use_certificate_chain_file(ctx, cert_file) <= 0) {
        /* error */;
  }
  if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
        /* error */;
  }
  if (SSL_CTX_check_private_key(ctx) != 1) {   /* returns 1 when the key matches the cert */
        /* error */;
  }

once for each "cert_file" and associated "key_file" (the same file often
holds both, in which case cert_file == key_file).  The SSL error stack
will contain error details.

The SSL library will automatically select the appropriate key and certificate
chain.

--
        Viktor.


Re: How to use RSA certificate and ECC certificate simultaneously

maoly527

Hi Viktor, many thanks for your response.

We are using SSL_CTX_use_certificate() instead of SSL_CTX_use_certificate_chain_file(). Does it also support multiple certificate chains?
As far as I know, OpenSSL 1.0.2 and later have a separate chain store for each type of certificate (RSA, ECC or DSA).
Is there any bad impact from calling it multiple times for the same type of certificate?

Best Regards,
Jane

At 2018-11-20 23:44:59, "Viktor Dukhovni" <[hidden email]> wrote:

Re: How to use RSA certificate and ECC certificate simultaneously

Viktor Dukhovni
> On Nov 21, 2018, at 3:11 AM, 毛 <[hidden email]> wrote:
>
> We are using SSL_CTX_use_certificate() instead of
> SSL_CTX_use_certificate_chain_file().

Do you then add chain certificates one by one?

> Does it also support multiple certificate chains?

I believe it will work correctly in 1.1.x, and perhaps in 1.0.2, but
it has been a while since I've looked at the details.  Check the
documentation and if necessary the source code.  If the documentation
fails to describe this adequately, please open an issue on Github.

> And as I know, OpenSSL 1.0.2 and later have a separate chain store for
> each type of certificate (RSA, ECC or DSA), Is there any bad impact to
> call it multiple times for same type of certificate?

No, but only the last key/cert loaded for a given algorithm will be
used; any previous setting will be replaced.  Make sure you always load
both to avoid having a certificate that does not match the private key.

--
        Viktor.


Re: How to use RSA certificate and ECC certificate simultaneously

maoly527
Hi Viktor,

>Do you then add chain certificates one by one?
Yes, and SSL_CTX_use_certificate() also works with multiple certificate types on 1.0.2.

Many thanks,
Jane

On 2018-11-22 01:24:06, "Viktor Dukhovni" <[hidden email]> wrote: