Support For ECDSA In OpenSSL?


Does the version of OpenSSL on CentOS 6.5 support ECDSA keypairs?

How do I test if this works? (though I should probably ask this on the OpenSSL list)

The reason I suspect a problem is that HIPL for CentOS
(http://infrahip.hiit.fi/) is not creating the ECDSA Host Identity, whereas my Fedora installation IS creating the ECDSA HI.

2 thoughts on - Support For ECDSA In OpenSSL?

  • Harald, I thank you for this insight. It seems when I hit a truly knotty issue you come through with the pointers to get me going in the right direction.

    This is not OpenSSH, but HIP for Linux.

    The HIPL binaries for CentOS were compiled on a 6.5 system with all current updates. Or so the developer told me :)

    Is there some switch that is needed?

    Interesting and so sad. I did a lot of review of drafts for rfc6090
    with Dr. McGrew; more on style than math (“David, I don’t understand what you are trying to say here.” ;) ). Plus look at the errata pages;
    cfrg is talking about issuing a new rfc to include all the errata.

    The supposed inside story is that NSA got really upset that their licensing of the patents was not getting them COTS products, as sales to DoD is a small portion for these vendors. So Kevin joined David as co-author.

    This is mission critical. We can live with RSA for the pilot, but MUST
    be on ECDSA for launch. Since my day job is a major RedHat customer, I
    can have someone from that side of the company do a bug submission against RH6 to get this addressed.

  • I checked with the HIPL developer and got:

    >HIPL checks during ./configure if ECC is missing from OpenSSL and disables all ECC code if it is unavailable.

    So I am checking more into this. What is ./configure actually doing to check if ECC is present or not? Was there something wrong with my install, and I need to install again? That is, is there a test I can do directly against my OpenSSL to determine if NOW I have ECC and did not have something right at that time?

    thanks all for any help
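
One way to run the direct test asked about in the thread, as an added example that is not part of the original posts and is not HIPL's own ./configure check: it asks the installed `openssl` binary whether a curve is available, then generates a throwaway key, signs, verifies, and confirms a tampered message is rejected. The function name `check_ecdsa` and the default curve `prime256v1` are assumptions made for this example.

```shell
#!/bin/sh
# Added example: probe the installed OpenSSL for working ECDSA support.
# Exit status: 0 = ECDSA sign/verify works on the given curve
#              1 = openssl is present but EC (or this curve) is unusable
#              2 = no openssl binary on PATH
check_ecdsa() (
    curve=${1:-prime256v1}      # assumed default for this example (NIST P-256)
    command -v openssl >/dev/null 2>&1 || exit 2

    # 1. A build without EC has no working "ecparam" or lists no such curve.
    openssl ecparam -list_curves 2>/dev/null |
        grep -q "^ *${curve} *:" || exit 1

    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT   # remove the throwaway key material

    # 2. Generate a throwaway key pair on that curve.
    openssl ecparam -name "$curve" -genkey -noout \
        -out "$tmp/key.pem" 2>/dev/null || exit 1
    openssl ec -in "$tmp/key.pem" -pubout \
        -out "$tmp/pub.pem" 2>/dev/null || exit 1

    # 3. Sign a constructed message and verify the signature.
    printf 'constructed test message\n' > "$tmp/msg.txt"
    openssl dgst -sha256 -sign "$tmp/key.pem" \
        -out "$tmp/sig.bin" "$tmp/msg.txt" 2>/dev/null || exit 1
    openssl dgst -sha256 -verify "$tmp/pub.pem" \
        -signature "$tmp/sig.bin" "$tmp/msg.txt" 2>/dev/null |
        grep -q '^Verified OK' || exit 1

    # 4. A modified message must not verify, otherwise step 3 proves nothing.
    printf 'tampered message\n' > "$tmp/bad.txt"
    if openssl dgst -sha256 -verify "$tmp/pub.pem" \
        -signature "$tmp/sig.bin" "$tmp/bad.txt" 2>/dev/null |
        grep -q '^Verified OK'; then
        exit 1
    fi
    exit 0
)
# Usage: check_ecdsa prime256v1 && echo "ECDSA usable"
```

This exercises the `openssl` binary and the library it is linked against at run time; it does not inspect the headers a source build would compile against.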