On 04/25/2014 08:07 AM, Reindl Harald wrote:
On 25.04.2014 13:57, Robert Moskowitz wrote:
Does the version of OpenSSL on Centos 6.5 support ECDSA keypairs?
How do I test if this works? (though I should probably ask this on the OpenSSL list)
The reason I suspect a problem is that HIPL for Centos (http://infrahip.hiit.fi/) is not creating the ECDSA Host Identity, whereas my Fedora installation IS creating the ECDSA HI
The OpenSSL version does (one of the new things in 6.5), but sadly OpenSSH was not rebuilt against the new OpenSSL, so no, currently no ECDSA before RHEL7-Beta1.
Harald, I thank you for this insight. It seems when I hit a truly knotty issue you come through with the pointers to get me going in the right direction.
This is not OpenSSH, but HIP for Linux.
The HIPL binaries for Centos were compiled on a 6.5 system with all current updates. Or so the developer told me :)
Is there some switch that is needed?
here you go for the history https://bugzilla.redhat.com/show_bug.cgi?id=319901#c108
Interesting and so sad. I did a lot of review of drafts for rfc6090 with Dr. McGrew; more on style than math ("David, I don't understand what you are trying to say here." ;) ). Plus look at the errata pages; cfrg is talking about issuing a new rfc to include all the errata.
The supposed inside story is that NSA got really upset that their licensing of the patents was not getting them COTS products, as sales to DoD are a small portion for these vendors. So Kevin joined David as co-author.
This is mission critical. We can live with RSA for the pilot, but MUST be on ECDSA for launch. Since my day job is a major RedHat customer, I can have someone from that side of the company do a bug submission against RH6 to get this addressed.
On 04/25/2014 08:53 AM, Robert Moskowitz wrote:
On 04/25/2014 08:07 AM, Reindl Harald wrote:
On 25.04.2014 13:57, Robert Moskowitz wrote:
Does the version of OpenSSL on Centos 6.5 support ECDSA keypairs?
How do I test if this works? (though I should probably ask this on the OpenSSL list)
The reason I suspect a problem is that HIPL for Centos (http://infrahip.hiit.fi/) is not creating the ECDSA Host Identity, whereas my Fedora installation IS creating the ECDSA HI
The OpenSSL version does (one of the new things in 6.5), but sadly OpenSSH was not rebuilt against the new OpenSSL, so no, currently no ECDSA before RHEL7-Beta1.
This is not OpenSSH, but HIP for Linux.
The HIPL binaries for Centos were compiled on a 6.5 system with all current updates. Or so the developer told me :)
Is there some switch that is needed?
I checked with the HIPL developer and got:
HIPL checks during ./configure if ECC is missing from OpenSSL and
disables all ECC code if it is unavailable.
So I am checking more into this. What is ./configure actually doing to check if ECC is present or not? Was there something wrong with my install, and I need to install again? That is, is there a test I can do directly against my OpenSSL to determine if NOW I have ECC and did not have something right at that time?
thanks all for any help
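
A direct test of the kind asked about above, as an added example that is not part of the thread and not HIPL's own configure logic: `check_ecdsa` exercises the installed `openssl` binary end to end (curve listed, key generated, signature made and verified), and `headers_disable_ec` looks at the build-time side by searching the installed headers for the `OPENSSL_NO_EC` macro that an EC-less OpenSSL build defines. Assumptions: the curve `prime256v1` (NIST P-256), the header directory `/usr/include/openssl`, and that a configure-time check keys on that macro; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: probe the installed OpenSSL for working ECDSA support.

# Runtime view. Returns 0 = ECDSA sign/verify works,
# 1 = EC missing or broken, 2 = no openssl binary on PATH.
check_ecdsa() {
    curve="${1:-prime256v1}"    # assumption: NIST P-256 under OpenSSL's name
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 2; }
    openssl version

    # 1. Is the curve compiled in? An EC-less build fails or lists nothing.
    if ! openssl ecparam -list_curves 2>/dev/null | grep -q "^ *$curve *:"; then
        echo "curve $curve not available"
        return 1
    fi

    tmp=$(mktemp -d) || return 1
    rc=1
    # 2. generate a key pair, 3. extract the public key,
    # 4. sign a constructed message, 5. verify with the public half only.
    if openssl ecparam -name "$curve" -genkey -noout -out "$tmp/key.pem" 2>/dev/null &&
       openssl ec -in "$tmp/key.pem" -pubout -out "$tmp/pub.pem" 2>/dev/null &&
       printf 'constructed test message\n' > "$tmp/msg" &&
       openssl dgst -sha256 -sign "$tmp/key.pem" -out "$tmp/sig" "$tmp/msg" 2>/dev/null &&
       openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/sig" "$tmp/msg" >/dev/null 2>&1
    then
        rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# Build-time view. Returns 0 if the headers define OPENSSL_NO_EC, i.e. code
# compiled against them would see EC as disabled regardless of the binary.
# Assumption: headers are under /usr/include/openssl (override with $1).
headers_disable_ec() {
    grep -rqsE '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_EC([[:space:]]|$)' \
        "${1:-/usr/include/openssl}"
}
```

Source the file, then run `check_ecdsa; echo $?` and `headers_disable_ec && echo "headers say no EC"`; a mismatch between the two results points at binaries built against older headers than the library now installed.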