Does the version of OpenSSL on Centos 6.5 support ECDSA keypairs?
How do I test if this works? (though I should probably ask this on the OpenSSL list)
The reason I suspect a problem is that HIPL for Centos (http://infrahip.hiit.fi/) is not creating the ECDSA Host Identity, whereas my Fedora installation IS creating the ECDSA HI.
From: Robert Moskowitz rgm@htt-consult.com
> Does the version of OpenSSL on Centos 6.5 support ECDSA keypairs?
Google finds:
"ECDSA Support in OpenSSL Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the Digital Signature Algorithm (DSA) which uses Elliptic Curve Cryptography (ECC). Note that only the nistp256 and nistp384 curves are supported."
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/...
JD
On Fri, 25 Apr 2014, Robert Moskowitz wrote:
> Does the version of OpenSSL on Centos 6.5 support ECDSA keypairs?
On CentOS 6.5, OpenSSL does but SSH does not.
> How do I test if this works? (though I should probably ask this on the OpenSSL list)
On a CentOS 6.5 box, asking for an ECDSA key fails:
  [centos-6.5]$ ssh-keygen -f zzz -t ecdsa
  unknown key type ecdsa
On a Debian jessie box, it succeeds:
  [debian]$ ssh-keygen -f zzz -t ecdsa
  Generating public/private ecdsa key pair.
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  Your identification has been saved in zzz.
  Your public key has been saved in zzz.pub.
If I scp the newly created zzz key to a CentOS box, its openssl binary can understand it:
  [centos-6.5]$ openssl ec -in zzz
  read EC key
  writing EC key
  -----BEGIN EC PRIVATE KEY-----
  ...
  -----END EC PRIVATE KEY-----
That's the best test I know.
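The two probes Paul describes (ssh-keygen for OpenSSH, openssl for the library) can be scripted so they run on any box without leaving key files behind. The following is an added example for this thread, not code from the list or from the HIPL project; it assumes only a POSIX shell, mktemp, and whatever openssl and ssh-keygen binaries are on PATH (or are passed in as the first argument). It generates a P-256 key directly with openssl ecparam rather than copying one over from another host, which exercises the same EC code path as Paul's openssl ec test.

```bash
#!/bin/sh
# Added example (not from the original thread): probe whether the local OpenSSL
# and OpenSSH support ECDSA keys. Exit codes from each probe:
#   0 = ECDSA supported, 1 = not supported, 2 = binary not found.

# Generate a P-256 EC keypair with the given openssl binary (default: openssl on
# PATH) and check that the result round-trips through 'openssl ec'.
check_openssl_ecdsa() {
    bin="${1:-openssl}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    tmp="$(mktemp)" || return 2
    # prime256v1 is OpenSSL's name for NIST P-256, one of the two curves the
    # Red Hat documentation quoted earlier in the thread lists as supported.
    if "$bin" ecparam -name prime256v1 -genkey -noout -out "$tmp" >/dev/null 2>&1 \
       && "$bin" ec -in "$tmp" -noout >/dev/null 2>&1; then
        rm -f "$tmp"
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Same probe for OpenSSH; on CentOS 6.5 this is the step that fails with
# "unknown key type ecdsa". Keys go into a throwaway directory.
check_ssh_ecdsa() {
    bin="${1:-ssh-keygen}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    dir="$(mktemp -d)" || return 2
    if "$bin" -q -t ecdsa -N '' -f "$dir/zzz" >/dev/null 2>&1; then
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}

# Turn a probe's exit code into a one-line verdict.
report() {
    case "$2" in
        0) echo "$1: ECDSA supported" ;;
        1) echo "$1: ECDSA NOT supported" ;;
        *) echo "$1: binary not found" ;;
    esac
}

# Written so the script also behaves under 'set -e'.
rc=0; check_openssl_ecdsa || rc=$?; report openssl "$rc"
rc=0; check_ssh_ecdsa || rc=$?; report ssh-keygen "$rc"
```

On a CentOS 6.5 host this is expected to print "openssl: ECDSA supported" followed by "ssh-keygen: ECDSA NOT supported", which is exactly the split Paul describes: the library has EC, the OpenSSH build does not.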
On 04/25/2014 12:13 PM, Paul Heinlein wrote:
> On Fri, 25 Apr 2014, Robert Moskowitz wrote:
>> Does the version of OpenSSL on Centos 6.5 support ECDSA keypairs?
> On CentOS 6.5, OpenSSL does but SSH does not.
>> How do I test if this works? (though I should probably ask this on the OpenSSL list)
> On a CentOS 6.5 box, asking for an ECDSA key fails:
>   [centos-6.5]$ ssh-keygen -f zzz -t ecdsa
>   unknown key type ecdsa
And that is an ssh way of testing for ecdsa support.
It looks like ecdsa IS there and something is wrong with my setup. I tried creating a new ecdsa Host Identity:
  # hipconf daemon new hi pub ecdsa hip_host_ecdsa_key_pub
  Using hostname: oqo1.htt-consult.com
  Using format ecdsa and file hip_host_ecdsa_key_pub
  dirname=. mode=755
  Saving ECDSA keys to: pub='hip_host_ecdsa_key_pub.pub' priv='hip_host_ecdsa_key_pub'
  Key saved.
It looks like it did work. But when I went to use it:
  # hipconf daemon add hi pub ecdsa hip_host_ecdsa_key_pub
  Using hostname: oqo1.htt-consult.com
  Using format ecdsa and file hip_host_ecdsa_key_pub
  Could not open private key file /etc/hip/hip_host_ecdsa_key_anon for reading
  Loading of the ECDSA key failed
there is a problem. It should not be trying to read an anon file.
Bottom line. Looks like ecdsa is in OpenSSL for Centos 6.5 and that the HIPL build is using it. Just something wrong on my install.
Sorry for the noise.