[jdavies@localhost ssl]$ gnutls-serv -p 8443 --x509fmtder --x509certfile cert.der \
--x509keyfile key.der --protocols TLS1.2
GnuTLS doesn't have an option to supply a password-protected key file, so
you have to remove password protection from the key file if you've enabled it,
as is shown in Chapter 7. At the time of this writing, version 2.8.6 is also not
quite RFC 5246 compliant; it's compliant to an earlier, draft specification.
The most glaring difference is that it uses SHA-1 instead of SHA-256 to compute
the PRF and the finalize data. This may be corrected by the time you read this,
so you may want to double-check and see if this has been addressed yet. Even
with TLS 1.2 support, it doesn't yet support any AEAD or ECC cipher suites.
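Why the hash mismatch matters for interoperability, as an added example that is not from the book or from GnuTLS: the sketch below implements the RFC 5246 P_hash expansion and computes the 12-byte Finished verify data with SHA-256 and with SHA-1. It assumes the draft behaviour can be modelled by substituting SHA-1 into the same construction; the master secret, transcript and function names are constructed for illustration.

```python
import hashlib
import hmac

def p_hash(hash_name, secret, seed, length):
    """P_hash from RFC 5246 section 5, with a selectable hash function."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hash_name).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hash_name).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]

def verify_data(hash_name, master_secret, handshake_messages, label):
    """Finished verify data: PRF(master_secret, label, Hash(handshake_messages))[0..11]."""
    transcript_hash = hashlib.new(hash_name, handshake_messages).digest()
    return p_hash(hash_name, master_secret, label + transcript_hash, 12)

# Constructed sample values, not taken from a real handshake.
MASTER_SECRET = bytes(range(48))
HANDSHAKE = b"constructed handshake transcript"

def finished_matches(sender_hash, receiver_hash):
    """True if a Finished message built with sender_hash verifies under receiver_hash.

    The master secret is held fixed to isolate the Finished check; in a real
    handshake the master secret is itself a PRF output and would differ too.
    """
    sent = verify_data(sender_hash, MASTER_SECRET, HANDSHAKE, b"client finished")
    expected = verify_data(receiver_hash, MASTER_SECRET, HANDSHAKE, b"client finished")
    return hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    for name in ("sha256", "sha1"):
        vd = verify_data(name, MASTER_SECRET, HANDSHAKE, b"client finished")
        print(name, vd.hex())
    print("RFC 5246 peer vs RFC 5246 peer:", finished_matches("sha256", "sha256"))
    print("RFC 5246 peer vs SHA-1 draft peer:", finished_matches("sha256", "sha1"))
```

A peer that follows RFC 5246 and a peer using the SHA-1 variant both advertise TLS 1.2, yet the handshake cannot complete because each side rejects the other's Finished message.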
OpenSSL 1.0.0 does support ECC, but only in the context of TLS 1.0. It doesn't
yet even support TLS 1.1. To run an ECDHE-ECDSA-capable OpenSSL server,
you must have an ECDSA certificate as discussed previously, and then run:
[jdavies@localhost openssl-1.0.0]$ apps/openssl s_server -tls1 -cipher \
ECDHE-ECDSA-AES128-SHA -cert ecdsacert.pem -key ecdsakey.pem -accept 8443
If you want to test the code in the previous section against this server, though,
you need to first ensure that everything else is TLS 1.0 compliant.