logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: supported ecdsa curves?
Author
mrdj1024



Joined: 03 Apr 2023
Posts: 75
Location: Bridgeton,NJ,USA
PostPosted: Thu 10 Jul '25 2:10    Post subject: supported ecdsa curves? Reply with quote
hi!
so i found a free self signed ssl cert generator and it gives options to generate edwards curves or brainpool curves but when i put my cert on my ssl conf file it says no supported curves
are we forced to use the p-256 curve?
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7442
Location: EU, Germany, Next to Hamburg
PostPosted: Thu 10 Jul '25 11:45    Post subject: Reply with quote
The used curves are not the cipher.

You can define the used curves via SSLOpenSSLConfCmd

e.g.
Code:

SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves secp521r1:secp384r1


or

for like SSL TR-03116-4 Apache config from Bundesamts für Sicherheit in der Informationstechnik (BSI)

Code:

SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:brainpoolP256r1
SSLOpenSSLConfCmd SignatureAlgorithms "ECDSA+SHA512:ECDSA+SHA384:ECDSA+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256"
Back to top
mrdj1024



Joined: 03 Apr 2023
Posts: 75
Location: Bridgeton,NJ,USA
PostPosted: Thu 10 Jul '25 12:45    Post subject: Reply with quote
thanks for the reply i get this message
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
using latest apache 2.4.63 from apachelounge on windows
heres whats in my file
------------------------------------------------------------
SSLProtocol -all +TLSv1.2 +TLSv1.3
SSLCompression Off
SSLProxyProtocol -all +TLSv1.2 +TLSv1.3
SSLOpenSSLConfCmd ECDHParameters secp521r1
SSLOpenSSLConfCmd Curves X25519:secp521r1:secp384r1:brainpoolP256r1
SSLOpenSSLConfCmd SignatureAlgorithms "ECDSA+SHA512:ECDSA+SHA384:ECDSA+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA256:rsa_pss_rsae_sha512:rsa_pss_rsae_sha384:rsa_pss_rsae_sha256"
----------------------------------------------------------
SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384
----------------------------------------------------------
im wanting to use all brainpool for my server so what do i need to do to make it secure?
EDIT: am using a brainpool256r1 key
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7442
Location: EU, Germany, Next to Hamburg
PostPosted: Tue 15 Jul '25 9:16    Post subject: Reply with quote
A fully working SSL config is available at https://github.com/JBlond/debian_build_apache24/blob/master/ssl-bsi-tr-03116-4.conf

If that doesn't work, you have to go into debugging using the LogLevel for the SSL module.


Code:
 <IfModule mod_ssl.c>
    ErrorLog /var/log/apache2/ssl_engine.log
    LogLevel debug
  </IfModule>


For more info, see http://wiki.apache.org/httpd/DebuggingSSLProblems

if you still have a question, please ask again.
Back to top


Reply to topic   Topic: supported ecdsa curves? View previous topic :: View next topic
Post new topic   Forum Index -> Apache