From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 30FF4138A1F for ; Sat, 19 Apr 2014 11:52:46 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 74F2AE0AF6; Sat, 19 Apr 2014 11:52:41 +0000 (UTC) Received: from mail-wi0-f176.google.com (mail-wi0-f176.google.com [209.85.212.176]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 4546EE0AC8 for ; Sat, 19 Apr 2014 11:52:39 +0000 (UTC) Received: by mail-wi0-f176.google.com with SMTP id r20so373575wiv.15 for ; Sat, 19 Apr 2014 04:52:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:reply-to:to:subject:date:user-agent:references:in-reply-to :mime-version:content-type:content-transfer-encoding:message-id; bh=6TTgQV2MDpCFBYklJWte5g6QeAI+kPsB5h8+vJyvbEs=; b=ILf2vEuzrTuJ1DTMz01tQxIsfxS7ZFiDUd115Wz8NehRiZ0A7jkhi/vvaijZ9daHDt 7Q8mID4Eq14FHBx/PiyR9bgqSsRgEqkLEEyQWB3LXrX+D3ZWC/I7VhOqOKtqZBcfbEfH AQhBVwmBW+OzibKejLEco6rfwBy04wU0yXrpk9uo7NrjGfThme1h94aBeycA+51A8PNb XDzD7SgyNTqSSUHvkH9sIXxGmGHzbTkZw+Oq0NNKPLfEDzhEk7bVjzjco+yoH6DAQWiA dW+aOfwYZ+o/bvluRX632/k2GuX4fNtGXTMj/6kNorh0XB0phEtdbvBTIofvWqpU6ZVc Gs/g== X-Received: by 10.180.19.69 with SMTP id c5mr6379299wie.7.1397908358695; Sat, 19 Apr 2014 04:52:38 -0700 (PDT) Received: from dell_xps.localnet (230.3.169.217.in-addr.arpa. [217.169.3.230]) by mx.google.com with ESMTPSA id y20sm3282838wiv.14.2014.04.19.04.52.36 for (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 19 Apr 2014 04:52:37 -0700 (PDT) From: Mick To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Heartbleed fix - question re: replacing self-signed certs with real ones Date: Sat, 19 Apr 2014 12:51:53 +0100 User-Agent: KMail/1.13.7 (Linux/3.12.13-gentoo; KDE/4.11.5; x86_64; ; ) References: <20140417184325.GA22082@lyseo.edu.ouka.fi> In-Reply-To: <20140417184325.GA22082@lyseo.edu.ouka.fi> Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 Content-Type: multipart/signed; boundary="nextPart1613935.tKW05btj6K"; protocol="application/pgp-signature"; micalg=pgp-sha1 Content-Transfer-Encoding: 7bit Message-Id: <201404191252.20412.michaelkintzios@gmail.com> X-Archives-Salt: 83862861-3018-4815-8d4f-d1e448c707ea X-Archives-Hash: a756c9f94647db38af26cbcfacc7dc10 --nextPart1613935.tKW05btj6K Content-Type: Text/Plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable On Thursday 17 Apr 2014 19:43:25 Matti Nykyri wrote: > On Thu, Apr 17, 2014 at 04:49:45PM +0100, Mick wrote: > > Can you please share how you create ECDHE_ECDSA with openssl ecparam, or > > ping a URL if that is more convenient? >=20 > Select curve for ECDSA: > openssl ecparam -out ec_param.pem -name secp521r1 [snip ...] > I don't know much about the secp521r1 curve or about its security. [snip ...] It seems that many sites that use ECDHE with various CA signature algorithm= s=20 (ECC as well as conventional symmetric) use the secp521r1 curve - aka P-256= =2E =20 I just checked and gmail/google accounts use it too. Markus showed secp384r1 (P-384) in his example. The thing is guys that both of these are shown as 'unsafe' in the=20 http://safecurves.cr.yp.to tables and are of course specified by NIST and N= SA. Thank you both for your replies. I need to read a bit more into all this=20 before I settle on a curve. =2D-=20 Regards, Mick --nextPart1613935.tKW05btj6K Content-Type: application/pgp-signature; name=signature.asc Content-Description: This is a digitally signed message part. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAABAgAGBQJTUmN0AAoJELAdA+zwE4YekpMIALwUbSQpVBZRp1Y/12BZgbcn bSKZtSuhC6pdwirHeJiFvIHYYR+O7/9asvLX4Hy2nXQKDvQMhUvhEQrfZfvv3ikw Hj2wsBa1JnG8Ri5EDQ6JYEO5mzpX4ehln/yTA5qG74GPSNdOQvrz+UQOuS9xRFO/ XEqWHIQ9wd1VFPD/NSTAlGhOyVURBsYesBhE/TWfnX+emwtEXHr/YwbHn1ieykM/ cXKSfpIbh9Jnp2QJA5At3a3An22JC7ONl7EC8loU6AYRX24EiNPMWnp81zx8rDnm hryN5Ie/bSAko2V9ond86IYgVZwwNWYs4xSyVCJ6BPuvDEmTdQ+IDQystTScNPg= =/6iD -----END PGP SIGNATURE----- --nextPart1613935.tKW05btj6K--