Apache2 – SSL with ECC Configuration


Is it possible to configure Apache2 to use elliptic curve crypto (ecc) with SSL? This bug https://issues.apache.org/bugzilla/show_bug.cgi?id=40132 appears (to me) to indicate that this is supported, but I can't find any instructions anywhere.

Best Answer

Apache supports ECC Certificates and Protocols as of version 2.2.26. Though if you are using an Apache server from a distro's repository it may be the same version. Ubuntu for example added support in version 2.2.22-1ubuntu1.9.

If you have a version that supports ECC certificates, it should be enabled by default. Assuming you're using OpenSSL, the commands to generate an ECC key and CSR are:

ECC P-256 Key:

openssl ecparam -out server.key -name prime256v1 -genkey

ECC CSR:

openssl req -new -key server.key -out server.csr

The installation steps for ECC certs in Apache are identical to RSA. You'd still specify the public key entry, private key entry, and the relevant intermediates. Just double check that your CA supports the issuance of ECC certificates. You can double check ECC compatibility to address any concerns with connecting clients.
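
An added example, not part of the original answer: it runs the two OpenSSL commands above and then checks that the key really is on `prime256v1` and that the CSR carries that key's public half before it goes to the CA. The function names, the `-subj` option (used to avoid the interactive prompts) and the `www.example.test` subject are assumptions chosen for the illustration.

```shell
#!/bin/sh
# Added example: generate the P-256 key and CSR with the answer's commands,
# then check both before sending the CSR to a CA.

# make_ecc_key_and_csr DIR CN  (CN is a constructed sample subject)
make_ecc_key_and_csr() {
    dir=$1; cn=$2
    # Create the private key readable by its owner only.
    ( umask 077
      openssl ecparam -out "$dir/server.key" -name prime256v1 -genkey ) || return 1
    # -subj (assumption: added here) skips the interactive subject prompts.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$cn" || return 1
}

# Print the named curve of an EC private key, e.g. prime256v1.
key_curve() {
    openssl ec -in "$1" -noout -text 2>/dev/null | sed -n 's/^ASN1 OID: //p'
}

# Succeed only if the CSR carries the public half of the given private key.
csr_matches_key() {
    key_pub=$(openssl ec -in "$1" -pubout 2>/dev/null) || return 1
    csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
make_ecc_key_and_csr "$demo_dir" "www.example.test"
echo "curve: $(key_curve "$demo_dir/server.key")"
csr_matches_key "$demo_dir/server.key" "$demo_dir/server.csr" && echo "CSR matches key"
rm -rf "$demo_dir"
```

The same public-key comparison works against the issued certificate by swapping `openssl req -in ... -noout -pubkey` for `openssl x509 -in ... -noout -pubkey`.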