Serving ecdsa private key with net/http

[Dex Wood]

I was experimenting with self-signed keys. I generated an elliptic curve key, and tried to use it with ListenAndServerTLS, and the http package panics when you use the certificate and private key pair:

http: panic serving 192.168.1.5:49165: interface conversion: interface is *ecdsa.PrivateKey, not *rsa.PrivateKey

goroutine 11 [running]:

net/http.func·006()

/home/dex/go/src/pkg/net/http/server.go:799 +0xac

crypto/tls.(*ecdheRSAKeyAgreement).generateServerKeyExchange(0xc200156080, 0xc2000e3000, 0xc2000b5690, 0xc2000b9870, 0xc20012c800, ...)

/home/dex/go/src/pkg/crypto/tls/key_agreement.go:154 +0x4d7

crypto/tls.(*serverHandshakeState).doFullHandshake(0x7f855af21d80, 0x7f855af21d00, 0x0)

/home/dex/go/src/pkg/crypto/tls/handshake_server.go:307 +0x41a

crypto/tls.(*Conn).serverHandshake(0xc2000e5280, 0x0, 0x0)

/home/dex/go/src/pkg/crypto/tls/handshake_server.go:80 +0x20e

crypto/tls.(*Conn).Handshake(0xc2000e5280, 0x0, 0x0)

/home/dex/go/src/pkg/crypto/tls/conn.go:844 +0xec

net/http.(*conn).serve(0xc20012c780)

/home/dex/go/src/pkg/net/http/server.go:814 +0x1c8

created by net/http.(*Server).Serve

/home/dex/go/src/pkg/net/http/server.go:1338 +0x266

I used the following openssl commands to generate the key and certificate:

openssl ecparam -out key.pem -name prime256v1 -genkey

openssl req -new -key key.pem -out server.csr

openssl x509 -req -days 365 -in server.csr -signkey key.pem -out server.crt

Is this because net/http's TLS functionality only supports RSA?

I am currently at version

go version devel +131f8c8eb722 Wed Mar 06 16:52:03 2013 -0800 linux/amd64

[agl]

On Friday, March 8, 2013 1:12:20 PM UTC-5, Dex Wood wrote:

Is this because net/http's TLS functionality only supports RSA?

Yes.

It's not that far away from being able to support ECDSA, but the code isn't there yet.

Cheers

AGL 

[Dave Cheney]

Should there be a bug raise for this feature ?

> --
> You received this message because you are subscribed to the Google Groups
> "golang-nuts" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to golang-nuts...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>

[jfcg...@gmail.com]

Hi,

I am trying the following Go example on windows 7 with Chrome 30 and Go 1.2rc3-amd64 using unencrypted Elliptic Curve keys :

import (
	"log"
	"net/http"
)

func handler(w http.ResponseWriter, req *http.Request) {
	w.Header().Set("Content-Type", "text/plain")
	w.Write([]byte("This is an example server.\n"))
}

func main() {
	http.HandleFunc("/", handler)
	log.Printf("About to listen on 10443. Go to https://127.0.0.1:10443/")
	err := http.ListenAndServeTLS(":10443", "cert.pem", "key.pem", nil)
	if err != nil {
		log.Fatal(err)
	}
}

I get the following error:

Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

How can I get a debug message ? What were the lists of TLS/cipher versions that Chrome and the server couldnt agree on? Is there any other policy of Chrome/windows that prevents EC keys. I was able to use RSA keys and it worked !

Was anyone able to use EC keys with Go 1.2rc3 on windows 7 & Chrome ?

Note : I tried the following to create my keys (OpenSSL 1.0.1e and GnuTLS 3.2.6):

certtool.exe -p --outfile key.pem --ecc

certtool.exe -s --load-privkey key.pem --hash sha1 --outfile cert.pem --pkcs-cipher aes-128 (tried without aes-128 option as well)

openssl ecparam -name secp224r1 -out ecpar.pem

openssl req -nodes -x509 -days 1234 -newkey ec:ecpar.pem -keyout key.pem -out cert.pem

Thanks !..

[a...@google.com]

On Saturday, November 9, 2013 4:41:29 AM UTC-5, jfcg...@gmail.com wrote:

openssl ecparam -name secp224r1 -out ecpar.pem

openssl req -nodes -x509 -days 1234 -newkey ec:ecpar.pem -keyout key.pem -out cert.pem

I'm a little surprised that P-224 even loaded, but P-256 is the minimum curve supported by browsers.

Cheers

AGL