[Solved] Does Lighttpd support ECDSA and RSA certificates at the same time (for the same host)? (=> No)

Added by leszek 4 months ago

I am trying to use two types of certificates (ECDSA and RSA) at the same time for the same host.
I couldn't find documentation pertaining to such setup, only one hint to concatenate both certificates with respective chains to single PEM file and use it in config directive "ssl.pemfile".
In such a setup Lighttpd uses the first certificate in the PEM file (ECDSA in my case) and does not support RSA requests. SSLLabs SSLtest shows for TLS 1.2 only support for ECDHE-ECDSA type ciphers and no ECDHE-RSA, although configured as follows:

ssl.openssl.ssl-conf-cmd += ("CipherString" => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305")

lighttpd/1.4.76 (Alpine Linux)

Can I use both ECDSA and RSA certs in such setup?


Replies (3)

RE: Does Lighttpd support ECDSA and RSA certificates at the same time (for the same host)? - Added by gstrauss 4 months ago

First, why bother? This may have been more useful many years ago when clients were transitioning to support elliptic curves, but why do you need to support both now/today?

It might be possible with lighttpd mod_openssl, with a custom config in ssl.openssl.ssl-conf-cmd. As I recall, openssl supports both certificate types at the same time if the certificate chains are properly constructed. I am not sure whether or not any changes would be needed for this to work in lighttpd.
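An added example (not from this thread and not lighttpd or mod_openssl code) showing the openssl-level behaviour gstrauss refers to, and the check that corresponds to what SSLLabs reports per cipher suite: openssl's own s_server is given an ECDSA certificate as primary (-cert/-key) and an RSA certificate as additional (-dcert/-dkey), then s_client is restricted to a single TLS 1.2 cipher suite and the key algorithm of the leaf certificate the server actually sent is printed. The script assumes the openssl command-line tool (1.1.1 or later) is on PATH and that local port 14433 (an arbitrary choice) is free; both certificates are self-signed and generated on the fly.

```shell
#!/bin/sh
# Added example: dual ECDSA + RSA certificate negotiation demonstrated with
# openssl's own s_server / s_client. Not lighttpd code; assumes the openssl
# CLI (1.1.1+) is installed and that the loopback port below is unused.
set -eu

PORT=14433                      # assumption: free local port
WORK=$(mktemp -d)
SRV_PID=

cleanup() {
    [ -n "$SRV_PID" ] && kill "$SRV_PID" 2>/dev/null
    rm -rf "$WORK"
}
trap cleanup EXIT

# Two self-signed leaf certificates for the same name, one per key type.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/ec.key" -out "$WORK/ec.crt" -subj /CN=localhost -days 1 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$WORK/rsa.key" -out "$WORK/rsa.crt" -subj /CN=localhost -days 1 2>/dev/null

# s_server takes a primary certificate (-cert/-key) plus an additional one of
# a different key type (-dcert/-dkey). This is the openssl-level dual-cert
# setup; concatenating both into one ssl.pemfile does not give lighttpd this.
openssl s_server -accept "$PORT" -www \
    -cert "$WORK/ec.crt" -key "$WORK/ec.key" \
    -dcert "$WORK/rsa.crt" -dkey "$WORK/rsa.key" >/dev/null 2>&1 &
SRV_PID=$!

# Wait until the listener completes a handshake.
i=0
until openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
    i=$((i + 1))
    [ "$i" -lt 10 ] || { echo "server did not start" >&2; exit 1; }
    sleep 1
done

# Offer exactly one TLS 1.2 cipher suite and report the public key algorithm
# of the leaf certificate the server chose (rsaEncryption or id-ecPublicKey).
# In TLS 1.2 an ECDHE-RSA-* suite can only be completed with an RSA
# certificate, so this mirrors the per-suite test SSLLabs performs.
probe() {
    openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -cipher "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null |
        sed -n 's/^ *Public Key Algorithm: *//p'
}

echo "ECDHE-ECDSA-AES128-GCM-SHA256 -> $(probe ECDHE-ECDSA-AES128-GCM-SHA256)"
echo "ECDHE-RSA-AES128-GCM-SHA256   -> $(probe ECDHE-RSA-AES128-GCM-SHA256)"
```

Running the same two probe calls against a lighttpd instance configured with a concatenated ssl.pemfile is the quickest way to confirm what the original post observed: the RSA-only probe fails the handshake (empty output) because only the first certificate in the file is served. For TLS 1.3 the cipher suite no longer implies the certificate type; use s_client's -sigalgs option (for example RSA-PSS+SHA256) instead of -cipher to force the choice.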

RE: Does Lighttpd support ECDSA and RSA certificates at the same time (for the same host)? - Added by leszek 4 months ago

Thank you for the answer.
You are probably right that there is no point at the moment. I was wondering for completeness' sake, as Postfix and Dovecot do support dual cert config using openssl.
Your answer also prompted me to have a look at the mod_openssl source, and from what I gather it sets both chains supported by openssl (SSL_set0_chain and SSL_set1_chain) to the same pemfile - so probably without changing lighttpd and mod_openssl, a dual cert setup for the same host will not work.

RE: Does Lighttpd support ECDSA and RSA certificates at the same time (for the same host)? - Added by gstrauss 4 months ago

I was wondering for completeness' sake

Maybe focus on security instead?
Odds are good at this point that any client which does not support ECDSA is out-of-date, unmaintained, and contains known security issues.
