Bug #1851
closed
ECC-Cert breaks the webconfigurator
Added by Michal Fresel over 13 years ago.
Updated over 10 years ago.
Description
Uploading a certificate which is using Elliptic curve cryptography (ECC) - afterwards webconfigurator stops responding.
related to Bug #1190?
- Status changed from New to Feedback
Applied in changeset commit:f65b6851ea3d473128e48419450f0edb5d8830d9.
from /var/log/lighttpd.error.log
2011-xx-xx xx:xx:xx: (connections.c.299) SSL: 1 error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
no connection possible
will provide a sample for selftest
I think lighty needs it enabled in config, and presently we do not enable sslv3.
gen
openssl ecparam -name secp521r1 -genkey -out key.pem
req
openssl req -new -key key.pem -out req.pem
sign
openssl req -x509 -in req.pem -key key.pem -out selfigned.pem
uploading key + selfsigned breaks GUI
maybe we want to "block" uploading the following curves until working
openssl ecparam -list_curves
"quick+dirty-fix"
openssl x509 -noout -text -in selfigned.pem | grep 'Signature Algorithm:'
… the proper way should be by OID, but for now I'm going to bed ;)
maybe testing using the php-function "openssl_pkey_get_details" and checking for return-level could sanitize uploading unsupported certificates?
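<?php
// Load the public key from the uploaded PEM (a certificate or a public key).
$pubKey = openssl_pkey_get_public(file_get_contents('./myfile.pem'));
// openssl_pkey_get_details() returns false on failure, otherwise an array.
$keyData = ($pubKey !== false) ? openssl_pkey_get_details($pubKey) : false;
if ($keyData === false) {
    exit("unsupported or unreadable key\n");
}
print $keyData['bits'] . "\n";  // key size in bits
print $keyData['key'] . "\n";   // PEM-encoded public key
print $keyData['type'] . "\n";  // numeric key type, see list below
?>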
types are
0: RSA
1: DSA
2: DH
3: EC
-1: unknown
permitting use of valid and "supported" certificates and rejecting others as "unsupported" or "unknown" might help until implemented.
- Status changed from Feedback to Closed
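The upload check proposed in the last comment, written out as an added example that is not part of the ticket or of the project's code. The function names, the RSA-only allow-list and the in-memory test certificates are assumptions made for illustration.

```php
<?php
// Added example: hypothetical upload check, not the project's own code.
// Assumption: only RSA counts as supported; the ticket only says EC certificates break the GUI.
const KEY_TYPE_NAMES = [
    OPENSSL_KEYTYPE_RSA => 'RSA', OPENSSL_KEYTYPE_DSA => 'DSA',
    OPENSSL_KEYTYPE_DH => 'DH', OPENSSL_KEYTYPE_EC => 'EC',
];

// Returns [accepted, reason]. Run this before the certificate reaches the web server config.
function check_cert_upload(string $certPem, string $keyPem, array $allowed = [OPENSSL_KEYTYPE_RSA]): array
{
    $pub = openssl_pkey_get_public($certPem);   // false if the PEM cannot be parsed
    $details = ($pub !== false) ? openssl_pkey_get_details($pub) : false;
    if ($details === false) {
        return [false, 'unknown: certificate or key type could not be parsed'];
    }
    $name = KEY_TYPE_NAMES[$details['type']] ?? 'unknown';
    if ($details['type'] === OPENSSL_KEYTYPE_EC && isset($details['ec']['curve_name'])) {
        $name .= ' (' . $details['ec']['curve_name'] . ')';
    }
    if (!in_array($details['type'], $allowed, true)) {
        return [false, "unsupported: $name, {$details['bits']} bits"];
    }
    // Also refuse a private key that does not belong to the certificate.
    if (!openssl_x509_check_private_key($certPem, $keyPem)) {
        return [false, 'private key does not match certificate'];
    }
    return [true, "supported: $name, {$details['bits']} bits"];
}

// Constructed sample input: throwaway self-signed certificates generated in memory.
function make_selfsigned(array $keyOpts): array
{
    $key = openssl_pkey_new($keyOpts);
    $csr = openssl_csr_new(['commonName' => 'selftest.example'], $key, ['digest_alg' => 'sha256']);
    $crt = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
    openssl_x509_export($crt, $certPem);
    openssl_pkey_export($key, $keyPem);
    return [$certPem, $keyPem];
}

[$ecCert, $ecKey] = make_selfsigned(['private_key_type' => OPENSSL_KEYTYPE_EC, 'curve_name' => 'secp521r1']);
[$rsaCert, $rsaKey] = make_selfsigned(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);

print_r(check_cert_upload($ecCert, $ecKey));    // EC certificate with its own key
print_r(check_cert_upload($rsaCert, $rsaKey));  // RSA certificate with its own key
print_r(check_cert_upload($rsaCert, $ecKey));   // RSA certificate with a foreign key
print_r(check_cert_upload('not a pem', ''));    // unparsable upload
```

Pass a wider `$allowed` list once the web server configuration is known to handle the additional key types.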