TLS Ciphers with RSA Certificates signed by ECDSA PKIs

If you've configured a web server with an RSA certificate signed by an ECDSA Certificate Authority, then you may get errors from your browsers like:

ERR_SSL_PROTOCOL_ERROR (Chrome)
SSL_ERROR_HANDSHAKE_FAILURE_ALERT (Firefox)

If this web server works perfectly fine with an RSA certificate signed by an RSA-based PKI, then it is likely that your web server is configured with TLS ciphers that are not valid for these ECDSA-signed certificates. Section 5.3 of RFC 4492 sets requirements, for each ECDH/ECDHE key exchange algorithm, on the key in the server certificate and on the algorithm the CA used to sign it:

          Key Exchange Algorithm  Server Certificate Type
          ----------------------  -----------------------

          ECDH_ECDSA              Certificate MUST contain an
                                  ECDH-capable public key.  It
                                  MUST be signed with ECDSA.

          ECDHE_ECDSA             Certificate MUST contain an
                                  ECDSA-capable public key.  It
                                  MUST be signed with ECDSA.

          ECDH_RSA                Certificate MUST contain an
                                  ECDH-capable public key.  It
                                  MUST be signed with RSA.

          ECDHE_RSA               Certificate MUST contain an
                                  RSA public key authorized for
                                  use in digital signatures.  It
                                  MUST be signed with RSA.

So, for an RSA certificate signed with ECDSA, ciphers like these would be invalid:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

You'll need to reconfigure your web server to use alternative valid ciphers, such as:

  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_GCM_SHA384
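
The check described above, as an added example that is not part of the original post: it reads the key and signature algorithms from `openssl x509 -noout -text` output and tests each configured suite against the RFC 4492 section 5.3 table. The sample certificate text, the function names, and treating TLS_RSA_* suites as needing only an RSA key (as the list above does) are assumptions.

```python
import re

# RFC 4492 section 5.3: key exchange -> (certificate key type, CA signature type)
RFC4492_RULES = {
    "ECDH_ECDSA": ("EC", "ECDSA"), "ECDHE_ECDSA": ("EC", "ECDSA"),
    "ECDH_RSA": ("EC", "RSA"), "ECDHE_RSA": ("RSA", "RSA"),
}

# Constructed sample: trimmed `openssl x509 -noout -text` output for an RSA
# certificate issued by an ECDSA CA (the issuer name is a placeholder).
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN = Example ECDSA Issuing CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
"""

def cert_profile(text):
    """Return (key type, signature type) parsed from openssl text output."""
    sig = re.search(r"Signature Algorithm:\s*(\S+)", text)
    key = re.search(r"Public Key Algorithm:\s*(\S+)", text)
    if not sig or not key:
        raise ValueError("expected `openssl x509 -noout -text` output")
    name = sig.group(1).lower()
    sig_type = "ECDSA" if name.startswith("ecdsa") else "RSA" if "rsa" in name else "OTHER"
    # Simplification: any EC key counts as both ECDH- and ECDSA-capable.
    key_type = {"rsaEncryption": "RSA", "id-ecPublicKey": "EC"}.get(key.group(1), "OTHER")
    return key_type, sig_type

def check_suites(cert_text, suites):
    """Map each suite name to the list of reasons it conflicts with the certificate."""
    key_type, sig_type = cert_profile(cert_text)
    report = {}
    for suite in suites:
        m = re.match(r"TLS_(.+?)_WITH_", suite)
        kx = m.group(1) if m else None
        if kx in RFC4492_RULES:
            need_key, need_sig = RFC4492_RULES[kx]
        elif kx == "RSA":  # assumption: plain RSA key exchange only needs an RSA key
            need_key, need_sig = "RSA", sig_type
        else:
            report[suite] = ["key exchange not covered by this check"]
            continue
        checks = ((key_type == need_key, f"needs {need_key} key, has {key_type}"),
                  (sig_type == need_sig, f"needs {need_sig} signature, has {sig_type}"))
        report[suite] = [msg for ok, msg in checks if not ok]
    return report
```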

If you're uncertain about which TLS ciphers to use, OWASP provides a good reference. You'll need to evaluate your requirements against the user base that will be connecting to your services, as Internet-facing services can have vastly different requirements from large enterprise networks with legacy systems in use.

Timothy Quinn

Managing Director of Congruent Labs