SSLConfig with ECC

Question

Question

Ruiyan Yu · May 14, 2021

Hello everyone,
I can choose between RSA and DSA. ECC seems to be unsupported.
Is there any workarounds without using external binary like curl?

Best regards
RY

Product version: Caché 2018.1

Discussion (5)0

Log in or sign up to continue

Katherine Reid May 17, 2021 to Ruiyan Yu

There isn't support for EC keys in Cache. If you haven't already, you could ask for an enhancement to add support in IRIS. That's a long term solution though. For now, the only solutions I can think of are workarounds like your CPIPE and cURL method or stunnel around %Net.Httprequest.

1 0

score 0 · Answer 1 · 2021-05-14T12:11:10-04:00

In most cases, it’s enough to just create empty certificate with just default values.

how do you use it?

score 0 · Answer 2 · 2021-05-14T12:41:12-04:00

Hi,

The api endpoint (https://api.domain/service) is only accessible with a provided certificate and ecc key.
i would like to use the %Net.HttpRequest class with SSLConfiguration

my quick test with curl under windows
curl -v --location --request POST --key provided.pem --cert provided.pem --header "Accept: application/pdf" --header "Content-Type: application/json" --data @payload.json https://api.domain/service

Best regards
RY

score 0 · Answer 3 · 2021-05-15T22:20:09-04:00

Most of the time what you could do is keep it or create it empty with default values.

All what matters is how you are going to use it. Do you have any idea on how you are intending to use it?

Regards.

score 0 · Answer 4 · 2021-05-16T10:12:42-04:00

Hi,

I want to access the api endpoint using the %Net.HttpRequest class and its SSLConfiguration property.

The provided credentials authenticate me as a valid user to make api requests.

Some endpoints are using RSA keys and they work as expected. But this particular endpoint uses a 256bit ecc key and there is no option to choose it.

How can I do it in Cache like i did with cURL? Currently I am using CPIPE and cURL as workaround.

Best regards
RY

//EDIT Saved as DSA..... debug output
error:10092010:elliptic curve routines:d2i_ECPrivateKey:EC lib
05/16/21-15:57:51:622 (2148) 0
error:100DE08E:elliptic curve routines:OLD_EC_PRIV_DECODE:decode error
05/16/21-15:57:51:622 (2148) 0
error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
05/16/21-15:57:51:622 (2148) 0
error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
05/16/21-15:57:51:622 (2148) 0
error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error
05/16/21-15:57:51:622 (2148) 0
error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
05/16/21-15:57:51:623 (2148) 0
error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
05/16/21-15:57:51:623 (2148) 0
TPXMIT saw TCP device fail
05/16/21-15:57:58:014 (5052) 0 REDEBUG: new netdebugflags FF