IBM Verify


Is RACF certificate defined with NISTECC SIZE(521) recommended?

  • 1.  Is RACF certificate defined with NISTECC SIZE(521) recommended?

    Posted Thu November 18, 2021 12:53 PM
    I can use a RACF certificate as a server certificate (in LDAP etc) with no problems.
    If I make the size bigger it stops working. Is this supported (or do I just need to tweak my definitions)?

    RACDCERT ID(START1) GENCERT -
    SUBJECTSDN(CN('SERVEREC') -
    O('ADCD') -
    OU('TEST')) -
    ALTNAME(IP(10.1.1.2)) -
    SIZE(256) -
    NISTECC -
    SIGNWITH (CERTAUTH LABEL('COLIN-CA')) -
    KEYUSAGE(HANDSHAKE ,KEYAGREE) -
    NOTAFTER( DATE(2024-12-29))-
    WITHLABEL('SERVEREC')

    works fine

    If I use

    size(521)

    it does not work, and I get the following in the GSKTRACE

    INFO edit_ciphers(): Using server certificate 'SERVEREC'
    INFO crypto_ec_get_cached_public_key(): Using EC public key cache entry 201619B8
    ENTRY gsk_factor_public_key(): --->
    EXIT gsk_factor_public_key(): <--- Exit status 0x00000000 (0)
    ENTRY gsk_get_ec_parameters_info(): ---> keyInfo size 12
    EXIT gsk_get_ec_parameters_info(): <--- Exit status 0x00000000 (0) EC curve type 34, key size 521
    INFO edit_ciphers(): Server certificate ec curve 0034 not in supported ecurve tls extension. EC cipher suites disabled
    INFO edit_ciphers(): Initial SSL V3 4-character cipher specs:
    INFO edit_ciphers(): C02CC02BC030C02FC024C023130313011302
    INFO edit_ciphers(): SSL V3 EC cipher C02C skipped because EC ciphers unavailable
    INFO edit_ciphers(): SSL V3 EC cipher C02B skipped because EC ciphers unavailable
    INFO edit_ciphers(): SSL V3 cipher C030 skipped due to key algorithm
    INFO edit_ciphers(): SSL V3 cipher C02F skipped due to key algorithm
    INFO edit_ciphers(): SSL V3 EC cipher C024 skipped because EC ciphers unavailable
    INFO edit_ciphers(): SSL V3 EC cipher C023 skipped because EC ciphers unavailable
    INFO edit_ciphers(): SSL V3 cipher 1303 skipped for TLS V1.2 sessions
    INFO edit_ciphers(): SSL V3 cipher 1301 skipped for TLS V1.2 sessions
    INFO edit_ciphers(): SSL V3 cipher 1302 skipped for TLS V1.2 sessions
    ERROR edit_ciphers(): No SSL V3 cipher specs enabled for TLS V1.0 + TLS V1.2
    ERROR edit_ciphers(): No SSL V3 cipher specs enabled for TLS V1.0 + TLS V1.2
    ERROR send_v3_alert(): Sent SSL V3 alert 40 to 10.1.0.2[38738]
    INFO gsk_write_v3_record(): Calling write routine for 7 bytes
    INFO gsk_write_v3_record(): 7 bytes written
    ERROR gsk_secure_socket_init(): SSL V3 server handshake failed with 10.1.0.2[38738]

    Colin

    ------------------------------
    Colin Paice
    ------------------------------


  • 2.  RE: Is RACF certificate defined with NISTECC SIZE(521) recommended?

    Posted Fri November 19, 2021 04:10 AM

    It looks like it is not supported by all browsers.

    When Chrome (which fails) sends up its client handshake, the supported groups has
    Supported Groups (4 groups)
    - Supported Group: Reserved (GREASE) (0x2a2a)
    - Supported Group: x25519 (0x001d)
    - Supported Group: secp256r1 (0x0017)
    - Supported Group: secp384r1 (0x0018)

    which is missing 0019 (34)

    Firefox (works) had
    Supported Groups (6 groups)
    Supported Group: x25519 (0x001d)
    Supported Group: secp256r1 (0x0017)
    Supported Group: secp384r1 (0x0018)
    Supported Group: secp521r1 (0x0019)
    Supported Group: ffdhe2048 (0x0100)
    Supported Group: ffdhe3072 (0x0101)


    If I use a Java based application I get
    Supported Groups (10 groups)
    Supported Group: x25519 (0x001d)
    Supported Group: secp256r1 (0x0017)
    Supported Group: secp384r1 (0x0018)
    Supported Group: secp521r1 (0x0019)
    Supported Group: x448 (0x001e)
    Supported Group: ffdhe2048 (0x0100)
    Supported Group: ffdhe3072 (0x0101)
    Supported Group: ffdhe4096 (0x0102)
    Supported Group: ffdhe6144 (0x0103)
    Supported Group: ffdhe8192 (0x0104)



    ------------------------------
    Colin Paice
    ------------------------------
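
Added example (not part of the original posts and not IBM code): a Python check that parses the supported_groups extension of a ClientHello, skips GREASE placeholders, and reports whether the client offers the curve of a NISTECC key of a given SIZE, which is the condition the GSKTRACE message above reports as failing. The function names and the sample extension bytes are constructed for illustration; the group lists are the Chrome and Firefox lists quoted in the thread.

```python
import struct

# RACDCERT NISTECC SIZE -> TLS NamedGroup id the client must offer
SIZE_TO_GROUP = {256: 0x0017, 384: 0x0018, 521: 0x0019}

def is_grease(value: int) -> bool:
    """RFC 8701 GREASE placeholders: 0x0a0a, 0x1a1a, ... 0xfafa."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)

def parse_supported_groups(extensions: bytes) -> list:
    """Return the non-GREASE groups from the supported_groups extension (type 10).

    `extensions` is the ClientHello extensions block without its 2-byte
    total-length prefix.
    """
    off = 0
    while off + 4 <= len(extensions):
        ext_type, ext_len = struct.unpack_from("!HH", extensions, off)
        body = extensions[off + 4:off + 4 + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension")
        off += 4 + ext_len
        if ext_type != 0x000A:
            continue
        if ext_len < 2 or ext_len % 2:
            raise ValueError("malformed supported_groups")
        (list_len,) = struct.unpack_from("!H", body)
        if list_len != ext_len - 2:
            raise ValueError("supported_groups length mismatch")
        return [g for (g,) in struct.iter_unpack("!H", body[2:]) if not is_grease(g)]
    return []

def client_offers_cert_curve(extensions: bytes, racf_size: int) -> bool:
    """True if the client offers the curve of a NISTECC SIZE(racf_size) key."""
    return SIZE_TO_GROUP[racf_size] in parse_supported_groups(extensions)

def build_extensions(groups) -> bytes:
    """Constructed sample: an empty extended_master_secret, then supported_groups."""
    body = b"".join(struct.pack("!H", g) for g in groups)
    return (struct.pack("!HH", 0x0017, 0)
            + struct.pack("!HHH", 0x000A, len(body) + 2, len(body)) + body)

# Group lists copied from the two browser captures in the thread
CHROME = build_extensions([0x2A2A, 0x001D, 0x0017, 0x0018])
FIREFOX = build_extensions([0x001D, 0x0017, 0x0018, 0x0019, 0x0100, 0x0101])

if __name__ == "__main__":
    for name, ext in (("Chrome", CHROME), ("Firefox", FIREFOX)):
        print(name, "SIZE(521) usable:", client_offers_cert_curve(ext, 521))
```

Running the same check against the group list of each client population you must serve shows, before the certificate is deployed, whether a SIZE(521) key would leave some clients with no usable EC cipher suite.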