When I test my connection to my server:

echo q | openssl s_client -connect abc.def.com:8443

I get back (extract):

No client certificate CA names sent
Peer signing digest: SHA512.
Server Temp Key: ECDH, P-256, 256 bits

and

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384.
Server public key is 2048 bit

Can anyone tell me how to remove the Temp Key - I know almost nothing about security but guess having a temp key and / or one that is 256 bits (or that doesn't match the public key) is less than desirable.

I have tried to solve this, having found this:

https://security.stackexchange.com/questions/142274/what-does-server-temp-key-mean-in-an-openssl-output

&

https://stackoverflow.com/questions/31441070/how-to-remove-just-one-certificate-from-a-certificate-chain-in-a-java-keystore

but with no success.

To explain my lack of success with the second link ....

pemfile.pem contents (redacted!):

Bag Attributes
friendlyName: gateway-identity
localKeyID: 54 69 6D 65 20 31 35 36 38 30 32 37 34 38 35 37 30 37

Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIE...
...
...
v4mZMVyvG63TmtJx6OtP0Zs=
-----END PRIVATE KEY-----
Bag Attributes
    friendlyName: gateway-identity
    localKeyID: 54 69 6D 65 20 31 35 36 38 30 32 37 34 38 35 37 30 37
subject=/C=US/ST=Test/L=Test/O=Hadoop/OU=Test/CN=abc.def.com
issuer=/C=US/ST=Test/L=Test/O=Hadoop/OU=Test/CN=abc.def.com
-----BEGIN CERTIFICATE-----
MIID...
...
...
6WLAiy7LML8p0Da1WKom6L2HqyFKg6qltqEO5x16LrV4
-----END CERTIFICATE-----

Deleting the certificate and its preceding bag attributes causes an error when I execute:

openssl pkcs12 -export -in pemfile.pem -name gateway-identity -out new.p12

I get:

unable to load certificates

This makes sense to me.

Am I looking at this from the wrong angle? Is there some other way to disable / remove the temp key?

1 Answer

> I know almost nothing about security ...

Yes, it looks like that based on this question.
While it is not that much of a problem if you know almost nothing, it is actually a problem if you jump to unfounded conclusions anyway. This can do more harm than good.

> ... but guess having a temp key and / or one that is 256 bits (or that doesn't match the public key) is less than desirable.

Wrong guess. This key is relevant for the ECDHE key exchange and 256 bits are perfectly fine when used with elliptic curves.

> How to remove Server Temp Key from SSL Certificate Chain

The key is not part of the certificate chain in the first place so it cannot be removed from there.

In short: nothing you show in your question indicates a security problem.
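
What the "Server Temp Key: ECDH, P-256, 256 bits" line refers to, as an added example that is not part of the original question or answer: a toy pure-Python ECDHE exchange on P-256, showing that each handshake generates a fresh 256-bit key pair unrelated to the certificate's 2048-bit RSA key. The function names are made up for illustration, and the arithmetic is not constant time, so this is a teaching sketch rather than production code.

```python
import secrets
# NIST P-256 (secp256r1) domain parameters: the curve named in "Server Temp Key: ECDH, P-256".
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A, B = P - 3, 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551  # group order

def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + Ax + B (mod P); None is the point at infinity."""
    return pt is None or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def add(p1, p2):
    # Affine point addition; None stands for the point at infinity.
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                    # p2 is the inverse of p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def temp_key():
    """Fresh ephemeral key pair, generated anew for every handshake."""
    d = secrets.randbelow(N - 1) + 1
    return d, mul(d, G)

def handshake():
    """One ECDHE exchange: (server temp public key, client's secret, server's secret)."""
    (srv_d, srv_pub), (cli_d, cli_pub) = temp_key(), temp_key()
    if not (on_curve(srv_pub) and on_curve(cli_pub)):  # each peer validates the received point
        raise ValueError("point not on P-256")
    return srv_pub, mul(cli_d, srv_pub)[0], mul(srv_d, cli_pub)[0]

if __name__ == "__main__":
    for pub, c, s in (handshake(), handshake()):
        print(f"temp key x={pub[0]:064x} secrets agree={c == s}")
```

Running it prints a different temp key for each handshake while both sides still derive the same secret; no certificate or keystore is involved at any point.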