Comments (10)
Partially for the political reason that I find NIST-recommended ECC standards not entirely trustworthy after the Snowden revelations, but also technically because ECDSA standards are held to be more secure than anything higher than RSA-2048 and perform more quickly.
Despite not being in beta yet, this is already one of my favorite Let's Encrypt/ACME clients as far as usability and documentation, so I am curious what kind of a development roadmap you have in mind. I'm already looking forward to multiple domains support in the next alpha release.
from acmephp.
Many thanks to @jderusse, ECDSA certificates are now in AcmePHP 1.1 :) ! https://twitter.com/acme_php/status/1061228086073704448
from acmephp.
Hello @cmorgenstern,
It was not planned for now but could be if needed. Have you a reason to prefer ECDSA over RSA? Support for ECDSA will need a bit of work to understand how it works in Let's Encrypt.
from acmephp.
Thanks for the feedback, that's always appreciated!
I understand your point, I think this could be a nice feature to add to the client. However, it won't be critical for most people so I think this should be planned for 1.1.
The roadmap is actually quite simple: the only missing part for a first 1.0-beta1 (beta = feature freeze) is the handling of multiple domains (#20). Once that's done, the 1.0 stable should arrive quite quickly as features were tested along the way (we won't need a lot of betas IMO). When the 1.0 will be released, I'll start working on 1.1 which consist for the moment in the following issues: https://github.com/acmephp/acmephp/issues?q=is%3Aopen+is%3Aissue+milestone%3A1.1.
from acmephp.
@tgalopin correct me if I'm wrong please, but I think it's just a matter of adding EC keytype support in https://github.com/acmephp/ssl/blob/master/Generator/KeyPairGenerator.php#L36. I believe if an ECDSA key is passed to LE, it will give you back an appropriate certificate. I'm considering taking on this work, so any direction you can give is appreciated. Thanks!
from acmephp.
You may be right, I didn't dig too much on this topic.
It would be awesome of you to send a PR! Don't hesitate to reach me here or on the Symfony Slack (tgalopin on symfony.com/support) if you want to discuss about it, I'd be happy to help :) !
from acmephp.
I think it's just a matter of adding EC keytype support..
I use Kelunik's acme-client (a similar acme client in PHP, but with lots of amphp goodness), and its ECC support is also in the works. I put together a small PR at kelunik/acme#22 to add ECC support, and I can say that it indeed is a matter of generating the certificate. CSR should handle fine and there is no difference in the acme protocol for ECC certificates.
However, only PHP ^7.1
has ECC support.
from acmephp.
Thanks @Ayesh. The comment in the PHP docs says EC Keytype constant was added in 5.2.0. Maybe it wasn't implemented for openssl_pkey_new
until more recently? I was planning to add a check for the constant being defined and throwing an exception if it isn't supported.
http://php.net/manual/en/openssl.key-types.php
from acmephp.
Interesting find, I'm actually quite surprised OpenSSL 0.9 can handle EC! I should see myself.
I think we have to check the input. For example of the bit size is 2048, 3072 or 4096, we know it's an RSA key. A "bit size" parameter could also work for EC curve as well although it has a different meaning. We would need to validate it too, because not all curves are CA/B compliant not supported in LetsEncrypt (ed25519 for example is not supported so it should be an invalid input). Secp256r1 and secp384r1 are the only allowed curves as far I know.
from acmephp.
I'm not sure what all of this means but I think this would be a great addition to the project. If someone wants to start this work, please don't hesitate :) !
from acmephp.
Related Issues (20)
- Error During Renewal HOT 2
- website updates? HOT 1
- getResponseBodySummary(): Return value must be of type string, null returned HOT 1
- "OpenSSL signature could not be verified" on Centos 9 (and other updated SSL stacks)
- Format output for commands
- Feature Request: Customizable truncation char limit for RequestException Errors. HOT 2
- Is this project still maintained? HOT 2
- Short / Alternate chain in acme-php ? HOT 1
- Proposal for v3 HOT 10
- Single certificate renewal failure with run command
- Domain name character capitalisation leads to ChallengeNotSupportedException
- Retry on 503s with RetryAfter? HOT 1
- Upgrade PHP to V8 HOT 4
- Maintenance HOT 6
- Proposal: remove @author tags HOT 8
- Proposal: Make classes final & readonly
- Issue with using Symfony Serializer HOT 11
- Subtree does not work anymore? HOT 5
- Improve call examples HOT 4
- Wildcard Domain Authorization using DNS Solver not supported anymore?
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from acmephp.