AWS IoT custom domain ECDSA support

Question

We configured a custom domain using this guide: https://docs.aws.amazon.com/iot/latest/developerguide/iot-custom-endpoints-configurable-custom.html

The domain is enabled and active.

The TLS handshake works with no cipher constraints, however when the cipher suites are constrained to ECDSA, the connection is dropped after client hello.

```
$ openssl s_client -cipher ECDSA -connect custom-domain-name:8883 -showcerts -servername custom-domain-name
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 284 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
```

Is ECDSA not supported? This is odd since it is one of the recommended cipher suites here: https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html

Accepted Answer

When setting up a custom domain you need to attach a server certificate to the endpoint which has either an ECDSA signature or an RSA signature. 
In practice this mean that you can either use an RSA cipher or an ECDSA cipher but not both for the same custom domain endpoint.

The standard endpoint, on the other hand, supports both ciphers.

Answer

This should be noted in the docs at https://docs.aws.amazon.com/iot/latest/developerguide/iot-custom-endpoints-configurable-custom.html under "ACM-generated public certificates"

When using an ACM issued certificate this limits you to RSA, since ACM does not issue ECDSA certificates

AWS IoT custom domain ECDSA support

Relevant content