AWS IoT custom domain ECDSA support

0

We configured a custom domain using this guide: https://docs.aws.amazon.com/iot/latest/developerguide/iot-custom-endpoints-configurable-custom.html

The domain is enabled and active.

The TLS handshake works with no cipher constraints, however when the cipher suites are constrained to ECDSA, the connection is dropped after client hello.

$ openssl s_client -cipher ECDSA -connect custom-domain-name:8883 -showcerts -servername custom-domain-name
CONNECTED(00000003)
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 284 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Is ECDSA not supported? This is odd since it is one of the recommended cipher suites here: https://docs.aws.amazon.com/iot/latest/developerguide/transport-security.html

Bora
asked 2 years ago361 views
2 Answers
1
Accepted Answer

When setting up a custom domain you need to attach a server certificate to the endpoint which has either an ECDSA signature or an RSA signature. In practice this mean that you can either use an RSA cipher or an ECDSA cipher but not both for the same custom domain endpoint.

The standard endpoint, on the other hand, supports both ciphers.

AWS
EXPERT
answered 2 years ago
1

This should be noted in the docs at https://docs.aws.amazon.com/iot/latest/developerguide/iot-custom-endpoints-configurable-custom.html under "ACM-generated public certificates"

When using an ACM issued certificate this limits you to RSA, since ACM does not issue ECDSA certificates

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions