Buy commercial curl support. We
help you work out your issues, debug your libcurl applications, use the API,
port to new platforms, add new features and more. With a team lead by the
curl founder Daniel himself.
Re: Unable to exchange encryption keys
- Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]
From: Jeffrey Walton via curl-users <curl-users_at_lists.haxx.se>
Date: Wed, 26 Nov 2025 10:54:26 -0500
On Wed, Nov 26, 2025 at 10:34 AM Werner Stolz <wstolz_at_investcloud.com> wrote:
>
> Yes, I am aware that we should not be using DSS keys. We must use them to accommodate some of our data partners.
In case the folks you are working with were not aware... Digital
Signature Standard (DSS) approves three algorithms for signing. The
first is old RSA. The original DSS proposal did not include RSA. RSA
Data Security, Inc did a lot of lobbying to get RSA included in the
DSS.
The second is DSA. This is a signing scheme over integers. DSA is
what most people think of when someone says signing with DSS. This is
the algorithm to avoid. FIPS 186-5 (from 2023) removed DSA, so
partners cannot use FIPS as a crutch.
The third is ECDSA. This is a signing scheme over elliptic curves.
This is the algorithm from DSS that you want partners to use.
> Your link show exactly what we have been doing when we drive the SFTP command line tool for file transfers, but I was under the impression that
> using the “-k” / “—insecure” option for curl does the same thing.
>
> Historically, it has, with our previous version of curl, but somehow it is broken with this version.
Jeff
Date: Wed, 26 Nov 2025 10:54:26 -0500
On Wed, Nov 26, 2025 at 10:34 AM Werner Stolz <wstolz_at_investcloud.com> wrote:
>
> Yes, I am aware that we should not be using DSS keys. We must use them to accommodate some of our data partners.
In case the folks you are working with were not aware... Digital
Signature Standard (DSS) approves three algorithms for signing. The
first is old RSA. The original DSS proposal did not include RSA. RSA
Data Security, Inc did a lot of lobbying to get RSA included in the
DSS.
The second is DSA. This is a signing scheme over integers. DSA is
what most people think of when someone says signing with DSS. This is
the algorithm to avoid. FIPS 186-5 (from 2023) removed DSA, so
partners cannot use FIPS as a crutch.
The third is ECDSA. This is a signing scheme over elliptic curves.
This is the algorithm from DSS that you want partners to use.
> Your link show exactly what we have been doing when we drive the SFTP command line tool for file transfers, but I was under the impression that
> using the “-k” / “—insecure” option for curl does the same thing.
>
> Historically, it has, with our previous version of curl, but somehow it is broken with this version.
Jeff
-- Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users Etiquette: https://curl.se/mail/etiquette.htmlReceived on 2025-11-26