Using ECDHE TLS with Boost ASIO


The TL;DR version

I'd like to know:

  • Where does the specification for the use of ECDHE get defined (in a cert parameter or a server configuration of SSL contexts, or elsewhere)?
  • In a non-home-rolled certificate setup, whose responsibility is it to define the ECDHE public and private information (the end user or cert provider)?
  • Can an existing Certificate which does not appear to use ECDHE be made to without causing issues with the Certificate?
  • Are there any examples of someone using SSL in Boost::ASIO with an ECDHE setup?

The Longer Version

We've been building an application which is using a proper-paid-for certificate from an external Cert Authority. The application uses a home-rolled server setup based off of Boost ASIO and Boost Beast, and we only recently noticed it doesn't play nice with iOS - ASIO says there is no shared cipher.

Reading into how TLS works has led me to the fact that some part of our server was preventing us from serving TLS using the ECDHE-* suite of ciphers (which iOS seems to want) - but I'm having difficulty in figuring out how to wrangle ASIO and our current cert/key into serving ECDHE.

What I've tried:

  • Using the same cert and key, adding in the results of openssl dhparam into ASIO using set_tmp_dh, then specifying ciphers. Curl reports that this allows a connection using DHE but not ECDHE. Specifying ciphers that only use ECDHE causes errors when connecting.
  • Trying to pass the output of openssl ecparam to ASIO using a similar method to the above. I've not been able to format something that ASIO accepts.
  • Trying to see if there is a way you can use the output of openssl ecparam with another combining function to modify the original cert into one that uses ECDHE. I clued onto this one from the OpenSSL wiki suggesting that if the cert does not contain the line ASN1 OID: prime256v1 (or a similar named curve), then it is not suitable for ECDHE usage.

At this point I'm unsure as to where the issue truly lies (in ASIO, in the certificates or in how I'm putting it all together) and most of the information on the internet I can find relates to home-rolling everything from scratch, rather than working with existing certs.

Accepted answer

Update 11/05/19

https://github.com/chriskohlhoff/asio/pull/117 pulled in changes for ASIO with ECDHE. Will need to wait a while to see which Boost lib version it makes it into.

Original Answer

I seem to have found an answer for any googlers - ASIO does not appear to support ECDHE natively at the time of writing. This issue from the main repo suggests that ECDHE is on the cards for support but is not yet implemented.

Second answer

Here is a link to the ECDHE implementation that's been waiting to be merged since 2016: https://github.com/chriskohlhoff/asio/pull/117.

+1 to get the attention of the Boost ASIO maintainer; he's been pretty slow with it.