Reputation: 357
I am using an ECC certificate to observe how TLS works. Can someone help me with the difference between ECDH-ECDSA-AES128-SHA256 and ECDHE-ECDSA-AES128-SHA256?
When I use ECDHE-ECDSA-AES128-SHA256, the client and server work fine:
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-SHA256
When I use ECDH-ECDSA-AES128-SHA256, the SERVER_HELLO fails:
140344027961248:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
Upvotes: 3
Views: 6044
Reputation: 14148
The difference is the key exchange algorithm.
ECDH in static mode uses a long-term ECDH key.
In ephemeral mode, an ECDH key pair is generated every time and then thrown away, so it's only used for the length of the ECDH key exchange.
Update:
The server is rejecting the ECDH version because it's been configured to do so.
All SSL implementations allow the user to set up which ciphers are allowed or not. In OpenSSL we have an API like SSL_CTX_set_cipher_list to set up which ciphers are allowed or not. This is normally exposed through an application-specific configuration.
There are a lot of web sites like this one that give advice on what to set the cipher list to that gives the best security for the current situation.
For information on cipher string see the openssl ciphers command.
Upvotes: 9
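As an added example (not code from the question or the answer above), the following Python script uses the standard-library ssl module, which drives the same OpenSSL cipher-string machinery that SSL_CTX_set_cipher_list exposes in C, to expand a cipher string, flag which suites use an ephemeral key exchange, and show why a client restricted to ECDH-ECDSA-AES128-SHA256 finds no common suite with a server that only allows ECDHE suites. The function names are my own, and the script assumes an OpenSSL 1.1.1 or later build, where the static ECDH suites were removed, so that cipher string resolves to nothing.

```python
import ssl

# Added example, not code from the question or answer. Assumes a Python
# built against OpenSSL 1.1.1+ (static ECDH suites absent).


def resolve_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the TLS 1.2 suites it enables.

    Returns an empty list when OpenSSL can match nothing, which is what
    happens for ECDH-ECDSA-AES128-SHA256 on OpenSSL 1.1.0 and later.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are always listed and are not governed by the cipher
    # string, so drop them to stay with the question's TLS 1.2 handshake.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_forward_secret(cipher):
    """True when the key-exchange field reports an ephemeral (EC)DH exchange."""
    return cipher["kea"] in ("kx-ecdhe", "kx-dhe")


def describe(cipher_string):
    """Map each enabled suite to (key exchange label, forward secret?),
    roughly what `openssl ciphers -v` prints for the same string."""
    return {c["name"]: (c["kea"], is_forward_secret(c))
            for c in resolve_ciphers(cipher_string)}


def negotiate(server_ciphers, client_ciphers):
    """Pick the first suite in server order that the client also offers.

    Models a server running with server cipher preference. None means the
    two lists share nothing, which is the situation behind the
    'sslv3 alert handshake failure' in the question: the server allows only
    ECDHE suites and the client insisted on a static ECDH suite.
    """
    client_names = {c["name"] for c in resolve_ciphers(client_ciphers)}
    for c in resolve_ciphers(server_ciphers):
        if c["name"] in client_names:
            return c["name"]
    return None


if __name__ == "__main__":
    for cs in ("ECDHE-ECDSA-AES128-SHA256", "ECDH-ECDSA-AES128-SHA256"):
        print(cs, "->", describe(cs) or "no suite available in this OpenSSL build")
    print("negotiated:",
          negotiate("ECDHE-ECDSA-AES128-SHA256", "ECDH-ECDSA-AES128-SHA256"))
```

Running it prints the ECDHE suite with key exchange kx-ecdhe and a forward-secrecy flag of True, an empty result for the static ECDH string, and None for the mismatched negotiation, i.e. the handshake failure from the question reproduced from the cipher lists alone, without any network traffic.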