The signature in the ServerKeyExchange is created with wrong parameters with ECC keys, because the TLS header length is used instead of the DTLS header length.
Thanks to Erwin Himawan for providing hints! Best regards Robin --- ssl/d1_srvr.c 5 Sep 2011 10:25:21 -0000 1.20.2.21 +++ ssl/d1_srvr.c 20 Oct 2011 09:20:35 -0000 @@ -1271,7 +1271,7 @@ EVP_SignInit_ex(&md_ctx,EVP_ecdsa(), NULL); EVP_SignUpdate(&md_ctx,&(s->s3->client_random[0]),SSL3_RANDOM_SIZE); EVP_SignUpdate(&md_ctx,&(s->s3->server_random[0]),SSL3_RANDOM_SIZE); - EVP_SignUpdate(&md_ctx,&(d[4]),n); + EVP_SignUpdate(&md_ctx,&(d[DTLS1_HM_HEADER_LENGTH]),n); if (!EVP_SignFinal(&md_ctx,&(p[2]), (unsigned int *)&i,pkey)) {
dtls-ecc-key-bug-1.0.0.patch
Description: Binary data
dtls-ecc-key-bug-1.0.1.patch
Description: Binary data