Hi,
 
I'd like to clarify one point: am I right to say the peer (client) we are referring to here is the browser?
I'm using Firefox 2 Beta 1 which I know has ECC support. I had performed a test at tls.secg.org to verify this.
 
Another point I'm puzzled about is that the openssl ciphersuites shown are only ciphers with SSLv3 protocol when I execute openssl ciphers -v ECCdraft. But I thought openssl 0.9.8b already provides support for TLSv1 too, so why don't I see any ciphers with TLSv1 protocol? Or have I misunderstood the readme file in 0.9.8b?
An interesting point to note was when I performed the test at tls.secg.org, the handshake version used was TLSv1.
 
Many thanks!
Marek Marcola <[EMAIL PROTECTED]> wrote:
Hello,
>
> And when I tried with
> openssl s_server -cipher ECCdraft -cert ecc.crt -key ecc.key -www
> the errors I get:
> Loading 'screen' into random state - done
> Using default temp DH parameters
> Using default temp ECDH parameters
> ACCEPT
> 1132:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1057:SSL alert number 40
> 1132:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:.\ssl\s23_lib.c:142:
> ACCEPT
> accept error 10004
>
> Does that mean my ecc cert has some issues?
> I've generated them using these commands:
> 1) openssl ecparam -genkey -name secp160r1 -out ecc.pem
> 2) openssl req -new -key ecc.pem -out ecc.csr
> 3) openssl ec -in ecc.pem -out ecc.key
> 4) openssl x509 -in ecc.csr -out ecc.crt -req -signkey ecc.key -days 7
>
> Anything suspicious?
This procedure seems to work when connecting with:
$ openssl s_client -cipher ECCdraft
but in your situation you get from peer (client) alert message 40
which means that client was not able to negotiate an acceptable
set of security services. In this situation this probably means
that client does not support certificates with ECC parameters.
This should be checked.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]


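Added example, not part of the original thread: a small Python parser for the two s_server error-queue lines quoted above (rejoined from their wrapped form). It shows that the packed hex code already carries the received alert, since OpenSSL of this era reports a peer's alert as reason code 1000 + alert number. The function names and the alert table are this example's own; the bit layout assumed is the pre-3.0 one (8-bit library, 12-bit function, 12-bit reason).

```python
# TLS 1.0 alert descriptions (RFC 2246, section 7.2); 41 exists only in SSLv3.
ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
}
ERR_LIB_SSL = 20             # library number of "SSL routines"
SSL_AD_REASON_OFFSET = 1000  # ssl.h: alerts received from the peer

# The two error lines from the thread, unwrapped.
SAMPLE = [
    r"1132:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1057:SSL alert number 40",
    r"1132:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:.\ssl\s23_lib.c:142:",
]

def parse_error_line(line):
    """Parse 'pid:error:code:lib:func:reason:file:line:data'; None if not an error line.
    Assumes the file path has no drive letter (a 'C:' would add a colon)."""
    parts = line.strip().split(":", 8)
    if len(parts) < 8 or parts[1] != "error":
        return None
    code = int(parts[2], 16)
    rec = {
        "code": code,
        "lib": (code >> 24) & 0xFF,    # which OpenSSL library raised it
        "func": (code >> 12) & 0xFFF,  # function number inside that library
        "reason": code & 0xFFF,        # reason number inside that library
        "func_name": parts[4], "reason_text": parts[5],
        "file": parts[6], "line": int(parts[7]),
        "alert": None,
    }
    # Reasons at or above the offset mean "the peer sent us this alert".
    if rec["lib"] == ERR_LIB_SSL and rec["reason"] >= SSL_AD_REASON_OFFSET:
        number = rec["reason"] - SSL_AD_REASON_OFFSET
        rec["alert"] = (number, ALERTS.get(number, "unknown"))
    return rec

def received_alerts(lines):
    """Return (number, name) for every peer alert found in the given lines."""
    recs = (parse_error_line(l) for l in lines)
    return [r["alert"] for r in recs if r and r["alert"]]

if __name__ == "__main__":
    print(received_alerts(SAMPLE))
```

Only the first line decodes to a peer alert; the second is the server's own follow-on error from the SSLv23 layer, so the client's alert 40 is the one to investigate.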