Thank you for your reply.
If I understand correctly, by specifying the 'nocert' option
when starting s_server, I am limiting the cipher suites to those
without certificates.  Otherwise I need to create a certificate 
and cipher suites that require certificates won't work.
 
Does OpenSSL support the TLS_ECDH_anon .. cipher suites?

Last question. (for now..and thank you)
How can I generate an elliptic curve certificate?

I tried a few things unsuccessfully to make a certificate, 
so some tips would really be appreciated.

Thank you, 
 Mike

--- On Sat, 8/22/09, Dr. Stephen Henson <st...@openssl.org> wrote:

> From: Dr. Stephen Henson <st...@openssl.org>
> Subject: Re: ECDHE help needed, please
> To: openssl-users@openssl.org
> Date: Saturday, August 22, 2009, 1:19 PM
> On Sat, Aug 22, 2009, Michael D wrote:
> 
> > 
> > I am testing a custom TLS client I am writing for a night class.
> > I would like to use openssl s_server for the testbed, if that is possible.
> > 
> > I am running openssl-1.0.0-stable-SNAP-20090821
> > 
> > * I am running the command as follows:
> > openssl s_server -nocert 
> > 
> > It starts by saying:
> > Using default temp DH parameters
> > Using default temp ECDH parameters
> > ACCEPT
> > 
> > * My client sends a client hello.  I have openssl dump the server cipher
> > list and the list I sent.
> > Mine are shown as below:
> > 0x81f8390:ECDHE-ECDSA-AES128-SHA
> > 0x81f83c0:ECDHE-ECDSA-AES256-SHA
> > 0x81f83f0:ECDH-RSA-NULL-SHA
> > 0x81f8420:ECDH-RSA-RC4-SHA
> > 
> > I end up with an error:
> > 3085114028:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1138:
> > 
> > I see my cipher in the list!  What am I doing wrong please.
> > 
> > This is getting a tiny bit frustrating.  Any help would be appreciated.
> > 
> 
> Those ciphersuites all require a certificate. If the client uses OpenSSL you
> have to explicitly enable anonymous ciphersuites using an appropriate cipher
> string for example "aNULL". If the client doesn't use OpenSSL then it may not
> support anonymous ciphersuites at all.
> 
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
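
The ECDHE-ECDSA suites in the quoted cipher list need an ECDSA certificate on the server side. As an added example (not part of this thread and not code from the OpenSSL project), the script below creates a test EC key and self-signed certificate and checks them; the P-256 curve, the CN=localhost subject and the file names are assumptions.

```shell
#!/bin/sh
# Added example: EC key + self-signed certificate for a local test server.
# Curve, subject and file names are assumptions chosen for illustration.

# make_ec_cert DIR: writes DIR/ec_key.pem and DIR/ec_cert.pem
make_ec_cert() {
    dir=$1
    # Private key on the named curve prime256v1 (NIST P-256).
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$dir/ec_key.pem" || return 1
    chmod 600 "$dir/ec_key.pem"
    # Self-signed certificate over that key, valid 30 days, test use only.
    openssl req -new -x509 -key "$dir/ec_key.pem" -subj "/CN=localhost" \
        -days 30 -out "$dir/ec_cert.pem" 2>/dev/null || return 1
}

# cert_pubkey_alg CERT: prints the certificate's public key algorithm.
cert_pubkey_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Public Key Algorithm: *//p'
}

# key_matches_cert KEY CERT: succeeds only if both hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$k" = "$c" ]
}

# Demo run in a throwaway directory.
demo_dir=$(mktemp -d)
if make_ec_cert "$demo_dir" &&
   key_matches_cert "$demo_dir/ec_key.pem" "$demo_dir/ec_cert.pem"; then
    echo "certificate key type: $(cert_pubkey_alg "$demo_dir/ec_cert.pem")"
fi
rm -rf "$demo_dir"

# The pair can then replace -nocert on the test server, for instance:
#   openssl s_server -cert ec_cert.pem -key ec_key.pem \
#       -cipher ECDHE-ECDSA-AES128-SHA
```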