Hi, I'm trying to create a VPN using OpenVPN over OpenSSL encrypted with AES and using an elliptic curve DSA.

However I keep getting a "no shared cipher" error. The full error log is:

    MULTI: multi_create_instance called
    Re-using SSL/TLS context
    Control Channel MTU parms [ L:1557 D:138 EF:38 EB:0 ET:0 EL:0 ]
    Data Channel MTU parms [ L:1557 D:1450 EF:57 EB:4 ET:0 EL:0 ]
    Local Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
    Expected Remote Options String: 'V4,dev-type tun,link-mtu 1557,tun-mtu 1500,proto UDPv4,cipher AES-128-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
    Local Options hash (VER=V4): 'b7f67de4'
    Expected Remote Options hash (VER=V4): '8326dbaa'
    TLS: Initial packet from xxx.xxx.xxx.xxx:3077, sid=1725da0c f1237109
    TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
    TLS Error: TLS object -> incoming plaintext read error
    TLS Error: TLS handshake failed
    SIGUSR1[soft,tls-error] received, client-instance restarting

In order to use ECDSA I'm using the following commands to create the keys:

For CA:

    openssl ecparam -name secp160k1 -out %HOME%\ecparameters
    openssl req -days 3650 -newkey ec:%HOME%\ecparameters -sha1 -nodes -x509 -keyout %KEY_DIR%\ca.key -out %KEY_DIR%\ca.crt -config %HOME%\openssl.cnf -verbose -text

For SERVER:

    openssl ecparam -name secp160k1 -out %HOME%\ecparameters
    openssl req -days 3650 -nodes -newkey ec:%HOME%\ecparameters -sha1 -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %HOME%\openssl.cnf -verbose
    openssl x509 -req -in %KEY_DIR%\server.csr -CA %KEY_DIR%\ca.crt -CAkey %KEY_DIR%\ca.key -extensions server -CAcreateserial -out %KEY_DIR%\server.crt -text -extfile %HOME%\openssl.cnf

For CLIENT:

    openssl ecparam -name secp160k1 -out %HOME%\ecparameters
    openssl req -days 3650 -nodes -newkey ec:%HOME%\ecparameters -sha1 -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.csr -config %HOME%\openssl.cnf -verbose
    openssl x509 -req -in %KEY_DIR%\%1.csr -out %KEY_DIR%\%1.crt -CA %KEY_DIR%\ca.crt -CAkey %KEY_DIR%\ca.key -extensions v3_req -extfile %HOME%\openssl.cnf -text

In my client & server openssl.cnf files I've specified cipher AES-128-CBC.

If I generate the certificates using the standard installed batch files (i.e. not using ECDSA) I can connect no problem, so I'm guessing there must be something wrong with the commands to generate the certificates. I've tried several other ECPARAM curves but still get the error.

Can anyone tell me what I'm doing wrong, or point me to some commands to get ECDSA working please.

I'm using openssl version 1.0.0.d & OpenVPN version 2.2.0 on Windows XP.

Thanks
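The post's certificate-generation flow, written as an added, self-contained example that is not part of the original post and is not the poster's batch scripts: it builds an EC CA plus a server and a client certificate with OpenSSL, then checks what actually came out (key algorithm, curve, signature algorithm, chain validity for the sslserver/sslclient purposes) and lists the cipher suites the local OpenSSL can negotiate with an ECDSA key. Those checks separate "the certificates or their extensions are wrong" from "the TLS stack found no usable cipher suite", which is what the log's SSL3_GET_CLIENT_HELLO:no shared cipher line reports. Everything here is an assumption made for the demonstration: the curve prime256v1 (instead of the post's secp160k1), the file names, the subjects, and the small config file with the `[ server ]` and `[ client ]` sections that `-extensions server` and `-extensions v3_req` expect to find in openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the original post: build a small ECDSA PKI with
# OpenSSL and inspect the result. The curve (prime256v1), file names and the
# extension config below are assumptions made for this demonstration.
set -eu

# Minimal config: a [req] section so "openssl req" does not depend on the
# system openssl.cnf, plus the v3 extension sections selected by -extensions.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder

[ ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash

[ client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
}

# make_ec_pki DIR CURVE: self-signed EC CA plus a server and a client
# certificate, every key on CURVE and every signature ECDSA-with-SHA256.
make_ec_pki() {
    dir=$1
    curve=$2
    mkdir -p "$dir"
    write_cnf "$dir/pki.cnf"

    openssl ecparam -genkey -name "$curve" -noout -out "$dir/ca.key"
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" \
        -subj "/CN=Example EC CA" -config "$dir/pki.cnf" -extensions ca \
        -out "$dir/ca.crt"

    for role in server client; do
        openssl ecparam -genkey -name "$curve" -noout -out "$dir/$role.key"
        openssl req -new -sha256 -key "$dir/$role.key" \
            -subj "/CN=$role.example" -config "$dir/pki.cnf" \
            -out "$dir/$role.csr"
        # -extensions selects the [server] or [client] section of -extfile;
        # naming a section that does not exist makes this step fail.
        openssl x509 -req -sha256 -days 3650 -in "$dir/$role.csr" \
            -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
            -extfile "$dir/pki.cnf" -extensions "$role" \
            -out "$dir/$role.crt" 2>/dev/null
    done
}

# Field extractors over "openssl x509 -text" output.
cert_key_algo() {   # id-ecPublicKey for an EC key, rsaEncryption for RSA
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p' | head -n 1
}
cert_sig_algo() {   # e.g. ecdsa-with-SHA256
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
cert_curve() {      # named curve of the EC public key, e.g. prime256v1
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *ASN1 OID: //p' | head -n 1
}

# verify_chain CA CERT PURPOSE: chain check plus the keyUsage/EKU test for
# PURPOSE (sslserver or sslclient), as a TLS peer would apply it.
verify_chain() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# Cipher suites the local OpenSSL can use with an ECDSA certificate; a
# server holding an ECDSA key can negotiate only these.
list_ecdsa_suites() {
    openssl ciphers 'aECDSA' | tr ':' '\n'
}

# Stand-alone run: build the PKI in a temporary directory and report on it.
demo() {
    d=$(mktemp -d)
    make_ec_pki "$d" prime256v1
    for f in ca server client; do
        printf '%s: key=%s curve=%s sig=%s\n' "$f" \
            "$(cert_key_algo "$d/$f.crt")" "$(cert_curve "$d/$f.crt")" \
            "$(cert_sig_algo "$d/$f.crt")"
    done
    verify_chain "$d/ca.crt" "$d/server.crt" sslserver && echo "server chain: OK"
    verify_chain "$d/ca.crt" "$d/client.crt" sslclient && echo "client chain: OK"
    echo "ECDSA-capable suites: $(list_ecdsa_suites | wc -l | tr -d ' ')"
    rm -rf "$d"
}
demo
```

The purpose check matters: a certificate whose extensions come from the wrong section (a client-style `v3_req` section on a server certificate, or a section with no `extendedKeyUsage`) still verifies as a plain chain but fails `-purpose sslserver`, so `openssl verify` alone can hide an extension mistake that a peer will reject. The `aECDSA` listing shows which suites the library itself offers for an ECDSA key; if the application restricts the suite list further, that restriction has to leave at least one of these in common with the peer.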