Hi, first of all please accept my apologies. I know this is a question
more related to OpenVPN, but I think that the problem lies in the cert
authority and client/server certificate generation step with OpenSSL, so
I'm also posting it here, hoping for a solution.

I'm trying to make an OpenVPN setup with Elliptic Curve cryptography
and SHA-512 on Linux Debian. This seems to be very hard; I didn't find
any howto on the web :( If and when I manage to get the whole thing
up and running I will write a detailed howto, so any help is appreciated!

As a premise: yes, I've recompiled OpenVPN using the latest OpenSSL
version (see below). My suspicion is that I made some mistake in the
certificate generation process, but I can't find it.

I also posted this issue at https://forums.openvpn.net/topic8404.html
but there I included a lot of information more strictly related to my
OpenVPN configuration; I will include here just the steps I used to
set up the PKI with OpenSSL. Here is what I did:


1) downloaded OpenSSL 1.0.0, configured and installed in
/usr/local/openssl (to avoid removing the already installed openssl
0.9.8 which looks like it's a crucial package for everything on my
system) with:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
I am calling the new openssl version with the "openssl-new" alias.

2) created a CA:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
openssl-new ecparam -out private/cakey_temp.pem -name sect571k1 -text -genkey
openssl-new ec -in private/cakey_temp.pem -out private/cakey.pem -aes256
wipe -f private/cakey_temp.pem
openssl-new req -new -x509 -out cacert.pem -key private/cakey.pem -days 36500 -sha512 -extensions v3_ca
openssl-new x509 -text -in cacert.pem
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
with the last command I read: Signature Algorithm: ecdsa-with-SHA512

3) created a server key and certification request:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
openssl-new req -nodes -sha512 -newkey ec:cacert.pem -new -days 36500 -out req.pem
chmod 600 privkey.pem
mv privkey.pem private/serverkey.pem
openssl-new req -in req.pem -text -verify -noout
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
again, I read: Signature Algorithm: ecdsa-with-SHA512

4) modified openssl.cnf accordingly and signed the request with the CA:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
openssl-new ca -config openssl.cnf -policy policy_anything -out servercert.pem -md sha512 -cert cacert.pem -keyfile private/cakey.pem -infiles req.pem
rm req.pem
----8<--------8<--------8<--------8<--------8<--------8<--------8<----

5) created a client key and certification request:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
openssl-new req -nodes -sha512 -newkey ec:cacert.pem -new -days 36500 -out req.pem
chmod 600 privkey.pem
mv privkey.pem private/clientkey.pem
----8<--------8<--------8<--------8<--------8<--------8<--------8<----

6) signed the request with the CA:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
openssl-new ca -config openssl.cnf -policy policy_anything -out clientcert.pem -md sha512 -cert cacert.pem -keyfile private/cakey.pem -infiles req.pem
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
(I later moved client files in ~/.ssl )

7) created both ECDH and DH (for testing) parameters:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
openssl-new ecparam -out ecdh.pem -name sect571k1
openssl-new dhparam -out dh.pem 4096
----8<--------8<--------8<--------8<--------8<--------8<--------8<----


My OpenVPN configuration does not work; I receive this error in the logs:
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
TLS_ERROR: BIO read tls_read_plaintext error: error:1408A0C1:SSL
routines:SSL3_GET_CLIENT_HELLO:no shared cipher
----8<--------8<--------8<--------8<--------8<--------8<--------8<----
but, as I said, this is more related to OpenVPN and it is detailed in
the forum post I linked above. What I'd like to know from more
experienced OpenSSL users here is: did I perform steps 1)...7)
correctly? Please help, I'm really in need of this ._. I will write a
complete and detailed howto as a small compensation for the community!

Thanks in advance
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
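As an added example that is not part of the original post, the PKI steps above rebuilt as one self-contained script (scratch directory, `openssl x509 -req` in place of the `openssl ca` setup, no DH parameters), followed by the checks an operator would run on the resulting files before looking at the OpenVPN side: chain verification against the CA, signature algorithm, key curve and server usability. All paths, subject names and `vpn.example.test` are constructed; it assumes a stock `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example (constructed names and paths): small EC / SHA-512 PKI plus
# the checks that tell whether the certificate side is actually in order.
set -eu

WORK=$(mktemp -d)
CURVE=sect571k1          # the curve used in the post
DAYS=36500

# Build a throwaway CA and a server certificate, both signed with ECDSA/SHA-512.
build_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
  openssl ecparam -name "$CURVE" -genkey -noout -out "$WORK/cakey.pem"
  openssl req -new -sha512 -key "$WORK/cakey.pem" -subj "/CN=Test EC CA" -out "$WORK/careq.pem"
  openssl x509 -req -sha512 -days "$DAYS" -in "$WORK/careq.pem" -signkey "$WORK/cakey.pem" \
    -extfile "$WORK/ca.ext" -out "$WORK/cacert.pem"
  openssl ecparam -name "$CURVE" -genkey -noout -out "$WORK/serverkey.pem"
  openssl req -new -sha512 -key "$WORK/serverkey.pem" -subj "/CN=vpn.example.test" \
    -out "$WORK/req.pem"
  openssl x509 -req -sha512 -days "$DAYS" -in "$WORK/req.pem" -CA "$WORK/cacert.pem" \
    -CAkey "$WORK/cakey.pem" -CAcreateserial -extfile "$WORK/server.ext" \
    -out "$WORK/servercert.pem"
}

# Print the signature algorithm named in a PEM certificate (e.g. ecdsa-with-SHA512).
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# Print the named curve of an EC certificate's public key (e.g. sect571k1).
cert_curve() {
  openssl x509 -in "$1" -noout -pubkey | openssl ec -pubin -noout -text 2>/dev/null |
    sed -n 's/^ASN1 OID: //p'
}

# Succeed only if the server cert chains to the CA, is ECDSA/SHA-512 signed
# and is usable as an SSL server certificate (what a TLS client will check).
check_server_cert() {
  ca=$1; cert=$2
  openssl verify -CAfile "$ca" "$cert" >/dev/null || return 1
  [ "$(sig_alg "$cert")" = "ecdsa-with-SHA512" ] || return 2
  openssl x509 -in "$cert" -noout -purpose | grep -q '^SSL server : Yes' || return 3
}

build_pki
check_server_cert "$WORK/cacert.pem" "$WORK/servercert.pem" && echo "PKI checks passed"
```

A passing run only proves the certificates and keys are consistent; the `no shared cipher` message quoted above is decided during the TLS handshake and has to be diagnosed on the OpenVPN side.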