Hi,

Does anybody know whether openssl s_client and s_server support the use of
the -dtls1 option while the server uses an ECC key?
The issuing CA and root CA use ECC keypairs.

These are my openssl s_server and s_client options:
openssl s_server -accept 12000 -cert server.pem -certform pem -key server_key.pem -keyform pem -CApath . -CAfile CAECCRoot.pem -dtls1 -cipher ALL -debug -msg -state
openssl s_client -connect 10.8.122.106:12000 -CApath . -CAfile CAECCRoot.pem -dtls1 -cipher ALL -debug -msg -state

When I attempted to do this, the s_client gives an error:

SSL3 alert write:fatal:decrypt error
SSL_connect:error in SSLv3 read server key exchange B
5551756:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad
signature:s3_clnt.c:1610

Further down, I notice that the Verify return code is 0 (ok).

I also use openssl verify to verify the server certificate using
the issuing CA and root CA. The result agrees with the result shown by the
s_client debug message.

On a second note, I also tried the s_server with an RSA keypair, issued by the
same issuing CA; the server certificate has an RSA public key and its signature
algorithm is ecdsa-with-SHA256.
In this scenario, the s_client was able to establish a TLS connection with the
s_server.

Does this mean that the openssl s_client and s_server do not support ECC
keypairs?

Any pointers or ideas on how to further troubleshoot this?

Thanks,
Erwin
