Hi Erwin,

Thanks for the report. I found the bug and submitted a patch (#2628). You can 
also download it from our website at 
http://sctp.fh-muenster.de/dtls-patches.html and it would be very helpful if 
you can confirm that the patch fixes your issue.

Robin


On Oct 12, 2011, at 11:33 PM, Erwin Himawan wrote:

> Hi,
> 
> Does anybody know whether openssl s_client and s_server support the use of 
> the -dtls1 option while the server uses an ECC key?
> The issuing CA and root CA use ECC keypair.
> 
> These are my openssl s_server and s_client options:
> openssl s_server -accept 12000 -cert server.pem -certform pem -key 
> server_key.pem -keyform pem -CApath . -CAfile CAECCRoot.pem -dtls1 -cipher 
> ALL -debug -msg -state
> openssl s_client -connect:10.8.122.106:12000 -CApath . -CAfile CAECCRoot.pem 
> -dtls1 -cipher ALL -debug -msg -state
> 
> When I attempted to do this, the s_client gave an error:
> 
> SSL3 alert write:fatal:decrypt error
> SSL_connect:error in SSLv3 read server key exchange B
> 5551756:error:1408D07B:SSL routines:SSL3_GET_KEY_EXCHANGE:bad 
> signature:s3_clnt.c:1610
> 
> Further down, I notice that the Verify return code: 0 (ok).
> 
> I also use openssl verify to verify the server certificate using the issuing 
> CA and root CA. The result agrees with the result shown by the s_client debug 
> message.
> 
> On a second note, I also tried the s_server with an RSA keypair, issued by the 
> same issuing CA; the server certificate has an RSA public key, and the signature 
> algorithm is ecdsa-with-SHA256.
> In this scenario, the s_client was able to establish a TLS connection with the 
> s_server.
> 
> Does this mean that the openssl s_client and s_server do not support ECC 
> keypairs?
> 
> Any pointers or ideas on how to further troubleshoot this?
> 
> Thanks,
> Erwin

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
