Hi Steve,
Thanks for your response. I'm just trying to figure out what it takes to get 
this working - are you of the opinion that an SSL server should not support TLS 
1.2 ECDH-RSA cipher suites? Could you also mention why?

I configured my openssl RSA CA to add the key usage extension for key agreement 
to the ECC certificate but even then it does not work. Pre-TLS 1.2 cipher 
suites such as ECDH-RSA-AES128-SHA work fine but just not the TLS 1.2 cipher 
suites with AESGCM.
Thanks
Abhi

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Thursday, November 01, 2012 4:40 AM
To: openssl-users@openssl.org
Subject: Re: ECDH-RSA and TLS 1.2

On Thu, Nov 01, 2012, Abhiram Shandilya wrote:

> I ran openssl s_server with an ECC certificate signed by an RSA Root CA. When 
> I try to connect using s_client and a TLS 1.2 ECDH-RSA cipher suite (e.g. 
> ECDH-RSA-AES128-SHA256 or ECDH-RSA-AES128-GCM-SHA256), the connection fails 
> with s_server printing the following error: "3086918464:error:1408A0C1:SSL 
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353:". Can someone 
> please tell me why this doesn't work? Here are the commands I used:
> 
> Starting s_server:
> openssl s_server -accept 4433 -key ./key.pem -cert cert.pem
> 
> Connecting with s_client:
> openssl s_client -connect localhost:4433 -cipher 
> ECDH-RSA-AES128-SHA256
> 

You probably don't want ECDH-RSA-AES128-SHA256 as it is a fixed ECDH 
ciphersuite (if you do you need to use an appropriate curve in the EE 
certificate and include key agreement in the key usage extension, if present).
You should try ECDHE-ECDSA-AES128-SHA256 which uses ephemeral ECDH.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
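The certificate requirement Steve describes for a fixed ECDH_RSA suite (EE certificate on a named curve, signed by an RSA CA, with keyAgreement in keyUsage) can be checked directly on the certificate. The script below is an added example, not code from the thread: it issues two EC certificates from a throwaway RSA root, one signature-only and one that also allows key agreement, and decodes the keyUsage of each. File names and subjects are assumptions; later OpenSSL releases dropped the fixed ECDH suites entirely, so the script inspects certificates only and does not attempt the handshake.

```shell
#!/bin/sh
# Added example, not from the thread: issue an EC end-entity certificate from an
# RSA root CA, once without and once with keyAgreement in keyUsage, then check
# which one satisfies the fixed-ECDH requirement. File names and subjects are
# assumptions chosen for this example.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# RSA root CA, the equivalent of the "openssl RSA CA" in the thread.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example RSA Root" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
}

# EC end-entity cert on a named curve (prime256v1), signed by the RSA CA.
# $1 = keyUsage value, $2 = output certificate path.
make_ee() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem"
  openssl req -new -key "$WORK/key.pem" -subj "/CN=localhost" \
    -out "$WORK/ee.csr" 2>/dev/null
  printf 'keyUsage=critical,%s\n' "$1" > "$WORK/ext.cnf"
  openssl x509 -req -in "$WORK/ee.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/ext.cnf" -out "$2" 2>/dev/null
}

# Prints the decoded Key Usage bits, e.g. "Digital Signature, Key Agreement".
key_usage_of() {
  openssl x509 -in "$1" -noout -text | grep -A1 'X509v3 Key Usage' | tail -n 1 | sed 's/^ *//'
}

# Succeeds only if the certificate permits key agreement, which is what a
# fixed ECDH_RSA suite needs; a signature-only cert is enough for ECDHE-ECDSA.
allows_key_agreement() {
  key_usage_of "$1" | grep -q 'Key Agreement'
}

make_ca
make_ee digitalSignature "$WORK/sig_only.pem"
make_ee digitalSignature,keyAgreement "$WORK/agree.pem"
for c in sig_only agree; do
  printf '%s: %s\n' "$c" "$(key_usage_of "$WORK/$c.pem")"
done
```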