Just discovered the culprit. I had configured the server using TLSv1_server_method(), going from <http://www.openssl.org/docs/ssl/SSL_CTX_new.html> and assuming TLSv1 encompasses v1.{1,2}. Stumbled on this by chance by experimenting with forcing TLSv1.2 (of which the desired cipher suite is a part) and getting output about an incorrect version. Tried out SSLv23_server_method() and it worked, then (assuming the correct id by extrapolation) TLSv1_2_server_method() and everything works great. Some doc updates here would probably be welcome to the next guy.
k

On Fri, Nov 9, 2012 at 7:44 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Fri, Nov 09, 2012, Karel Sedláček wrote:
>
>> I was using secp521r1, but secp384r1 has the same behavior. Here is
>> the output with -state:
>>
>> SSL_connect:error in SSLv2/v3 read server hello A
>> 140735101956572:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741:
>
> Hmmm... without a server error message it isn't possible to be sure but I'd
> guess it is complaining about no shared ciphers. That shouldn't happen unless
> you've got some custom way of adding the necessary algorithms instead or
> you've changed the default cipherstring.
>
> OK there are three components that might be failing, GCM, EECDH and SHA384.
> I'd suggest seeing if you can connect with ciphersuites that don't use all of
> them to see which part is causing the problem. For example:
>
> ECDHE-ECDSA-AES256-SHA
> ECDHE-ECDSA-AES256-SHA384
> ECDH-ECDSA-AES256-GCM-SHA384
>
> With the server cipherstring as the default in each case.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
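The failure described in this thread comes down to a version-range mismatch: a server context built with TLSv1_server_method() only ever negotiates TLS 1.0, while ECDHE-ECDSA-AES256-GCM-SHA384 (like every AEAD and SHA-256/384 suite) is defined for TLS 1.2 only, so the server has no shared cipher and sends the handshake-failure alert. The script below is an added illustration, not code from the thread or from OpenSSL: it uses Python's ssl module to ask the local OpenSSL build which protocol each suite requires and which of the three key-exchange/MAC/AEAD properties Steve suggested isolating it uses, then models each server method as a version range (the SSLv23_server_method range shown as TLS 1.0 through TLS 1.3 is an assumption for a modern build; the names SERVER_METHODS, describe_suite, suite_min_version and negotiable are ours). It runs offline; no handshake is performed.

```python
import ssl

# Added illustration, not OpenSSL's API.  Each server method from the thread is
# modelled as the range of protocol versions such a server will negotiate.
# Assumption: SSLv23_server_method is shown as TLS 1.0 through TLS 1.3, the
# widest range a current OpenSSL build offers.
SERVER_METHODS = {
    "TLSv1_server_method":   (ssl.TLSVersion.TLSv1,   ssl.TLSVersion.TLSv1),
    "TLSv1_2_server_method": (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2),
    "SSLv23_server_method":  (ssl.TLSVersion.TLSv1,   ssl.TLSVersion.TLSv1_3),
}

# The suite that failed, plus the three Steve suggested for isolating
# GCM, EECDH and SHA384.  Static ECDH suites were dropped in OpenSSL 1.1.0,
# so the last one is reported as unavailable on modern builds.
SUITES = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-SHA",
    "ECDHE-ECDSA-AES256-SHA384",
    "ECDH-ECDSA-AES256-GCM-SHA384",
]


def describe_suite(name):
    """Return OpenSSL's description of one ciphersuite (protocol, kea, digest,
    aead, ...) as reported by SSLContext.get_ciphers(), or None if this
    build does not know the suite at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(name)  # raises SSLError when nothing matches
    except ssl.SSLError:
        return None
    for cipher in ctx.get_ciphers():
        if cipher["name"] == name:
            return cipher
    return None


def suite_min_version(name):
    """Lowest protocol version that can carry this suite, as an ssl.TLSVersion.
    OpenSSL tags AEAD and SHA-256/384 suites 'TLSv1.2' and TLS 1.3 suites
    'TLSv1.3'; legacy suites are tagged 'SSLv3' or 'TLSv1' and both run
    under TLS 1.0, which is what TLSv1_server_method() speaks."""
    info = describe_suite(name)
    if info is None:
        return None
    return {
        "TLSv1.3": ssl.TLSVersion.TLSv1_3,
        "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    }.get(info["protocol"], ssl.TLSVersion.TLSv1)


def negotiable(method, suite):
    """Could a server built with `method` ever select `suite`?  If not, a
    client offering only that suite gets exactly the 'sslv3 alert handshake
    failure' (no shared cipher) seen in the thread."""
    low, high = SERVER_METHODS[method]
    need = suite_min_version(suite)
    if need is None:
        return False
    return low <= need <= high


def report():
    """One row per suite: its protocol tag, the properties Steve asked to
    isolate (key exchange, MAC digest, AEAD) and which server methods can
    negotiate it."""
    rows = []
    for suite in SUITES:
        info = describe_suite(suite)
        if info is None:
            rows.append((suite, "not available in this OpenSSL build"))
            continue
        rows.append((suite, info["protocol"], info["kea"], info["digest"],
                     info["aead"],
                     {m: negotiable(m, suite) for m in SERVER_METHODS}))
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
```

Running it shows the GCM-SHA384 suite tagged TLSv1.2 and marked non-negotiable under TLSv1_server_method but negotiable under TLSv1_2_server_method and SSLv23_server_method, while ECDHE-ECDSA-AES256-SHA is acceptable to all three; that is the same split the original poster found by trial, and the same isolation Steve proposed, now readable from the cipher table instead of from a failed handshake.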