On Tue, Mar 04, 2014, Viktor Dukhovni wrote: > On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote: > > > I've got a server that can't negotiate a cipher suite with a client > > when using ECDSA certificates. When using ECDSA, the server reports > > 0x1408a0c1 (no shared cipher). > > Did you configure an EECDH (aka ECDHE) curve? With OpenSSL 1.0.[01], > the more common ECDSA cipher-suites use kEECDH key agreement. > > > When testing under RSA, the ECDH callback is successfully inovked. > > When testing under ECDSA, the ECDH callback is never invoked. > > What is in the (non-extended) keyUsage extension of the certificate? > IIRC with EC, if the keyUsage extension is present, the certificate > needs to be marked usable for keyAgreement. From ssl/ssl_lib.c: > > ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ? > (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1; > > and right below that: > > ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ? > (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1; > > so you need at least both of digitalSignature and keyAgreement: > > https://www.openssl.org/docs/apps/x509v3_config.html#Key_Usage_ > > or don't include the extension at all. >
Well the two should act as a filter for ciphersuites the server will accept. If digital signature is set any ciphersuites which uses the certificate for signing is permissible: which is normally the ephemeral ones. Additionally an EC temporary curve needs to be set as you point out. If key agreement is set the less common ciphersuites which use the server certificate for ECDH are permitted too. If key usage is absent then both can be used. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
