On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>
>> I've got a server that can't negotiate a cipher suite with a client
>> when using ECDSA certificates. When using ECDSA, the server reports
>> 0x1408a0c1 (no shared cipher).
>
> Did you configure an EECDH (aka ECDHE) curve? With OpenSSL 1.0.[01],
> the more common ECDSA cipher-suites use kEECDH key agreement.

Yes. The server's preferred cipher list is:

static const char PREFERRED_CIPHERS[] =
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA:"
    "EDH-RSA-DES-CBC3-SHA:"
    "DH-RSA-DES-CBC3-SHA";

>> When testing under RSA, the ECDH callback is successfully invoked.
>> When testing under ECDSA, the ECDH callback is never invoked.
>
> What is in the (non-extended) keyUsage extension of the certificate?
> IIRC with EC, if the keyUsage extension is present, the certificate
> needs to be marked usable for keyAgreement. From ssl/ssl_lib.c:
>
>     ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
>         (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
>
> and right below that:
>
>     ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
>         (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
>
> so you need at least both of digitalSignature and keyAgreement:
>
>     https://www.openssl.org/docs/apps/x509v3_config.html#Key_Usage_
>
> or don't include the extension at all.

The server's Key Usage is Digital Signature, Key Encipherment, Key
Agreement. None of them are critical.

Extended Key Usage is not specified. It's not present in the
certificate (as opposed to present but empty).

Let me try adding an EKU of serverAuth to see if that helps.

Jeff

According to RFC 5280:

    4.2.1.12. Extended Key Usage

    This extension indicates one or more purposes for which the
    certified public key may be used, in addition to or in place of
    the basic purposes indicated in the key usage extension...
    ...
    If the extension is present, then the certificate MUST only be
    used for one of the purposes indicated.

I avoided EKU because I've seen some Java clients reject a server's
cert due to differences between KU and EKU. Since EKU only offers
serverAuth, it can cause problems in key transport schemes.

But the really odd thing is RSA and DSA are OK. It's odd that ECDSA is
the only cert type causing my headaches.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
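
Added example (not part of the original message, and not OpenSSL's own code): the two keyUsage tests quoted above from ssl/ssl_lib.c, applied to DER keyUsage values constructed for this illustration, including the Digital Signature, Key Encipherment, Key Agreement set reported in the thread. The names struct cert_flags, load_key_usage, KU_THREAD and KU_SIGN_ONLY are hypothetical; the bit constants match OpenSSL's x509v3.h.

```c
#include <stddef.h>
#include <stdio.h>

/* Bit values as in OpenSSL's x509v3.h (X509v3_KU_* are aliases of KU_*). */
#define EXFLAG_KUSAGE        0x0002
#define KU_DIGITAL_SIGNATURE 0x0080
#define KU_KEY_AGREEMENT     0x0008

/* Hypothetical stand-in for the two X509 fields the quoted checks read. */
struct cert_flags { unsigned long ex_flags, ex_kusage; };

/* Constructed DER keyUsage values (BIT STRING: 03 len unused-bits data). */
static const unsigned char KU_THREAD[]    = {0x03, 0x02, 0x03, 0xA8}; /* digSig, keyEnc, keyAgree */
static const unsigned char KU_SIGN_ONLY[] = {0x03, 0x02, 0x07, 0x80}; /* digitalSignature only */

/* Decode a keyUsage BIT STRING; der == NULL models an absent extension. Returns 0 or -1. */
int load_key_usage(struct cert_flags *c, const unsigned char *der, size_t n)
{
    c->ex_flags = c->ex_kusage = 0;
    if (der == NULL) return 0;
    if (n < 3 || n > 5 || der[0] != 0x03 || (size_t)der[1] != n - 2 || der[2] > 7)
        return -1;
    c->ex_flags |= EXFLAG_KUSAGE;
    if (n > 3) c->ex_kusage = der[3];                       /* bits 0..7 */
    if (n > 4) c->ex_kusage |= (unsigned long)der[4] << 8;  /* bit 8 = decipherOnly */
    return 0;
}

/* The two tests quoted from ssl/ssl_lib.c, normalised to 0/1. */
int ecdh_ok(const struct cert_flags *x)
{
    return (x->ex_flags & EXFLAG_KUSAGE) ? (x->ex_kusage & KU_KEY_AGREEMENT) != 0 : 1;
}
int ecdsa_ok(const struct cert_flags *x)
{
    return (x->ex_flags & EXFLAG_KUSAGE) ? (x->ex_kusage & KU_DIGITAL_SIGNATURE) != 0 : 1;
}

int main(void)
{
    struct cert_flags c;
    load_key_usage(&c, KU_THREAD, sizeof KU_THREAD);
    printf("KU from this thread:   ecdh_ok=%d ecdsa_ok=%d\n", ecdh_ok(&c), ecdsa_ok(&c));
    load_key_usage(&c, KU_SIGN_ONLY, sizeof KU_SIGN_ONLY);
    printf("digitalSignature only: ecdh_ok=%d ecdsa_ok=%d\n", ecdh_ok(&c), ecdsa_ok(&c));
    load_key_usage(&c, NULL, 0);
    printf("no keyUsage extension: ecdh_ok=%d ecdsa_ok=%d\n", ecdh_ok(&c), ecdsa_ok(&c));
    return 0;
}
```

Of the three inputs, only the digitalSignature-only value fails ecdh_ok; the key usage reported in the thread and the absent extension satisfy both tests.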