On Tue, Mar 4, 2014 at 10:03 AM, Jeffrey Walton <[email protected]> wrote:
> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
> <[email protected]> wrote:
>> On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>> ...
>> What is in the (non-extended) keyUsage extension of the certificate?
>> IIRC with EC, if the keyUsage extension is present, the certificate
>> needs to be marked usable for keyAgreement. From ssl/ssl_lib.c:
>>
>>     ecdh_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
>>         (x->ex_kusage & X509v3_KU_KEY_AGREEMENT) : 1;
>>
>> and right below that:
>>
>>     ecdsa_ok = (x->ex_flags & EXFLAG_KUSAGE) ?
>>         (x->ex_kusage & X509v3_KU_DIGITAL_SIGNATURE) : 1;
>>
>> so you need at least both of digitalSignature and keyAgreement:
>>
>> https://www.openssl.org/docs/apps/x509v3_config.html#Key_Usage_
>>
>> or don't include the extension at all.
>
> The server's Key Usage is Digital Signature, Key Encipherment, Key
> Agreement. None of them are critical.
>
> Extended Key Usage is not specified. It's not present in the certificate
> (as opposed to present but empty).
>
> Let me try adding an EKU of serverAuth to see if that helps.

The certificate now includes an EKU of "TLS Web Server Authentication." But still no joy.
Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
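The keyUsage gate Viktor quotes from ssl/ssl_lib.c, reproduced below as an added worked example. This is editor-supplied code, not OpenSSL's and not part of the thread: it decodes a DER keyUsage BIT STRING into the ex_kusage layout OpenSSL builds in crypto/x509v3/v3_purp.c (first octet in the low byte, second octet shifted up by 8) and then applies the same ecdh_ok / ecdsa_ok test. The X509v3_KU_* values are the ones from <openssl/x509v3.h>; the DER byte strings are constructed test vectors, not bytes from the poster's certificate.

```python
from __future__ import annotations

# Added example: pure-Python mirror of the keyUsage check quoted from
# OpenSSL's ssl/ssl_lib.c. Not OpenSSL code, not from the mailing-list thread.
#
# Bit layout follows crypto/x509v3/v3_purp.c (x509v3_cache_extensions):
#   ex_kusage = data[0] | (data[1] << 8)
# and EXFLAG_KUSAGE is set whenever the extension is present, even if the
# BIT STRING is empty. Constants are the X509v3_KU_* values from x509v3.h.
KU_DIGITAL_SIGNATURE = 0x0080
KU_NON_REPUDIATION = 0x0040
KU_KEY_ENCIPHERMENT = 0x0020
KU_DATA_ENCIPHERMENT = 0x0010
KU_KEY_AGREEMENT = 0x0008
KU_KEY_CERT_SIGN = 0x0004
KU_CRL_SIGN = 0x0002
KU_ENCIPHER_ONLY = 0x0001
KU_DECIPHER_ONLY = 0x8000

KU_NAMES = [
    ("digitalSignature", KU_DIGITAL_SIGNATURE),
    ("nonRepudiation", KU_NON_REPUDIATION),
    ("keyEncipherment", KU_KEY_ENCIPHERMENT),
    ("dataEncipherment", KU_DATA_ENCIPHERMENT),
    ("keyAgreement", KU_KEY_AGREEMENT),
    ("keyCertSign", KU_KEY_CERT_SIGN),
    ("cRLSign", KU_CRL_SIGN),
    ("encipherOnly", KU_ENCIPHER_ONLY),
    ("decipherOnly", KU_DECIPHER_ONLY),
]


def decode_key_usage(der: bytes) -> int:
    """Decode the DER KeyUsage BIT STRING (RFC 5280 s4.2.1.3) carried in the
    extension's extnValue and return it in OpenSSL's ex_kusage layout.
    Raises ValueError for anything that is not a short-form DER BIT STRING."""
    if len(der) < 2 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length == 0 or length != len(der) - 2:
        raise ValueError("bad or unsupported length")
    unused = der[2]            # number of unused bits in the last octet
    body = der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("bad unused-bits count")
    # DER requires the unused trailing bits of the last octet to be zero.
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits (not DER)")
    bits = body[0] if body else 0
    if len(body) > 1:          # OpenSSL only looks at the first two octets
        bits |= body[1] << 8
    return bits


def ec_cert_usable(ku_present: bool, ex_kusage: int) -> tuple[bool, bool]:
    """Same test as ecdh_ok / ecdsa_ok in ssl/ssl_lib.c: without a keyUsage
    extension both uses are allowed; with one, each use needs its own bit.
    Returns (ecdh_ok, ecdsa_ok)."""
    if not ku_present:
        return True, True
    return bool(ex_kusage & KU_KEY_AGREEMENT), bool(ex_kusage & KU_DIGITAL_SIGNATURE)


def describe(ex_kusage: int) -> list[str]:
    """Names of the set keyUsage bits, in RFC 5280 order."""
    return [name for name, bit in KU_NAMES if ex_kusage & bit]


if __name__ == "__main__":
    # Constructed vectors (editor-supplied, not the poster's certificate).
    samples = {
        "digitalSignature, keyEncipherment, keyAgreement": b"\x03\x02\x03\xa8",
        "digitalSignature only": b"\x03\x02\x07\x80",
        "extension present but BIT STRING empty": b"\x03\x01\x00",
        "digitalSignature + decipherOnly (second octet)": b"\x03\x03\x07\x80\x80",
    }
    for label, der in samples.items():
        ku = decode_key_usage(der)
        ecdh_ok, ecdsa_ok = ec_cert_usable(True, ku)
        print(f"{label}: {describe(ku)} -> ecdh_ok={ecdh_ok} ecdsa_ok={ecdsa_ok}")
    print("no keyUsage extension at all ->", ec_cert_usable(False, 0))
```

The "present but empty" case is the one to watch: OpenSSL sets EXFLAG_KUSAGE whenever the extension exists and leaves ex_kusage at 0 when the BIT STRING is empty, so an empty keyUsage fails both checks while an absent one passes both. The bit set Jeff describes (digitalSignature, keyEncipherment, keyAgreement) passes both, which is consistent with his report that the keyUsage is not what is blocking the handshake; `openssl x509 -in cert.pem -noout -text` shows the decoded bits to compare against.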
