On Tue, Mar 04, 2014, Jeffrey Walton wrote:

> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
> <openssl-us...@dukhovni.org> wrote:
> > On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
> >
> >> I've got a server that can't negotiate a cipher suite with a client
> >> when using ECDSA certificates. When using ECDSA, the server reports
> >> 0x1408a0c1 (no shared cipher).
> >
> > Did you configure an EECDH (aka ECDHE) curve? With OpenSSL 1.0.[01],
> > the more common ECDSA cipher-suites use kEECDH key agreement.
> Yes. The server's preferred cipher list is:
>
> static const char PREFERRED_CIPHERS[] =
>     "ECDHE-ECDSA-AES256-GCM-SHA384:"
>     "ECDHE-ECDSA-AES128-GCM-SHA256:"
>     "ECDHE-RSA-AES256-GCM-SHA384:"
>     "ECDHE-RSA-AES128-GCM-SHA256:"
>     "DHE-RSA-AES256-GCM-SHA384:"
>     "DHE-RSA-AES128-GCM-SHA256:"
>     "DHE-RSA-AES256-SHA:"
>     "DHE-RSA-AES128-SHA:"
>     "EDH-RSA-DES-CBC3-SHA:"
>     "DH-RSA-DES-CBC3-SHA";
>

Silly question time. Viktor asked if you'd set an ECDHE curve and you
responded saying yes and a list of ciphersuites which by themselves don't
set a curve.

So just to double check: you did set temporary curve parameters using
something like SSL_CTX_set_tmp_ecdh?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org