On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson <st...@openssl.org> wrote: > On Tue, Mar 04, 2014, Jeffrey Walton wrote: > >> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni >> <openssl-us...@dukhovni.org> wrote: >> > On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote: >> > >> >> I've got a server that can't negotiate a cipher suite with a client >> >> when using ECDSA certificates. When using ECDSA, the server reports >> >> 0x1408a0c1 (no shared cipher). >> > >> > Did you configure an EECDH (aka ECDHE) curve? With OpenSSL 1.0.[01], >> > the more common ECDSA cipher-suites use kEECDH key agreement. >> Yes. The server's preferred cipher list is: >> >> static const char PREFERRED_CIPHERS[] = >> "ECDHE-ECDSA-AES256-GCM-SHA384:" >> "ECDHE-ECDSA-AES128-GCM-SHA256:" >> "ECDHE-RSA-AES256-GCM-SHA384:" >> "ECDHE-RSA-AES128-GCM-SHA256:" >> "DHE-RSA-AES256-GCM-SHA384:" >> "DHE-RSA-AES128-GCM-SHA256:" >> "DHE-RSA-AES256-SHA:" >> "DHE-RSA-AES128-SHA:" >> "EDH-RSA-DES-CBC3-SHA:" >> "DH-RSA-DES-CBC3-SHA"; >> > > Silly question time . Viktor asked if you'd set an ECDHE curve and you > responded saying yes and a list of ciphersuites which by themselves don't > set a curve. > > So just to double check: you did set a temporary curve parameters using > something like SSL_CTX_set_tmp_ecdh?
This is in the server's context setup code: SSL_CTX_set_tmp_dh_callback(ctx, DH_callback); SSL_CTX_set_tmp_ecdh_callback(ctx, ECDH_callback); And: EC_KEY* ECDH_callback(SSL *ssl, int is_export, int keylength) { return ECDH256(); } Finally: static EC_KEY* ECDH256() { EC_KEY* key = EC_KEY_new_by_curve_name(NistCurveToNidByBits(256)); unsigned long err = ERR_get_error(); ... return key; } NistCurveToNidByBits(256) returns NID_X9_62_prime256v1. I also tried returning NID_secp256k1 with the same result. I'm setting up Wireshark now on another machine to get the trace. Jeff ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org