On Tue, Mar 4, 2014 at 11:46 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>
>> On Tue, Mar 4, 2014 at 11:19 AM, Dr. Stephen Henson <st...@openssl.org>
>> wrote:
>> > On Tue, Mar 04, 2014, Jeffrey Walton wrote:
>> >
>> >> On Tue, Mar 4, 2014 at 9:02 AM, Viktor Dukhovni
>> >> <openssl-us...@dukhovni.org> wrote:
>> >> > On Tue, Mar 04, 2014 at 06:35:13AM -0500, Jeffrey Walton wrote:
>> >> >
>> >> >> I've got a server that can't negotiate a cipher suite with a client
>> >> >> when using ECDSA certificates. When using ECDSA, the server reports
>> >> >> 0x1408a0c1 (no shared cipher).
>> >> >
>> >> > Did you configure an EECDH (aka ECDHE) curve? With OpenSSL 1.0.[01],
>> >> > the more common ECDSA cipher-suites use kEECDH key agreement.
>> >> Yes. The server's preferred cipher list is:
>> >>
>> >>     static const char PREFERRED_CIPHERS[] =
>> >>         "ECDHE-ECDSA-AES256-GCM-SHA384:"
>> >>         "ECDHE-ECDSA-AES128-GCM-SHA256:"
>> >>         "ECDHE-RSA-AES256-GCM-SHA384:"
>> >>         "ECDHE-RSA-AES128-GCM-SHA256:"
>> >>         "DHE-RSA-AES256-GCM-SHA384:"
>> >>         "DHE-RSA-AES128-GCM-SHA256:"
>> >>         "DHE-RSA-AES256-SHA:"
>> >>         "DHE-RSA-AES128-SHA:"
>> >>         "EDH-RSA-DES-CBC3-SHA:"
>> >>         "DH-RSA-DES-CBC3-SHA";
>> >>
>> >
>> > Silly question time. Viktor asked if you'd set an ECDHE curve and you
>> > responded saying yes and a list of ciphersuites which by themselves don't
>> > set a curve.
>> >
>> > So just to double check: you did set temporary curve parameters using
>> > something like SSL_CTX_set_tmp_ecdh?
>>
>> This is in the server's context setup code:
>>
>>     SSL_CTX_set_tmp_dh_callback(ctx, DH_callback);
>>     SSL_CTX_set_tmp_ecdh_callback(ctx, ECDH_callback);
>>
>> And:
>>
>> ...
>
> Can you check to see if ECDH_callback is being called at all? I suspect it
> isn't.

There's actually a debug logging line in ECDH_callback. It's not being called
when using the ECDSA cert. (And it is being called when the RSA cert is used.)

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
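The check a reader would want at this point, as an added example that is not code from the thread or from OpenSSL: a small POSIX shell probe that offers the poster's cipher list to the server one suite at a time with `openssl s_client` and reports what each handshake settles on. A server that answers NONE for every ECDHE-ECDSA suite while negotiating the ECDHE-RSA ones is showing, from the client side, the "no shared cipher" the server logs. It assumes an `openssl` binary with `s_client` on PATH; HOST and PORT are placeholders supplied by the caller, and the two `s_client` excerpts used for the offline self-check are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL.
# Probes a TLS server with each suite of the poster's list on its own, so you
# can see whether the ECDHE-ECDSA suites are negotiable at all (the client-side
# view of the server's "no shared cipher"). Assumes an `openssl` binary with
# s_client on PATH; HOST and PORT are placeholders supplied by the caller.

# The server's preferred list, exactly as posted in the thread.
SUITES="ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA
EDH-RSA-DES-CBC3-SHA DH-RSA-DES-CBC3-SHA"

# negotiated_cipher: read s_client output on stdin, print the suite the
# handshake settled on and return 0; print NONE and return 1 when the
# handshake failed (s_client then reports "Cipher is (NONE)").
negotiated_cipher() {
    cipher=$(sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$cipher" in
        ""|"(NONE)") echo NONE; return 1 ;;
        *)           echo "$cipher"; return 0 ;;
    esac
}

# probe_suites HOST PORT: one handshake per suite, one result line per suite.
probe_suites() {
    host=$1; port=$2
    for s in $SUITES; do
        result=$(openssl s_client -connect "$host:$port" -cipher "$s" \
                 </dev/null 2>/dev/null | negotiated_cipher)
        printf '%-32s %s\n' "$s" "$result"
    done
}

# Constructed s_client excerpts (not captured from a real server), used to
# self-check the parser without touching the network.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit'
SAMPLE_FAIL='CONNECTED(00000003)
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# self_check: returns 0 only if both constructed samples parse as expected.
self_check() {
    ok=$(printf '%s\n' "$SAMPLE_OK" | negotiated_cipher) || return 1
    [ "$ok" = "ECDHE-ECDSA-AES256-GCM-SHA384" ] || return 1
    fail=$(printf '%s\n' "$SAMPLE_FAIL" | negotiated_cipher) && return 1
    [ "$fail" = "NONE" ]
}

# Usage: sh probe.sh HOST PORT
if [ $# -eq 2 ]; then
    probe_suites "$1" "$2"
fi
```

On OpenSSL 1.1.1 and later, `-cipher` only restricts the TLS 1.2-and-below list, so add `-tls1_2` to the `s_client` line there; otherwise a TLS 1.3 handshake can succeed and mask the result. With an EC certificate loaded, NONE for all four ECDHE-ECDSA suites alongside a negotiated ECDHE-RSA suite is consistent with the suspicion raised in the thread: the ephemeral ECDH parameters were never set for that certificate.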