On Fri, Nov 14, 2014, Fredrik Jansson wrote:

> Hi!
> 
> Thanks!
> 
> I am using 1.0.2b3 on both server and client, and I have the call to
> SSL_CTX_set_ecdh_auto, but still no luck.
> 
> The exact code is as follows:
> 
> void initialize(TLSSettings const& settings) {
>     ctx_ = SSL_CTX_new(TLSv1_2_server_method());
>     if (!ctx_) {
>         throw std::runtime_error(OpenSSLSup::currentError());
>     }
> 
>     static const unsigned char context[] = "WVPN-TLS";
> 
>     if (!SSL_CTX_set_session_id_context(ctx_, context, sizeof(context))) {
>         debug.LogE(Debug::System, "Failed to set session ID context, session resume will fail");
>     }
> 
>     auto serverCert = OpenSSLSup::loadPKCS12(settings.certificate(), settings.certPassword());
> 
>     debug.Log(Debug::System, "Server certificate '%s' (%s)",
>             OpenSSLSup::commonName(serverCert.cert.get()).c_str(),
>             settings.certificate().c_str());
> 
>     SSL_CTX_set_info_callback(ctx_, ssl_info_cb);
> 
>     if (!SSL_CTX_use_certificate(ctx_, serverCert.cert.get())) {
>         debug.LogE(Debug::System, "Failed to set server certificate: %s",
>                 OpenSSLSup::currentError().c_str());
>         throw std::runtime_error("Failed to create context");
>     }
> 
>     if (!SSL_CTX_use_PrivateKey(ctx_, serverCert.privateKey.get())) {
>         debug.LogE(Debug::System, "Failed to set server private key: %s",
>                 OpenSSLSup::currentError().c_str());
>         throw std::runtime_error("Failed to create context");
>     }
> 
>     auto vfy = SSL_VERIFY_CLIENT_ONCE | SSL_VERIFY_PEER;
>     if (settings.requireClientCert()) {
>         vfy |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
>     }
> 
>     SSL_CTX_set_verify(ctx_, vfy, nullptr);
>     SSL_CTX_set_ecdh_auto(ctx_, 1);
> 
>     std::string ciphers;
> 
>     ciphers = "SUITEB128";
> 
>     if (!ciphers.empty()) {
>         if (SSL_CTX_set_cipher_list(ctx_, ciphers.c_str())) {
>             debug.Log(Debug::System, "Successfully set ciphers %s", ciphers.c_str());
>         }
>         else {
>             debug.LogE(Debug::System, "Failed to set ciphers %s, %s",
>                     ciphers.c_str(),
>                     OpenSSLSup::currentError().c_str());
>             throw std::runtime_error("Failed to create context");
>         }
>     }
> 
>     SSL_CTX_set_options(ctx_, SSL_OP_NO_TICKET);
>     SSL_CTX_set_session_cache_mode(ctx_, SSL_SESS_CACHE_BOTH);
>     SSL_CTX_sess_set_remove_cb(ctx_, ssl_remove_session_cb);
>     CertStore::setStoreInCTX(ctx_);
> }
> 
> 
> Warm regards,
> Fredrik
> 

What algorithms are used by the server certificate and chain? They all have to
be ECDSA and P-384 and P-256. Signing a certificate which carries a P-384 key
with a P-256 key is also illegal.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

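The certificate requirement Steve describes can be checked before touching the server code. The script below is an added example, not code from this thread or from OpenSSL: it approximates the rules OpenSSL applies to a chain under a SUITEB128 cipher list (ECDSA keys on P-256 or P-384 only, ecdsa-with-SHA256 for P-256 signers and ecdsa-with-SHA384 for P-384 signers, and no P-256 key signing a P-384 key) using only the openssl command line. It assumes `openssl` is on PATH and that the chain is a PEM bundle ordered leaf first, self-signed root last.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSL: approximate the
# Suite B chain rules that OpenSSL enforces (X509_chain_check_suiteb) using
# only the openssl CLI. Assumes `openssl` is on PATH and the chain file is a
# PEM bundle ordered leaf first, self-signed root last.

# Security level of a Suite B curve (as named by openssl x509 -text); 0 = not allowed.
curve_los() {
    case "$1" in
        prime256v1) echo 128 ;; secp384r1) echo 192 ;; *) echo 0 ;;
    esac
}

# Security level implied by the signature algorithm; 0 = not a Suite B signature.
sig_los() {
    case "$1" in
        ecdsa-with-SHA256) echo 128 ;; ecdsa-with-SHA384) echo 192 ;; *) echo 0 ;;
    esac
}

# Named curve of the public key in a PEM certificate (empty for non-EC keys).
key_curve() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*ASN1 OID: *//p' | head -n 1
}

# check_suiteb_chain CHAIN.pem: exit status 0 if every certificate passes, 1 otherwise.
check_suiteb_chain() {
    tmp=$(mktemp -d) || return 1
    # Split the bundle into $tmp/cert.0 (leaf) ... cert.N-1 (root).
    awk -v d="$tmp" '/-----BEGIN CERT/ { f = d "/cert." n++ } f { print > f }' "$1"
    n=$(ls "$tmp" | wc -l); n=$((n + 0)); i=0; rc=0; [ "$n" -gt 0 ] || rc=1
    while [ "$i" -lt "$n" ] && [ "$rc" -eq 0 ]; do
        j=$((i + 1)); [ "$j" -lt "$n" ] || j=$i        # issuer index; the root signs itself
        key=$(curve_los "$(key_curve "$tmp/cert.$i")")
        issuer=$(curve_los "$(key_curve "$tmp/cert.$j")")
        sig=$(openssl x509 -in "$tmp/cert.$i" -noout -text |
              sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
        if [ "$key" -eq 0 ]; then
            echo "cert $i: key is not P-256 or P-384" >&2; rc=1
        elif [ "$issuer" -lt "$key" ]; then
            # Once a P-384 key appears, a weaker (or non-EC) key may not sign above it.
            echo "cert $i: issuer key is weaker than the subject key or not Suite B" >&2; rc=1
        elif [ "$(sig_los "$sig")" -ne "$issuer" ]; then
            # A P-256 signer must use ecdsa-with-SHA256, a P-384 signer ecdsa-with-SHA384.
            echo "cert $i: signature '$sig' does not match the issuer key" >&2; rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"; return "$rc"
}
```

Run `check_suiteb_chain chain.pem` against the bundle the server presents; a P-384 leaf signed by a P-256 CA, or a P-256 signer using ecdsa-with-SHA384, is reported on stderr with a non-zero exit status.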