I actually got a bit further with a secp256r1 server certificate; I also changed the server certificate version from 1 to 3.
Now I get:

Info 2014-Nov-17 15:03:18.625733 All.TLSVerbose ssl_info_cb: write:fatal:certificate unknown
Info 2014-Nov-17 15:03:18.625759 All.TLSVerbose ssl_info_cb: SSL_accept: error in SSLv3 read client certificate B (8577)
Info 2014-Nov-17 15:03:18.625763 All.TLS Accept failed with verification error: Suite B: invalid signature algorithm
Error 2014-Nov-17 15:03:18.625777 All.TLS Accept failed with error:14089086:SSL routines:ssl3_get_client_certificate:certificate verify failed

The signature of the client cert is ecdsa-with-SHA256 and the curve for its key is prime256v1.

All the best,
Fredrik

openssl x509 -noout -text -in frja-cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
        Validity
            Not Before: Nov 17 13:59:13 2014 GMT
            Not After : Nov 16 13:59:13 2019 GMT
        Subject: C=SE, ST=Stockholm, O=AB, CN=fredrik.jans...@foo.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:08:64:d1:f6:4e:65:11:6e:81:6e:f6:ab:3b:80:
                    bd:75:74:fc:5b:d5:31:3a:3a:33:32:f9:67:7f:1b:
                    05:55:fc:3b:bf:27:00:20:b7:1c:59:46:33:2a:b1:
                    20:52:68:2a:f6:40:66:16:5d:e1:e3:f1:cf:d3:e5:
                    31:c5:e5:1f:d3
                ASN1 OID: prime256v1
    Signature Algorithm: ecdsa-with-SHA256
         30:65:02:31:00:e1:0a:7f:e9:e0:02:e2:28:1b:01:8b:ae:62:
         f8:e3:07:46:a9:66:0a:08:c8:e9:9c:00:87:e1:48:66:ce:5d:
         c1:bc:62:a0:63:00:14:8b:51:13:e7:f6:1d:25:d1:78:47:02:
         30:68:90:11:17:f1:a2:42:dc:f4:48:44:90:a6:de:62:f7:f6:
         f5:a4:4d:e8:8d:d0:54:d8:6f:65:1b:b5:7e:4e:80:7b:f2:70:
         b5:53:a8:17:f2:fa:e7:bf:62:05:0e:b5:cd

On Mon, Nov 17, 2014 at 1:19 PM, Fredrik Jansson <fredrik.jansson...@gmail.com> wrote:
> More tests as you suggested:
>
> openssl s_client -tls1_2 -connect XXX:9103
> openssl s_server -state -tls1_2 -cipher SUITEB128 -accept 9103
>
> Using default temp DH parameters
> ACCEPT
> SSL_accept:before/accept initialization
> SSL3 alert write:fatal:handshake failure
> SSL_accept:error in SSLv3 read client hello C
> ERROR
> 139990990374592:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1398:
> shutting down SSL
> CONNECTION CLOSED
>
> Warm regards,
> Fredrik
>
> On Mon, Nov 17, 2014 at 1:09 PM, Fredrik Jansson
> <fredrik.jansson...@gmail.com> wrote:
>> Hi!
>>
>> I have tried with s_client, and I get the same error.
>>
>> Is there any kind of logging callback I can add to my server code that
>> might shed some light on this (I have set SSL_CTX_set_info_callback)?
>>
>> Fredrik
>>
>> On Mon, Nov 17, 2014 at 1:01 PM, Dr. Stephen Henson <st...@openssl.org>
>> wrote:
>>> On Mon, Nov 17, 2014, Fredrik Jansson wrote:
>>>
>>>> Some more info,
>>>>
>>>> SSL_get_ciphers on the server and client:
>>>> Info 2014-Nov-17 10:48:26.961112 All.TLSVerbose ECDHE-ECDSA-AES128-GCM-SHA256
>>>> Info 2014-Nov-17 10:48:26.961114 All.TLSVerbose ECDHE-ECDSA-AES256-GCM-SHA384
>>>>
>>>> When I do the same on the client, both of the ciphers above are listed
>>>> (along with several others).
>>>>
>>>
>>> I'd suggest you try suite B with s_server/s_client and see if you still get an
>>> error.
>>>
>>> Steve.
>>> --
>>> Dr Stephen N. Henson. OpenSSL project core developer.
>>> Commercial tech support now available see: http://www.openssl.org
>>> ______________________________________________________________________
>>> OpenSSL Project                                 http://www.openssl.org
>>> User Support Mailing List                    openssl-users@openssl.org
>>> Automated List Manager                           majord...@openssl.org
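
Added example (not part of the thread and not OpenSSL code): a certificate's signature is made with the issuer's key, and Suite B (RFC 5759) pairs P-256 with SHA-256 and P-384 with SHA-384, so the size of r and s inside a signature blob like the one in the dump above can be compared with the hash named in "Signature Algorithm". The function names and sample signatures are constructed for illustration; measuring r and s is a heuristic, and the curve in the issuer certificate itself is the authoritative value.

```python
# Added example; function names and sample signatures are constructed.
# Suite B pairing (RFC 5759): signer field size in bytes -> required hash.
SUITE_B = {32: "sha256", 48: "sha384"}

def _read_tlv(buf, pos, tag):
    """Read one DER TLV with the expected tag; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + length], pos + length

def signer_field_bytes(der_sig):
    """Infer the signing key's field size from an ECDSA-Sig-Value (SEQUENCE {r, s})."""
    body, end = _read_tlv(der_sig, 0, 0x30)
    r, pos = _read_tlv(body, 0, 0x02)
    s, pos = _read_tlv(body, pos, 0x02)
    if end != len(der_sig) or pos != len(body):
        raise ValueError("trailing bytes in signature")
    # DER adds a 0x00 pad when the top bit is set; strip it before measuring.
    longest = max(len(r.lstrip(b"\x00")), len(s.lstrip(b"\x00")))
    for size in sorted(SUITE_B):
        if longest <= size:
            return size
    raise ValueError("r/s too long for a Suite B curve")

def suite_b_signature_ok(der_sig, hash_name):
    """True if the hash matches the curve size Suite B requires for this signer."""
    return SUITE_B[signer_field_bytes(der_sig)] == hash_name

# Constructed samples. SIG_P384 has the header shape 30 65 02 31 00 ... 02 30 ...
SIG_P384 = bytes([0x30, 0x65, 0x02, 0x31, 0x00, 0xE1]) + b"\x11" * 47 \
    + bytes([0x02, 0x30, 0x68]) + b"\x22" * 47
SIG_P256 = bytes([0x30, 0x44, 0x02, 0x20]) + b"\x11" * 32 \
    + bytes([0x02, 0x20]) + b"\x22" * 32

if __name__ == "__main__":
    for name, sig in (("P-384-sized", SIG_P384), ("P-256-sized", SIG_P256)):
        for h in ("sha256", "sha384"):
            print(name, h, "ok" if suite_b_signature_ok(sig, h) else "rejected")
```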