I actually got a bit further with a secp256r1 server certificate, I
also changed the server certificate version from 1 to 3.
Now I get:
Info 2014-Nov-17 15:03:18.625733 All.TLSVerbose ssl_info_cb:
write:fatal:certificate unknown
Info 2014-Nov-17 15:03:18.625759 All.TLSVerbose ssl_info_cb:
SSL_accept: error in SSLv3 read client certificate B (8577)
Info 2014-Nov-17 15:03:18.625763 All.TLS Accept failed with
verification error: Suite B: invalid signature algorithm
Error 2014-Nov-17 15:03:18.625777 All.TLS Accept failed with
error:14089086:SSL routines:ssl3_get_client_certificate:certificate
verify failed
The signature of the client cert is ecdsa-with-SHA256 and the curve
for its key is prime256v1.
All the best,
Fredrik
openssl x509 -noout -text -in frja-cert.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 3 (0x3)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
Validity
Not Before: Nov 17 13:59:13 2014 GMT
Not After : Nov 16 13:59:13 2019 GMT
Subject: C=SE, ST=Stockholm, O=AB, CN=fredrik.jans...@foo.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:08:64:d1:f6:4e:65:11:6e:81:6e:f6:ab:3b:80:
bd:75:74:fc:5b:d5:31:3a:3a:33:32:f9:67:7f:1b:
05:55:fc:3b:bf:27:00:20:b7:1c:59:46:33:2a:b1:
20:52:68:2a:f6:40:66:16:5d:e1:e3:f1:cf:d3:e5:
31:c5:e5:1f:d3
ASN1 OID: prime256v1
Signature Algorithm: ecdsa-with-SHA256
30:65:02:31:00:e1:0a:7f:e9:e0:02:e2:28:1b:01:8b:ae:62:
f8:e3:07:46:a9:66:0a:08:c8:e9:9c:00:87:e1:48:66:ce:5d:
c1:bc:62:a0:63:00:14:8b:51:13:e7:f6:1d:25:d1:78:47:02:
30:68:90:11:17:f1:a2:42:dc:f4:48:44:90:a6:de:62:f7:f6:
f5:a4:4d:e8:8d:d0:54:d8:6f:65:1b:b5:7e:4e:80:7b:f2:70:
b5:53:a8:17:f2:fa:e7:bf:62:05:0e:b5:cd
On Mon, Nov 17, 2014 at 1:19 PM, Fredrik Jansson
<fredrik.jansson...@gmail.com> wrote:
> More tests as you suggested:
>
> openssl s_client -tls1_2 -connect XXX:9103
> openssl s_server -state -tls1_2 -cipher SUITEB128 -accept 9103
>
> Using default temp DH parameters
> ACCEPT
> SSL_accept:before/accept initialization
> SSL3 alert write:fatal:handshake failure
> SSL_accept:error in SSLv3 read client hello C
> ERROR
> 139990990374592:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
> shared cipher:s3_srvr.c:1398:
> shutting down SSL
> CONNECTION CLOSED
>
> Warm regards,
> Fredrik
>
> On Mon, Nov 17, 2014 at 1:09 PM, Fredrik Jansson
> <fredrik.jansson...@gmail.com> wrote:
>> Hi!
>>
>> I have tried with s_client, and I get the same error.
>>
>> Is there any kind of logging callback I can add to my server code that
>> might shed some light on this (I have set SSL_CTX_set_info_callback)?
>>
>> Fredrik
>>
>> On Mon, Nov 17, 2014 at 1:01 PM, Dr. Stephen Henson <st...@openssl.org>
>> wrote:
>>> On Mon, Nov 17, 2014, Fredrik Jansson wrote:
>>>
>>>> Some more info,
>>>>
>>>> SSL_get_ciphers on the server and client:
>>>> Info 2014-Nov-17 10:48:26.961112 All.TLSVerbose
>>>> ECDHE-ECDSA-AES128-GCM-SHA256
>>>> Info 2014-Nov-17 10:48:26.961114 All.TLSVerbose
>>>> ECDHE-ECDSA-AES256-GCM-SHA384
>>>>
>>>> When I do the same on the client, both of the ciphers above are listed
>>>> (among with several others).
>>>>
>>>
>>> I'd suggest you try suite B with s_server/s_client and see if you still get
>>> an
>>> error.
>>>
>>> Steve.
>>> --
>>> Dr Stephen N. Henson. OpenSSL project core developer.
>>> Commercial tech support now available see: http://www.openssl.org
>>> ______________________________________________________________________
>>> OpenSSL Project http://www.openssl.org
>>> User Support Mailing List openssl-users@openssl.org
>>> Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
