Now it works, recreating the client cert with extensions as below made it work.
openssl x509 -noout -text -in frja-cert.pem Fredrik Certificate: Data: Version: 3 (0x2) Serial Number: 4 (0x4) Signature Algorithm: ecdsa-with-SHA256 Issuer: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA Validity Not Before: Nov 17 14:11:55 2014 GMT Not After : Nov 16 14:11:55 2019 GMT Subject: C=SE, ST=Stockholm, O=AB, CN=fredrik.jans...@foo.com Subject Public Key Info: Public Key Algorithm: id-ecPublicKey Public-Key: (256 bit) pub: 04:08:64:d1:f6:4e:65:11:6e:81:6e:f6:ab:3b:80: bd:75:74:fc:5b:d5:31:3a:3a:33:32:f9:67:7f:1b: 05:55:fc:3b:bf:27:00:20:b7:1c:59:46:33:2a:b1: 20:52:68:2a:f6:40:66:16:5d:e1:e3:f1:cf:d3:e5: 31:c5:e5:1f:d3 ASN1 OID: prime256v1 X509v3 extensions: X509v3 Authority Key Identifier: keyid:79:22:2D:48:2F:87:81:39:C3:15:AE:F2:6F:EA:DE:11:35:CD:A3:E4 X509v3 Basic Constraints: CA:FALSE Signature Algorithm: ecdsa-with-SHA256 30:64:02:30:7f:4d:07:9e:9b:91:f6:4c:37:78:19:1b:4a:63: eb:a9:80:b0:8c:ab:44:3d:14:4b:44:1d:57:37:9a:6c:b7:db: cb:85:91:ae:23:46:d4:c5:1e:57:08:71:29:e9:6c:41:02:30: 79:d0:80:0a:86:cf:3f:18:cf:66:c6:84:07:73:cd:17:6b:15: 5d:25:45:59:86:22:f6:de:06:db:0c:60:8e:30:32:45:d6:c6: 01:16:a3:94:9d:cb:4e:fd:a6:6b:a1:73 On Mon, Nov 17, 2014 at 3:06 PM, Fredrik Jansson <fredrik.jansson...@gmail.com> wrote: > I actually got a bit further with a secp256r1 server certificate, I > also changed the server certificate version from 1 to 3. > > Now I get: > > Info 2014-Nov-17 15:03:18.625733 All.TLSVerbose ssl_info_cb: > write:fatal:certificate unknown > Info 2014-Nov-17 15:03:18.625759 All.TLSVerbose ssl_info_cb: > SSL_accept: error in SSLv3 read client certificate B (8577) > Info 2014-Nov-17 15:03:18.625763 All.TLS Accept failed with > verification error: Suite B: invalid signature algorithm > Error 2014-Nov-17 15:03:18.625777 All.TLS Accept failed with > error:14089086:SSL routines:ssl3_get_client_certificate:certificate > verify failed > > The signature of the client cert is ecdsa-with-SHA256 and the curve > for its key is prime256v1. > > All the best, > Fredrik > > openssl x509 -noout -text -in frja-cert.pem > > Certificate: > > Data: > > Version: 3 (0x2) > > Serial Number: 3 (0x3) > > Signature Algorithm: ecdsa-with-SHA256 > > Issuer: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA > > Validity > > Not Before: Nov 17 13:59:13 2014 GMT > > Not After : Nov 16 13:59:13 2019 GMT > > Subject: C=SE, ST=Stockholm, O=AB, CN=fredrik.jans...@foo.com > > Subject Public Key Info: > > Public Key Algorithm: id-ecPublicKey > > Public-Key: (256 bit) > > pub: > > 04:08:64:d1:f6:4e:65:11:6e:81:6e:f6:ab:3b:80: > > bd:75:74:fc:5b:d5:31:3a:3a:33:32:f9:67:7f:1b: > > 05:55:fc:3b:bf:27:00:20:b7:1c:59:46:33:2a:b1: > > 20:52:68:2a:f6:40:66:16:5d:e1:e3:f1:cf:d3:e5: > > 31:c5:e5:1f:d3 > > ASN1 OID: prime256v1 > > Signature Algorithm: ecdsa-with-SHA256 > > 30:65:02:31:00:e1:0a:7f:e9:e0:02:e2:28:1b:01:8b:ae:62: > > f8:e3:07:46:a9:66:0a:08:c8:e9:9c:00:87:e1:48:66:ce:5d: > > c1:bc:62:a0:63:00:14:8b:51:13:e7:f6:1d:25:d1:78:47:02: > > 30:68:90:11:17:f1:a2:42:dc:f4:48:44:90:a6:de:62:f7:f6: > > f5:a4:4d:e8:8d:d0:54:d8:6f:65:1b:b5:7e:4e:80:7b:f2:70: > > b5:53:a8:17:f2:fa:e7:bf:62:05:0e:b5:cd > > > > On Mon, Nov 17, 2014 at 1:19 PM, Fredrik Jansson > <fredrik.jansson...@gmail.com> wrote: >> More tests as you suggested: >> >> openssl s_client -tls1_2 -connect XXX:9103 >> openssl s_server -state -tls1_2 -cipher SUITEB128 -accept 9103 >> >> Using default temp DH parameters >> ACCEPT >> SSL_accept:before/accept initialization >> SSL3 alert write:fatal:handshake failure >> SSL_accept:error in SSLv3 read client hello C >> ERROR >> 139990990374592:error:1408A0C1:SSL routines:ssl3_get_client_hello:no >> shared cipher:s3_srvr.c:1398: >> shutting down SSL >> CONNECTION CLOSED >> >> Warm regards, >> Fredrik >> >> On Mon, Nov 17, 2014 at 1:09 PM, Fredrik Jansson >> <fredrik.jansson...@gmail.com> wrote: >>> Hi! >>> >>> I have tried with s_client, and I get the same error. >>> >>> Is there any kind of logging callback I can add to my server code that >>> might shed some light on this (I have set SSL_CTX_set_info_callback)? >>> >>> Fredrik >>> >>> On Mon, Nov 17, 2014 at 1:01 PM, Dr. Stephen Henson <st...@openssl.org> >>> wrote: >>>> On Mon, Nov 17, 2014, Fredrik Jansson wrote: >>>> >>>>> Some more info, >>>>> >>>>> SSL_get_ciphers on the server and client: >>>>> Info 2014-Nov-17 10:48:26.961112 All.TLSVerbose >>>>> ECDHE-ECDSA-AES128-GCM-SHA256 >>>>> Info 2014-Nov-17 10:48:26.961114 All.TLSVerbose >>>>> ECDHE-ECDSA-AES256-GCM-SHA384 >>>>> >>>>> When I do the same on the client, both of the ciphers above are listed >>>>> (among with several others). >>>>> >>>> >>>> I'd suggest you try suite B with s_server/s_client and see if you still >>>> get an >>>> error. >>>> >>>> Steve. >>>> -- >>>> Dr Stephen N. Henson. OpenSSL project core developer. >>>> Commercial tech support now available see: http://www.openssl.org >>>> ______________________________________________________________________ >>>> OpenSSL Project http://www.openssl.org >>>> User Support Mailing List openssl-users@openssl.org >>>> Automated List Manager majord...@openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org