Now it works, recreating the client cert with extensions as below made it work.
openssl x509 -noout -text -in frja-cert.pem
Fredrik
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 4 (0x4)
Signature Algorithm: ecdsa-with-SHA256
Issuer: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
Validity
Not Before: Nov 17 14:11:55 2014 GMT
Not After : Nov 16 14:11:55 2019 GMT
Subject: C=SE, ST=Stockholm, O=AB, CN=fredrik.jans...@foo.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:08:64:d1:f6:4e:65:11:6e:81:6e:f6:ab:3b:80:
bd:75:74:fc:5b:d5:31:3a:3a:33:32:f9:67:7f:1b:
05:55:fc:3b:bf:27:00:20:b7:1c:59:46:33:2a:b1:
20:52:68:2a:f6:40:66:16:5d:e1:e3:f1:cf:d3:e5:
31:c5:e5:1f:d3
ASN1 OID: prime256v1
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:79:22:2D:48:2F:87:81:39:C3:15:AE:F2:6F:EA:DE:11:35:CD:A3:E4
X509v3 Basic Constraints:
CA:FALSE
Signature Algorithm: ecdsa-with-SHA256
30:64:02:30:7f:4d:07:9e:9b:91:f6:4c:37:78:19:1b:4a:63:
eb:a9:80:b0:8c:ab:44:3d:14:4b:44:1d:57:37:9a:6c:b7:db:
cb:85:91:ae:23:46:d4:c5:1e:57:08:71:29:e9:6c:41:02:30:
79:d0:80:0a:86:cf:3f:18:cf:66:c6:84:07:73:cd:17:6b:15:
5d:25:45:59:86:22:f6:de:06:db:0c:60:8e:30:32:45:d6:c6:
01:16:a3:94:9d:cb:4e:fd:a6:6b:a1:73
On Mon, Nov 17, 2014 at 3:06 PM, Fredrik Jansson
<fredrik.jansson...@gmail.com> wrote:
> I actually got a bit further with a secp256r1 server certificate, I
> also changed the server certificate version from 1 to 3.
>
> Now I get:
>
> Info 2014-Nov-17 15:03:18.625733 All.TLSVerbose ssl_info_cb:
> write:fatal:certificate unknown
> Info 2014-Nov-17 15:03:18.625759 All.TLSVerbose ssl_info_cb:
> SSL_accept: error in SSLv3 read client certificate B (8577)
> Info 2014-Nov-17 15:03:18.625763 All.TLS Accept failed with
> verification error: Suite B: invalid signature algorithm
> Error 2014-Nov-17 15:03:18.625777 All.TLS Accept failed with
> error:14089086:SSL routines:ssl3_get_client_certificate:certificate
> verify failed
>
> The signature of the client cert is ecdsa-with-SHA256 and the curve
> for its key is prime256v1.
>
> All the best,
> Fredrik
>
> openssl x509 -noout -text -in frja-cert.pem
>
> Certificate:
>
> Data:
>
> Version: 3 (0x2)
>
> Serial Number: 3 (0x3)
>
> Signature Algorithm: ecdsa-with-SHA256
>
> Issuer: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
>
> Validity
>
> Not Before: Nov 17 13:59:13 2014 GMT
>
> Not After : Nov 16 13:59:13 2019 GMT
>
> Subject: C=SE, ST=Stockholm, O=AB, CN=fredrik.jans...@foo.com
>
> Subject Public Key Info:
>
> Public Key Algorithm: id-ecPublicKey
>
> Public-Key: (256 bit)
>
> pub:
>
> 04:08:64:d1:f6:4e:65:11:6e:81:6e:f6:ab:3b:80:
>
> bd:75:74:fc:5b:d5:31:3a:3a:33:32:f9:67:7f:1b:
>
> 05:55:fc:3b:bf:27:00:20:b7:1c:59:46:33:2a:b1:
>
> 20:52:68:2a:f6:40:66:16:5d:e1:e3:f1:cf:d3:e5:
>
> 31:c5:e5:1f:d3
>
> ASN1 OID: prime256v1
>
> Signature Algorithm: ecdsa-with-SHA256
>
> 30:65:02:31:00:e1:0a:7f:e9:e0:02:e2:28:1b:01:8b:ae:62:
>
> f8:e3:07:46:a9:66:0a:08:c8:e9:9c:00:87:e1:48:66:ce:5d:
>
> c1:bc:62:a0:63:00:14:8b:51:13:e7:f6:1d:25:d1:78:47:02:
>
> 30:68:90:11:17:f1:a2:42:dc:f4:48:44:90:a6:de:62:f7:f6:
>
> f5:a4:4d:e8:8d:d0:54:d8:6f:65:1b:b5:7e:4e:80:7b:f2:70:
>
> b5:53:a8:17:f2:fa:e7:bf:62:05:0e:b5:cd
>
>
>
> On Mon, Nov 17, 2014 at 1:19 PM, Fredrik Jansson
> <fredrik.jansson...@gmail.com> wrote:
>> More tests as you suggested:
>>
>> openssl s_client -tls1_2 -connect XXX:9103
>> openssl s_server -state -tls1_2 -cipher SUITEB128 -accept 9103
>>
>> Using default temp DH parameters
>> ACCEPT
>> SSL_accept:before/accept initialization
>> SSL3 alert write:fatal:handshake failure
>> SSL_accept:error in SSLv3 read client hello C
>> ERROR
>> 139990990374592:error:1408A0C1:SSL routines:ssl3_get_client_hello:no
>> shared cipher:s3_srvr.c:1398:
>> shutting down SSL
>> CONNECTION CLOSED
>>
>> Warm regards,
>> Fredrik
>>
>> On Mon, Nov 17, 2014 at 1:09 PM, Fredrik Jansson
>> <fredrik.jansson...@gmail.com> wrote:
>>> Hi!
>>>
>>> I have tried with s_client, and I get the same error.
>>>
>>> Is there any kind of logging callback I can add to my server code that
>>> might shed some light on this (I have set SSL_CTX_set_info_callback)?
>>>
>>> Fredrik
>>>
>>> On Mon, Nov 17, 2014 at 1:01 PM, Dr. Stephen Henson <st...@openssl.org>
>>> wrote:
>>>> On Mon, Nov 17, 2014, Fredrik Jansson wrote:
>>>>
>>>>> Some more info,
>>>>>
>>>>> SSL_get_ciphers on the server and client:
>>>>> Info 2014-Nov-17 10:48:26.961112 All.TLSVerbose
>>>>> ECDHE-ECDSA-AES128-GCM-SHA256
>>>>> Info 2014-Nov-17 10:48:26.961114 All.TLSVerbose
>>>>> ECDHE-ECDSA-AES256-GCM-SHA384
>>>>>
>>>>> When I do the same on the client, both of the ciphers above are listed
>>>>> (among with several others).
>>>>>
>>>>
>>>> I'd suggest you try suite B with s_server/s_client and see if you still
>>>> get an
>>>> error.
>>>>
>>>> Steve.
>>>> --
>>>> Dr Stephen N. Henson. OpenSSL project core developer.
>>>> Commercial tech support now available see: http://www.openssl.org
>>>> ______________________________________________________________________
>>>> OpenSSL Project http://www.openssl.org
>>>> User Support Mailing List openssl-users@openssl.org
>>>> Automated List Manager majord...@openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
