Will OpenSSL support DTLS client authentication using ECDH certificate?

2010-10-10 Thread daniel.warren
Using 1.0.0a s_server and s_client I was able to get TLS server only authentication and client and server authentication using ECDH certificates to work.
Using 1.0.0a s_server and s_client I was not able to get DTLS to work.
I found a comment in the code that "For now, we do not support client authentication using ECDH certificates."
Will OpenSSL add support for DTLS client authentication using ECDH certificate?
Also does anyone know why my DTLS EC server authentication failed?

TLS EC Server Authentication
openssl s_server -accept 9001 -cert certs/secp256r1TestServer.pem -key private/secp256r1TestServer.key -CAfile ./ca-certs/secp256r1TestCA.pem -cipher ECDHE-ECDSA-AES256-SHA
openssl s_client -connect localhost:9001 -CAfile ./ca-certs/secp256r1TestCA.pem -cipher ECDHE-ECDSA-AES256-SHA
Shared ciphers:ECDHE-ECDSA-AES256-SHA
CIPHER is ECDHE-ECDSA-AES256-SHA

TLS EC Client and Server Authentication
openssl s_server -accept 9001 -cert certs/secp256r1TestServer.pem -key private/secp256r1TestServer.key -CAfile ./ca-certs/secp256r1TestCA.pem -cipher ECDHE-ECDSA-AES256-SHA
openssl s_client -connect localhost:9001 -cert certs/secp256r1TestClient.pem -key private/secp256r1TestClient.key -CAfile ./ca-certs/secp256r1TestCA.pem -cipher ECDHE-ECDSA-AES256-SHA
Shared ciphers:ECDHE-ECDSA-AES256-SHA
CIPHER is ECDHE-ECDSA-AES256-SHA

DTLS EC Server Authentication
openssl s_server -dtls1 -accept 9001 -cert certs/secp256r1TestServer.pem -key private/secp256r1TestServer.key -CAfile ./ca-certs/secp256r1TestCA.pem -cipher ECDHE-ECDSA-AES256-SHA
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
ERROR
5932:error:1408A044:SSL routines:SSL3_GET_CLIENT_HELLO:internal error:s3_srvr.c:725:
shutting down SSL
CONNECTION CLOSED

openssl s_client -dtls1 -connect localhost:9001 -CAfile ./ca-certs/secp256r1TestCA.pem -cipher ECDHE-ECDSA-AES256-SHA
CONNECTED(0003)
6092:error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert handshake failure:d1_pkt.c:963:SSL alert number 40
6092:error:1410C0E5:SSL routines:DTLS1_WRITE_APP_DATA_BYTES:ssl handshake failure:d1_pkt.c:1153:

Dan Warren
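The failing DTLS run above prints OpenSSL 1.0.x error-queue lines on both sides. The following is an added example, not part of the thread and not OpenSSL's own code: a small parser that splits such lines into library/function/reason fields, unpacks the packed hex error code, and decodes the "SSL alert number" the client reports (alert names taken from RFC 5246). The sample lines are constructed copies of the transcript above.

```python
import re

# Shape of an OpenSSL 1.0.x error-queue line as printed by s_server/s_client:
#   <pid>:error:<8 hex digits>:<library>:<function>:<reason>:<file>:<line>:[extra]
ERR_LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<extra>.*)$"
)

# TLS AlertDescription values (RFC 5246 section 7.2), the ones that matter for handshake debugging.
ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    46: "certificate_unknown", 48: "unknown_ca", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
}

ERR_LIB_SSL = 20  # library id that OpenSSL 1.0.x assigns to "SSL routines"


def parse_error_line(line):
    """Return a dict describing one error line, or None if it is not one."""
    m = ERR_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    code = int(d["code"], 16)
    # OpenSSL 1.0.x packs library (bits 24-31), function (bits 12-23) and reason (bits 0-11)
    # into the 32-bit code; the text fields on the line are the names of the same three ids.
    d.update(pid=int(d["pid"]), line=int(d["line"]),
             lib_id=code >> 24, func_id=(code >> 12) & 0xFFF, reason_id=code & 0xFFF)
    # SSL alert reasons are numbered 1000 + alert; the trailing text repeats the alert number.
    am = re.search(r"SSL alert number (\d+)", d["extra"])
    d["alert"] = None
    if am:
        n = int(am.group(1))
        d["alert"] = (n, ALERT_NAMES.get(n, "unknown"))
    return d


# Constructed sample: the server-side and client-side lines from the DTLS transcript above.
SAMPLE = [
    "5932:error:1408A044:SSL routines:SSL3_GET_CLIENT_HELLO:internal error:s3_srvr.c:725:",
    "6092:error:14102410:SSL routines:DTLS1_READ_BYTES:sslv3 alert handshake failure:d1_pkt.c:963:SSL alert number 40",
    "6092:error:1410C0E5:SSL routines:DTLS1_WRITE_APP_DATA_BYTES:ssl handshake failure:d1_pkt.c:1153:",
]


def summarize(lines):
    """One short line per parsed error: which pid, where in the source, which alert if any."""
    out = []
    for d in (parse_error_line(l) for l in lines):
        if d is None:
            continue
        alert = f", alert {d['alert'][0]} ({d['alert'][1]})" if d["alert"] else ""
        out.append(f"pid {d['pid']}: {d['func']} -> {d['reason']} at {d['file']}:{d['line']}{alert}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```

Reading the parsed output, the server fails first (internal error while processing the ClientHello) and the client only sees the resulting handshake_failure alert, so the server side is where to look.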




Re: Will OpenSSL support DTLS client authentication using ECDH certificate?

2010-10-10 Thread Justin Lai
On 10/8/10, daniel.war...@gdc4s.com daniel.war...@gdc4s.com wrote:




-- 
Sent from my mobile device
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org