[openssl-users] Diffie-Hellman Questions

Norm Green norm.green at gemtalksystems.com
Wed May 25 21:58:35 UTC 2016


Yes, it's only required on the server.

Norm Green

On 5/25/16 14:10, Jeremy Farrell wrote:
> Interesting; is this a server-side requirement? I ask because with 
> 1.0.2g my client using "AECDH+AES:ADH+AES" makes a TLS 1.2 connection 
> with AECDH-AES256-SHA without calling this function or similar.
>
> Regards,
>                        jjf
>
> On 25/05/2016 21:31, Norm Green wrote:
>> Yes!  That was the problem.  In order to use cipher "AECDH", 
>> SSL_CTX_set_ecdh_auto(ctx, 1) must be called first.
>>
>> Thanks Michael!!
>>
>> Norm
>>
>>
>> On 5/24/16 15:52, Michael Wojcik wrote:
>>>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On 
>>>> Behalf
>>>> Of Norm Green
>>>> Sent: Tuesday, May 24, 2016 13:40
>>>>
>>>> I've tried both:
>>>>
>>>> SSL_CTX_set_cipher_list("AECDH")
>>>>
>>>> and:
>>>>
>>>> SSL_CTX_set_cipher_list("AECDH-AES256-SHA")
>>>>
>>>> on both the client and server side, both of which result in the 
>>>> dreaded
>>>> "no shared cipher" error:
>>>>
>>>> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
>>>> cipher:s3_srvr.c:1417:
>>> You might run a wire trace to see what suites the client is actually 
>>> advertising.
>>>
>>> And you are using TLS, right?
>>>
>>> For AECDH* (or any ECC suite), don't you have to tell OpenSSL what 
>>> curve to use? I haven't implemented that bit myself in any 
>>> applications, but my understanding is that with OpenSSL 1.0.2 you 
>>> can just call SSL_CTX_set_ecdh_auto(ctx, 1). With 1.0.1 you have to 
>>> specify a particular named curve with SSL_CTX_set_tmp_ecdh.
>
> -- 
> J. J. Farrell
> Not speaking for Oracle
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160525/e659a570/attachment.html>


More information about the openssl-users mailing list