<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Yes, it's only required on the server.<br>
<br>
Norm Green<br>
<br>
<div class="moz-cite-prefix">On 5/25/16 14:10, Jeremy Farrell wrote:<br>
</div>
<blockquote
cite="mid:a1236d6b-7fdc-8cf0-b1ce-7e7daf6d5fa1@oracle.com"
type="cite">
<font face="Calibri">Interesting; is this a server-side
requirement? I ask because with 1.0.2g my client using
"AECDH+AES:ADH+AES" makes a TLS 1.2 connection with
AECDH-AES256-SHA without calling this function or similar.<br>
<br>
Regards,<br>
jjf<br>
</font><br>
<div class="moz-cite-prefix">On 25/05/2016 21:31, Norm Green
wrote:<br>
</div>
<blockquote
cite="mid:aeb1c279-baa1-dfe3-8437-fbe7bab447bd@gemtalksystems.com"
type="cite">Yes! That was the problem. In order to use cipher
"AECDH", SSL_CTX_set_ecdh_auto(ctx, 1) must be called first. <br>
<br>
Thanks Michael!! <br>
<br>
Norm <br>
<br>
<br>
On 5/24/16 15:52, Michael Wojcik wrote: <br>
<blockquote type="cite">
<blockquote type="cite">From: openssl-users [<a class="moz-txt-link-freetext"
href="mailto:openssl-users-bounces@openssl.org">mailto:openssl-users-bounces@openssl.org</a>]
On Behalf <br>
Of Norm Green <br>
Sent: Tuesday, May 24, 2016 13:40 <br>
<br>
I've tried both: <br>
<br>
SSL_CTX_set_cipher_list("AECDH") <br>
<br>
and: <br>
<br>
SSL_CTX_set_cipher_list("AECDH-AES256-SHA") <br>
<br>
on both the client and server side, both of which result in
the dreaded <br>
"no shared cipher" error: <br>
<br>
error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417: <br>
</blockquote>
You might run a wire trace to see what suites the client is
actually advertising. <br>
<br>
And you are using TLS, right? <br>
<br>
For AECDH* (or any ECC suite), don't you have to tell OpenSSL
what curve to use? I haven't implemented that bit myself in
any applications, but my understanding is that with OpenSSL
1.0.2 you can just call SSL_CTX_set_ecdh_auto(ctx, 1). With
1.0.1 you have to specify a particular named curve with
SSL_CTX_set_tmp_ecdh. <br>
</blockquote>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
J. J. Farrell
Not speaking for Oracle
</pre>
<br>
<br>
</blockquote>
<br>
</body>
</html>