<div dir="ltr"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">I have problem doing handshake using "ECDHE-ECDSA-AES256-GCM-</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">SHA384" cipher. </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">OpenSSL 1.0.2h </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">This is how I generate test certificates. </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">openssl ecparam -out /data/ca.key -name secp256k1 -genkey </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">openssl req -x509 -new -key /data/ca.key -out /data/ca.pem -outform PEM -days 3650 -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">openssl ecparam -out /data/server.key -name secp256k1 -genkey </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">openssl req -new -nodes -key /data/server.key -outform pem -out /data/server.req -subj '/C=SE/ST=S/L=M/O=V/CN=</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">SERVER' </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">openssl ecparam -out /data/client.key -name secp256k1 -genkey </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">openssl req -new -nodes -key /data/client.key -outform pem -out /data/client.req -subj '/C=SE/ST=S/L=M/O=V/CN=CLIENT' </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in /data/server.req -out /data/server.pem -outdir /data/ </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in /data/client.req -out /data/client.pem -outdir /data/ </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">Running the following test: </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">openssl s_server -accept 10000 -cert server.pem -key server.key -CAfile ca.pem -debug -tlsextdebug </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">openssl s_client -connect localhost:10000 -cert client.pem -key client.key -CAfile ca.pem -tls1_2 </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">I get a handshake working ok with the cipher I want "ECDHE-ECDSA-AES256-GCM-</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">SHA384", perfect!: </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">Now, using my own tls server I only get "ECDH-ECDSA-AES256-GCM-SHA384" to work. I cannot use "ECDHE-ECDSA-AES256-GCM-</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">SHA384" which I want. </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">Anyone knows what I'm missing from the following setup?: </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">#define VOC_TLS_CIPHERS "ECDHE-ECDSA-AES256-GCM-</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">SHA384" << NOT WORKING </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">//#define VOC_TLS_CIPHERS "ECDH-ECDSA-AES256-GCM-SHA384" << WORKING </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">// Init for OpenSSL </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">SSL_library_init(); </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">OpenSSL_add_all_algorithms(); </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">SSL_load_error_strings(); </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">ctx_ = SSL_CTX_new(TLSv1_2_server_</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">method()); </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">if (ctx_ == NULL) </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">{ </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">   LOG(LOG_WARN, "Tls: %s: Failed to create TLS context", __FUNCTION__); </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">   return RET_FAIL; </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">} </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">(Load Ca cert, server and server private key) </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">if (SSL_CTX_set_ecdh_auto(ctx_, 1)) { </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">   LOG(LOG_WARN, "Tls: %s: Failed to set ECDH auto pick", __FUNCTION__); </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">   return RET_FAIL; </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">} </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">if (!SSL_CTX_set_cipher_list(ctx_</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">, VOC_TLS_CIPHERS)) { </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">    LOG(LOG_WARN, "Tls: %s: Failed to set cipher list: %s\n", __FUNCTION__, VOC_TLS_CIPHERS); </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">    return RET_FAIL; </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">} </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">ssl_ = SSL_new(ctx_); </span><br><div><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></span></div><div><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">error on server side:</span></div><div><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><ECDHE-ECDSA-AES256-GCM-</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">SHA384> </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">Server has 1 from 0xb475ef98: </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">0xb6daa440:ECDHE-ECDSA-AES256-</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">GCM-SHA384 </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">Client sent 1 from 0xb3502308: </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">0xb6daa440:ECDHE-ECDSA-AES256-</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">GCM-SHA384 </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">rt=0 rte=0 dht=0 ecdht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">0:[00000080:00000040:00000140:</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">000000D4]0xb6daa440:ECDHE-</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">ECDSA-AES256-GCM-SHA384 </span><br style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">2958031164:error:1408A0C1:SSL routines:ssl3_get_client_</span><wbr style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px">hello:no shared cipher:s3_srvr.c:1417: </span><span style="font-family:Arial,Helvetica,sans-serif;font-size:13px"><br></span></div></div>