<div dir="ltr">The following link might give you some clue about the problem:<div><br></div><div><a href="https://stackoverflow.com/questions/30446431/wrong-cipher-suite-or-no-connection-with-openssl-server">https://stackoverflow.com/questions/30446431/wrong-cipher-suite-or-no-connection-with-openssl-server</a><br></div><div><br></div><div>Regards,</div><div>PR</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 12, 2018 at 9:27 PM, johan persson <span dir="ltr">&lt;<a href="mailto:johan.persson.192@gmail.com" target="_blank">johan.persson.192@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" style="font-family:Arial,Helvetica,sans-serif;font-size:13px">I have a problem doing a handshake using the "ECDHE-ECDSA-AES256-GCM-SHA384" cipher.<br>OpenSSL 1.0.2h<br><br>This is how I generate test certificates.<br>openssl ecparam -out /data/ca.key -name secp256k1 -genkey<br>openssl req -x509 -new -key /data/ca.key -out /data/ca.pem -outform PEM -days 3650 -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER'<br>openssl ecparam -out /data/server.key -name secp256k1 -genkey<br>openssl req -new -nodes -key /data/server.key -outform pem -out /data/server.req -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER'<br>openssl ecparam -out /data/client.key -name secp256k1 -genkey<br>openssl req -new -nodes -key /data/client.key -outform pem -out /data/client.req -subj '/C=SE/ST=S/L=M/O=V/CN=CLIENT'<br>openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in /data/server.req -out /data/server.pem -outdir /data/<br>openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in /data/client.req -out /data/client.pem -outdir /data/<br><br>Running the following test:<br>openssl s_server -accept 10000 -cert server.pem -key server.key -CAfile ca.pem -debug -tlsextdebug<br>openssl s_client -connect localhost:10000 -cert client.pem -key client.key -CAfile ca.pem -tls1_2<br><br>I get a handshake working OK with the cipher I want, "ECDHE-ECDSA-AES256-GCM-SHA384", perfect!<br><br>Now, using my own TLS server, I only get "ECDH-ECDSA-AES256-GCM-SHA384" to work. I cannot use "ECDHE-ECDSA-AES256-GCM-SHA384", which I want.<br>Does anyone know what I'm missing from the following setup?<br><br>#define VOC_TLS_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384" &lt;&lt; NOT WORKING<br>//#define VOC_TLS_CIPHERS "ECDH-ECDSA-AES256-GCM-SHA384" &lt;&lt; WORKING<br><br>// Init for OpenSSL<br>SSL_library_init();<br>OpenSSL_add_all_algorithms();<br>SSL_load_error_strings();<br><br>ctx_ = SSL_CTX_new(TLSv1_2_server_method());<br>if (ctx_ == NULL)<br>{<br>   LOG(LOG_WARN, "Tls: %s: Failed to create TLS context", __FUNCTION__);<br>   return RET_FAIL;<br>}<br><br>(Load CA cert, server cert and server private key)<br><br>if (SSL_CTX_set_ecdh_auto(ctx_, 1)) {<br>   LOG(LOG_WARN, "Tls: %s: Failed to set ECDH auto pick", __FUNCTION__);<br>   return RET_FAIL;<br>}<br><br>if (!SSL_CTX_set_cipher_list(ctx_, VOC_TLS_CIPHERS)) {<br>    LOG(LOG_WARN, "Tls: %s: Failed to set cipher list: %s\n", __FUNCTION__, VOC_TLS_CIPHERS);<br>    return RET_FAIL;<br>}<br><br>ssl_ = SSL_new(ctx_);<br><br>error on server side:<br>&lt;ECDHE-ECDSA-AES256-GCM-SHA384&gt;<br>Server has 1 from 0xb475ef98:<br>0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384<br>Client sent 1 from 0xb3502308:<br>0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384<br>rt=0 rte=0 dht=0 ecdht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0<br>0:[00000080:00000040:00000140:000000D4]0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384<br>2958031164:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:<br></div>
<br>--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
<br></blockquote></div><br></div>
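<div>Editor's note on the thread above. The server debug line <code>rt=0 rte=0 dht=0 ecdht=0 ...</code> is printed by OpenSSL 1.0.2's cipher selection, and <code>ecdht=0</code> means the server has no ephemeral ECDH key source (no <code>SSL_CTX_set_tmp_ecdh</code> key and no <code>ecdh_auto</code>), so every ECDHE suite is removed from the server's candidate list before it is compared with the client's offer, which yields "no shared cipher" even though both lists print the same suite. Two things in the quoted setup bear on that: in 1.0.2 the <code>SSL_CTX_set_ecdh_auto(ctx, 1)</code> macro returns 1 on success, so the quoted <code>if (SSL_CTX_set_ecdh_auto(ctx_, 1))</code> treats success as failure (the usual test is <code>if (!SSL_CTX_set_ecdh_auto(ctx_, 1))</code>); and the static <code>ECDH-ECDSA-AES256-GCM-SHA384</code> suite that does work needs no ephemeral key because it reuses the certificate's key for key exchange, which is exactly why it gives no forward secrecy. The added example below is not code from the original mail or from OpenSSL; it assumes Python 3.7 or later built against OpenSSL 1.1.0 or later (needed for the <code>kea</code>/<code>auth</code> fields of <code>SSLContext.get_ciphers()</code>). Python's <code>ssl</code> module enables automatic curve selection itself, so it cannot reproduce the 1.0.2 missing-key state; instead it shows the pre-deployment audit a defender would add to such a server: resolve the cipher string the server will actually use and reject any suite that lacks ephemeral key exchange or whose authentication does not match the certificate's key type, so a static-ECDH fallback like the one above is flagged rather than silently shipped. The cipher strings used in the test are the ones from the thread plus a constructed RSA-key-exchange one.</div>

```python
"""Audit a server-side cipher string for forward secrecy and certificate fit.

Added example for the openssl-users thread above; it is not code from the
original mail or from OpenSSL. It uses only the standard-library `ssl` module,
which links against the system OpenSSL, so the suites it resolves depend on
that build (OpenSSL 1.1.0+ no longer has static ECDH suites at all).
"""
import ssl

# Key-exchange identifiers as OpenSSL reports them (long names of the kx NIDs).
# Only these provide forward secrecy: a fresh (EC)DH key per handshake.
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}


def resolve_tls12_suites(cipher_string):
    """Return the TLS 1.2-and-older suites a server context admits for cipher_string.

    Raises ssl.SSLError when the string selects nothing in this OpenSSL build,
    which is what happens for ECDH-ECDSA-AES256-GCM-SHA384 on OpenSSL 1.1.0+.
    TLS 1.3 suites are configured separately and always use ephemeral key
    exchange, so they are left out: the cipher string does not govern them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_cipher_string(cipher_string, cert_key_type="ECDSA"):
    """Return (ok, findings) for a server cipher string.

    cert_key_type is the key type of the server certificate ("ECDSA" or "RSA").
    A suite whose authentication does not match it can never be negotiated,
    which is another route to the "no shared cipher" alert seen in the thread.
    """
    findings = []
    try:
        suites = resolve_tls12_suites(cipher_string)
    except ssl.SSLError as exc:
        return False, [f"cipher string selects no suite in this OpenSSL build: {exc}"]

    wanted_auth = "auth-" + cert_key_type.lower()
    for suite in suites:
        name = suite["name"]
        if suite["kea"] not in EPHEMERAL_KX:
            findings.append(
                f"{name}: key exchange {suite['kea']} is not ephemeral (no forward secrecy)"
            )
        if suite["auth"] != wanted_auth:
            findings.append(
                f"{name}: authentication {suite['auth']} does not match a "
                f"{cert_key_type} certificate"
            )
    if not suites:
        findings.append("cipher string admits no TLS 1.2 suite")
    return not findings, findings


def report(cipher_string, cert_key_type="ECDSA"):
    """Human-readable audit result, one line per finding."""
    ok, findings = audit_cipher_string(cipher_string, cert_key_type)
    head = f"{cipher_string} with {cert_key_type} cert: {'OK' if ok else 'REJECT'}"
    return "\n".join([head] + ["  - " + f for f in findings])


if __name__ == "__main__":
    # The two strings from the thread, audited against the ECDSA certificate
    # the poster generated; the static ECDH one is rejected either way.
    print(report("ECDHE-ECDSA-AES256-GCM-SHA384"))
    print(report("ECDH-ECDSA-AES256-GCM-SHA384"))
```

<div>The audit only proves that the configured suites are acceptable; on the 1.0.2 C side the server must additionally have an ephemeral EC key source, either <code>SSL_CTX_set_ecdh_auto(ctx, 1)</code> (checked as <code>if (!SSL_CTX_set_ecdh_auto(ctx_, 1))</code>) or <code>SSL_CTX_set_tmp_ecdh()</code> with an <code>EC_KEY</code> for a named curve, or the <code>ecdht=0</code> state above recurs. A related caveat for the test certificates: with ECDHE-ECDSA suites OpenSSL also requires the certificate's curve to be one the client lists in its supported-curves extension, and while <code>openssl s_client</code> 1.0.2 advertises secp256k1, browsers and most current TLS stacks do not, so prime256v1 (P-256) is the usual choice for a certificate that has to interoperate.</div>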