[openssl-users] ecc negotiation
Matt Caswell
matt at openssl.org
Sun Apr 5 22:42:06 UTC 2015
On 05/04/15 22:04, David Rufino wrote:
> Hello,
>
> It's possible I'm doing something wrong here, but I can't seem to
> negotiate ecdhe with an elliptic curve other than P-256. To reproduce
> the issue, using openssl 1.0.2
>
> openssl s_server -key server.key -cert server.crt -msg -debug -dhparam
> dhparam.pem -cipher ECDHE-RSA-AES128-SHA -tls1_2
>
> gnutls-cli 127.0.0.1 -p 4433 -d 4 --insecure
> --priority="NORMAL:-KX-ALL:+ECDHE-RSA:-CURVE-ALL:+CURVE-SECP224R1"
>
> which gives the error
>
> :SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1366:
>
> changing to p256r1 succeeds. is there a particular why the negotation
> would fail with p224 ? my understanding is that openssl supports all the
> nist curves.
Try adding "-named_curve secp224r1" to your s_server arguments. This
specifies the curve to use for ECDHE keys. The default if you don't
specify a named curve is P-256 which is why it works when you are using
that curve.
Matt
More information about the openssl-users
mailing list