[openssl-users] ecc negotiation

David Rufino david.rufino at gmail.com
Mon Apr 6 13:40:16 UTC 2015


Great, that works, thank you. Is this the default behavior when using the C
API?

Thanks,
David

On Sunday, April 5, 2015, Matt Caswell <matt at openssl.org> wrote:

>
>
> On 05/04/15 23:42, Matt Caswell wrote:
> >
> >
> > On 05/04/15 22:04, David Rufino wrote:
> >> Hello,
> >>
> >> It's possible I'm doing something wrong here, but I can't seem to
> >> negotiate ecdhe with an elliptic curve other than P-256. To reproduce
> >> the issue, using openssl 1.0.2
> >>
> >> openssl s_server  -key server.key -cert server.crt -msg -debug -dhparam
> >> dhparam.pem  -cipher ECDHE-RSA-AES128-SHA -tls1_2
> >>
> >> gnutls-cli 127.0.0.1 -p 4433 -d 4 --insecure
> >> --priority="NORMAL:-KX-ALL:+ECDHE-RSA:-CURVE-ALL:+CURVE-SECP224R1"
> >>
> >> which gives the error
> >>
> >> :SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1366:
> >>
> >> changing to p256r1 succeeds. is there a particular why the negotation
> >> would fail with p224 ? my understanding is that openssl supports all the
> >> nist curves.
> >
> >
> > Try adding "-named_curve secp224r1" to your s_server arguments. This
> > specifies the curve to use for ECDHE keys. The default if you don't
> > specify a named curve is P-256 which is why it works when you are using
> > that curve.
>
> BTW, you can also use "-named_curve auto", which will just pick an
> appropriate curve.
>
> Matt
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150406/d64a0397/attachment.html>


More information about the openssl-users mailing list