[openssl-users] Diffie-Hellman Questions

Jeremy Farrell jeremy.farrell at oracle.com
Wed May 25 21:10:11 UTC 2016


Interesting; is this a server-side requirement? I ask because with 
1.0.2g my client using "AECDH+AES:ADH+AES" makes a TLS 1.2 connection 
with AECDH-AES256-SHA without calling this function or similar.

Regards,
                        jjf

On 25/05/2016 21:31, Norm Green wrote:
> Yes!  That was the problem.  In order to use cipher "AECDH", 
> SSL_CTX_set_ecdh_auto(ctx, 1) must be called first.
>
> Thanks Michael!!
>
> Norm
>
>
> On 5/24/16 15:52, Michael Wojcik wrote:
>>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On 
>>> Behalf
>>> Of Norm Green
>>> Sent: Tuesday, May 24, 2016 13:40
>>>
>>> I've tried both:
>>>
>>> SSL_CTX_set_cipher_list("AECDH")
>>>
>>> and:
>>>
>>> SSL_CTX_set_cipher_list("AECDH-AES256-SHA")
>>>
>>> on both the client and server side, both of which result in the dreaded
>>> "no shared cipher" error:
>>>
>>> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
>>> cipher:s3_srvr.c:1417:
>> You might run a wire trace to see what suites the client is actually 
>> advertising.
>>
>> And you are using TLS, right?
>>
>> For AECDH* (or any ECC suite), don't you have to tell OpenSSL what 
>> curve to use? I haven't implemented that bit myself in any 
>> applications, but my understanding is that with OpenSSL 1.0.2 you can 
>> just call SSL_CTX_set_ecdh_auto(ctx, 1). With 1.0.1 you have to 
>> specify a particular named curve with SSL_CTX_set_tmp_ecdh.

-- 
J. J. Farrell
Not speaking for Oracle

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160525/78621bb6/attachment.html>


More information about the openssl-users mailing list