[openssl-users] Problem with using EC private keys
rmawatson rmawatson
rmawatson at hotmail.com
Wed Nov 1 17:16:09 UTC 2017
Hi,
I am confused about the two different ways I can generate an EC private key and why this is causing me problems with the test s_client s_server applications
So, I am using the command below to generate a private key, then using this to create
a certificate to work with openssl s_client s_server.
openssl ecparam -name secp384r1 -genkey -out privkey.pem (1)
I then create the .csr with the following two commands,
openssl req -key privkey.pem -out pub.csr -new (2)
openssl x509 -req -in pub.csr -signkey privkey.pem -out pub.crt (3)
This works with s_server/s_client.
But, when I generate a key like this:
openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp384r1 -out privkey.pem (4)
If I now create a signed .crt with (2) and (3) above, then use this pair with openssl s_server
it does not negotiate a cipher suite and it doesn't work.
Client:
CONNECTED(00000154)
2546392219:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert handshake failure:ssl_pkt.c:1205:SSL alert number 40
2546392219:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake failure:ssl_pkt.c:585:
...
Server:
...
ERROR
2867046282:error:140270C1:SSL routines:ACCEPT_SR_CLNT_HELLO_C:no shared cipher:ssl_srvr.c:1024:
shutting down SSL
CONNECTION CLOSED
Using this url (https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations) It turns out, if I take the key generated by (4) above, and convert it to pk8 with
openssl pkcs8 -topk8 -nocrypt -in privkey_ec.pem -out privkey.pem
If I now use this key to create the .crt and use this key pair with openssl s_server it works.
My question is why does the format of the private key make any difference. Surely openssl can decode the key in any supported format, after all it created it, and all
the required information must be in it, as it is able to convert to pk8 format that works.
Note:
I am running openssl server/client like this..
openssl.exe s_server -tls1_2 -key privkey.pem -cert pub.crt -debug
and
openssl.exe s_client -tls1_2
Thanks!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20171101/747160a8/attachment-0001.html>
More information about the openssl-users
mailing list