[openssl-users] tls handshake fail using cipher ECDHE-ECDSA-AES256-GCM-SHA384

johan persson johan.persson.192 at gmail.com
Fri Jan 12 15:57:31 UTC 2018


I have problem doing handshake using "ECDHE-ECDSA-AES256-GCM-SHA384"
cipher.
OpenSSL 1.0.2h

This is how I generate test certificates.
openssl ecparam -out /data/ca.key -name secp256k1 -genkey
openssl req -x509 -new -key /data/ca.key -out /data/ca.pem -outform PEM
-days 3650 -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER
openssl ecparam -out /data/server.key -name secp256k1 -genkey
openssl req -new -nodes -key /data/server.key -outform pem -out
/data/server.req -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER'
openssl ecparam -out /data/client.key -name secp256k1 -genkey
openssl req -new -nodes -key /data/client.key -outform pem -out
/data/client.req -subj '/C=SE/ST=S/L=M/O=V/CN=CLIENT'
openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in
/data/server.req -out /data/server.pem -outdir /data/
openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in
/data/client.req -out /data/client.pem -outdir /data/


Running the following test:
openssl s_server -accept 10000 -cert server.pem -key server.key -CAfile
ca.pem -debug -tlsextdebug
openssl s_client -connect localhost:10000 -cert client.pem -key client.key
-CAfile ca.pem -tls1_2

I get a handshake working ok with the cipher I want
"ECDHE-ECDSA-AES256-GCM-SHA384",
perfect!:


Now, using my own tls server I only get "ECDH-ECDSA-AES256-GCM-SHA384" to
work. I cannot use "ECDHE-ECDSA-AES256-GCM-SHA384" which I want.
Anyone knows what I'm missing from the following setup?:

#define VOC_TLS_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384" << NOT WORKING
//#define VOC_TLS_CIPHERS "ECDH-ECDSA-AES256-GCM-SHA384" << WORKING

// Init for OpenSSL
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();

ctx_ = SSL_CTX_new(TLSv1_2_server_method());
if (ctx_ == NULL)
{
   LOG(LOG_WARN, "Tls: %s: Failed to create TLS context", __FUNCTION__);
   return RET_FAIL;
}

(Load Ca cert, server and server private key)

if (SSL_CTX_set_ecdh_auto(ctx_, 1)) {
   LOG(LOG_WARN, "Tls: %s: Failed to set ECDH auto pick", __FUNCTION__);
   return RET_FAIL;
}

if (!SSL_CTX_set_cipher_list(ctx_, VOC_TLS_CIPHERS)) {
    LOG(LOG_WARN, "Tls: %s: Failed to set cipher list: %s\n", __FUNCTION__,
VOC_TLS_CIPHERS);
    return RET_FAIL;
}

ssl_ = SSL_new(ctx_);

error on server side:
<ECDHE-ECDSA-AES256-GCM-SHA384>
Server has 1 from 0xb475ef98:
0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384
Client sent 1 from 0xb3502308:
0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384
rt=0 rte=0 dht=0 ecdht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
0:[00000080:00000040:00000140:000000D4]0xb6daa440:ECDHE-
ECDSA-AES256-GCM-SHA384
2958031164:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
cipher:s3_srvr.c:1417:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180112/1db901ba/attachment-0001.html>


More information about the openssl-users mailing list