[openssl-users] tls handshake fail using cipher ECDHE-ECDSA-AES256-GCM-SHA384
Pravesh Rai
pravesh.rai at gmail.com
Fri Jan 19 15:40:17 UTC 2018
Following link might give you, some clue about the problem:
https://stackoverflow.com/questions/30446431/wrong-cipher-suite-or-no-connection-with-openssl-server
Regards,
PR
On Fri, Jan 12, 2018 at 9:27 PM, johan persson <johan.persson.192 at gmail.com>
wrote:
> I have problem doing handshake using "ECDHE-ECDSA-AES256-GCM-SHA384"
> cipher.
> OpenSSL 1.0.2h
>
> This is how I generate test certificates.
> openssl ecparam -out /data/ca.key -name secp256k1 -genkey
> openssl req -x509 -new -key /data/ca.key -out /data/ca.pem -outform PEM
> -days 3650 -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER
> openssl ecparam -out /data/server.key -name secp256k1 -genkey
> openssl req -new -nodes -key /data/server.key -outform pem -out
> /data/server.req -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER'
> openssl ecparam -out /data/client.key -name secp256k1 -genkey
> openssl req -new -nodes -key /data/client.key -outform pem -out
> /data/client.req -subj '/C=SE/ST=S/L=M/O=V/CN=CLIENT'
> openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in
> /data/server.req -out /data/server.pem -outdir /data/
> openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in
> /data/client.req -out /data/client.pem -outdir /data/
>
>
> Running the following test:
> openssl s_server -accept 10000 -cert server.pem -key server.key -CAfile
> ca.pem -debug -tlsextdebug
> openssl s_client -connect localhost:10000 -cert client.pem -key client.key
> -CAfile ca.pem -tls1_2
>
> I get a handshake working ok with the cipher I want
> "ECDHE-ECDSA-AES256-GCM-SHA384", perfect!:
>
>
> Now, using my own tls server I only get "ECDH-ECDSA-AES256-GCM-SHA384" to
> work. I cannot use "ECDHE-ECDSA-AES256-GCM-SHA384" which I want.
> Anyone knows what I'm missing from the following setup?:
>
> #define VOC_TLS_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384" << NOT WORKING
> //#define VOC_TLS_CIPHERS "ECDH-ECDSA-AES256-GCM-SHA384" << WORKING
>
> // Init for OpenSSL
> SSL_library_init();
> OpenSSL_add_all_algorithms();
> SSL_load_error_strings();
>
> ctx_ = SSL_CTX_new(TLSv1_2_server_method());
> if (ctx_ == NULL)
> {
> LOG(LOG_WARN, "Tls: %s: Failed to create TLS context", __FUNCTION__);
> return RET_FAIL;
> }
>
> (Load Ca cert, server and server private key)
>
> if (SSL_CTX_set_ecdh_auto(ctx_, 1)) {
> LOG(LOG_WARN, "Tls: %s: Failed to set ECDH auto pick", __FUNCTION__);
> return RET_FAIL;
> }
>
> if (!SSL_CTX_set_cipher_list(ctx_, VOC_TLS_CIPHERS)) {
> LOG(LOG_WARN, "Tls: %s: Failed to set cipher list: %s\n",
> __FUNCTION__, VOC_TLS_CIPHERS);
> return RET_FAIL;
> }
>
> ssl_ = SSL_new(ctx_);
>
> error on server side:
> <ECDHE-ECDSA-AES256-GCM-SHA384>
> Server has 1 from 0xb475ef98:
> 0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384
> Client sent 1 from 0xb3502308:
> 0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384
> rt=0 rte=0 dht=0 ecdht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0
> 0:[00000080:00000040:00000140:000000D4]0xb6daa440:ECDHE-ECDS
> A-AES256-GCM-SHA384
> 2958031164:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
> cipher:s3_srvr.c:1417:
>
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180119/1f57427b/attachment-0001.html>
More information about the openssl-users
mailing list