Great, I finally don't see the error.
Is there any other way to disable ECDHE other than from command line? I couldn't find any command to disable ECDHE in the generation of the ECC cert. I also tried editing SSLCipherSuite to

ALL:!ADH:!EXPORT56:RC4+RSA:-kEECDH:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

or

ALL:!ADH:!EXPORT56:RC4+RSA:-kECDHe:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

where I expected -kEECDH or -kECDHE to disable ECDHE. Unfortunately, it didn't work out.

Many thanks!

----- Original Message ----
From: Marek Marcola <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Sent: Thursday, 19 October 2006 7:06:48 PM
Subject: Re: sslv3 alert handshake failure

Hello,

> Like to clarify one point, am I right to say the peer (client) we are
> referring to here is the browser?

Browser or any other SSL client.

> I'm using Firefox 2 Beta 1 which I know has ECC support. I had
> performed a test at tls.secg.org to verify this.

According to Firefox documentation ECC support is presently limited to curves of 256, 384, and 521 bits. But after creating ECC secp521r1 I was unable to connect with Firefox too, but now I had error -8092 which means SEC_ERROR_KEYGEN_FAIL. After looking at the source code of Firefox there was a place in mozilla/security/nss/lib/ssl/ssl3ecc.c where ephemeral keys are generated from ECC and probably this causes the error. After running "openssl s_server ..." with "-no_ecdhe" I was able to establish a connection with ECC ciphers.

> Another point I'm puzzled is that the openssl ciphersuites shown only
> ciphers with SSLv3 protocol when I execute openssl cipher -v ECCdraft.
> But I thought openssl 0.9.8b already provide support for TLSv1 too, so
> why don't I see any ciphers with TLSv1 protocol? Or have I
> misunderstood the readme file in 0.9.8b?

This is only a name problem, SSL3 and TLS1 are very close so sometimes some names/variables are used interchangeably.

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]