Re: No shared cipher error using ECDSA

Fri, 13 May 2011 10:39:37 -0700 

Thanks very much for the fast response Victor.
 
I wonder if I've confused things here with a typo. 
 
I had originally put 
    cipher AES-128-CBC
in SERVER.OVPN & CLIENT.OVPN, not OPENSSL.CNF files (it's been a long week!)
 
I've tried removing the cipher statement from the OVPN files but I'm still 
getting the no cipher found error. 
 
Can you explain a little more about using the cipher class method please, I'm 
not sure how to specify that in SERVER.OVPN
 
Taking a step back, is it valid to use an AES cipher suite and an EC DSA 
signature algorithm ? Our security people are insisting on AES and either EC 
DSA, DSA or RSA as the signature algorithm, but with a preference for ECDSA. 
 
Thanks
 

From: Victor Duchovni <victor.ducho...@morganstanley.com>
To: "openssl-users@openssl.org" <openssl-users@openssl.org>
Sent: Friday, 13 May 2011, 17:56
Subject: Re: No shared cipher error using ECDSA

On Fri, May 13, 2011 at 05:41:52PM +0100, Mike Bell wrote:

> However I keep getting a "no shared cipher" error. 
> 
> In my client & server openssl.cnf files I've specified
> cipher AES-128-CBC

This is not an EC cipher, and if you configure an EC cert, but specify
a cipher that is one of the ones reported by "openssl ciphers -v aECDSA",
you get "no shared cipher" errors.

    ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH    Au=ECDSA Enc=AES(256)  Mac=SHA1
    ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH    Au=ECDSA Enc=3DES(168) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH    Au=ECDSA Enc=AES(128)  Mac=SHA1
    ECDHE-ECDSA-RC4-SHA    SSLv3 Kx=ECDH    Au=ECDSA Enc=RC4(128)  Mac=SHA1
    ECDHE-ECDSA-NULL-SHA    SSLv3 Kx=ECDH    Au=ECDSA Enc=None      Mac=SHA1

Don't explicitly specify the cipher, just the certificates are sufficient,
or specify a cipher "class"

    !eNULL:!SSLv2:aECDSA:@STRENGTH

which eliminates the NULL cipher:

    $ openssl ciphers -v '!eNULL:!SSLv2:aECDSA:@STRENGTH'
    ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH    Au=ECDSA Enc=AES(256)  Mac=SHA1
    ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH    Au=ECDSA Enc=3DES(168) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH    Au=ECDSA Enc=AES(128)  Mac=SHA1
    ECDHE-ECDSA-RC4-SHA    SSLv3 Kx=ECDH    Au=ECDSA Enc=RC4(128)  Mac=SHA1

-- 
    Viktor.
______________________________________________________________________
OpenSSL Project                                http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                          majord...@openssl.org

Reply via email to