Thanks Viktor, I hadn't properly understood the relationship between the certificate and the cipher, so I'll look at that now. I think I'm also confusing the OpenVPN & OpenSSL relationship. OpenVPN does appear to be using TLS according to the logs, so I had tried to specify tls-cipher ECDHE-ECDSA-AES256-SHA in CLIENT.OVPN and SERVER.OVPN config files, but got the same error. Thanks for your help, you've given me new ideas to research.

On Fri, May 13, 2011 at 06:36:34PM +0100, Mike Bell wrote:
> I had originally put
> cipher AES-128-CBC
> in SERVER.OVPN & CLIENT.OVPN, not OPENSSL.CNF files (it's been a long week!)

I am not familiar with your VPN product, so you'll have to figure out what configuration options are applicable. If the product uses SSL cipher suites, then a cipher name is almost always a "cipherlist", whose syntax is described in the ciphers(1) manpage.

If on the other hand, as the protocol in question is not TLS, cipher specification uses a different syntax, then you need to figure out how to configure a cipher that is compatible with ECDSA certificates.

Do not confuse a block algorithm (e.g. AES-128-CBC) with a cipher-suite, which specifies also the authentication and message digest algorithms. Generally, OpenSSL ciphersuites are defined for TLS. It is not clear how these translate to your VPN device.

-- 
	Viktor.

From: Victor Duchovni <victor.ducho...@morganstanley.com>
To: "openssl-users@openssl.org" <openssl-users@openssl.org>
Sent: Friday, 13 May 2011, 17:56
Subject: Re: No shared cipher error using ECDSA

On Fri, May 13, 2011 at 05:41:52PM +0100, Mike Bell wrote:

> However I keep getting a "no shared cipher" error.
>
> In my client & server openssl.cnf files I've specified
> cipher AES-128-CBC

This is not an EC cipher, and if you configure an EC cert, but specify a cipher that is one of the ones reported by "openssl ciphers -v aECDSA", you get "no shared cipher" errors.
    ECDHE-ECDSA-AES256-SHA   SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256)  Mac=SHA1
    ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA   SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128)  Mac=SHA1
    ECDHE-ECDSA-RC4-SHA      SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128)  Mac=SHA1
    ECDHE-ECDSA-NULL-SHA     SSLv3 Kx=ECDH Au=ECDSA Enc=None      Mac=SHA1

Don't explicitly specify the cipher, just the certificates are sufficient, or specify a cipher "class"

    !eNULL:!SSLv2:aECDSA:@STRENGTH

which eliminates the NULL cipher:

    $ openssl ciphers -v '!eNULL:!SSLv2:aECDSA:@STRENGTH'
    ECDHE-ECDSA-AES256-SHA   SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256)  Mac=SHA1
    ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA   SSLv3 Kx=ECDH Au=ECDSA Enc=AES(128)  Mac=SHA1
    ECDHE-ECDSA-RC4-SHA      SSLv3 Kx=ECDH Au=ECDSA Enc=RC4(128)  Mac=SHA1

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
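The distinction Viktor draws (a block algorithm name such as AES-128-CBC versus a TLS cipherlist whose suites carry an authentication algorithm that must match the certificate) can be checked mechanically. The script below is an added example written for this thread; it is not code from the thread, from OpenSSL or from OpenVPN. It assumes Python 3.6 or newer linked against OpenSSL 1.1.1 or newer: the `ssl` module hands the string to OpenSSL's own cipherlist parser (`SSL_CTX_set_cipher_list`), so what it accepts is exactly what `openssl ciphers -v '<string>'` accepts, and `SSLContext.get_ciphers()` reports the Au= field as `auth`. The `!SSLv2` term from the thread is left out because SSLv2 no longer exists in current OpenSSL builds, and the suites listed by a modern build differ from the 2011 output above (RC4 and 3DES are gone, GCM suites are present, and TLS 1.3 suites, which are certificate-agnostic, appear as well). The function and variable names are mine.

```python
"""Sanity-check an OpenSSL cipher string against an ECDSA-only certificate.

Added example for this thread (not code from the thread, OpenSSL or OpenVPN).
Assumes Python 3.6+ linked against OpenSSL 1.1.1+; the ssl module passes the
string to SSL_CTX_set_cipher_list, so the verdicts match `openssl ciphers -v`.
"""
import ssl


def expand_cipherlist(cipherlist):
    """Return the cipher suites OpenSSL selects for `cipherlist` (list of dicts).

    Raises ssl.SSLError when the string selects no TLS 1.2-or-earlier suite.
    That is what happens for a bare block-algorithm name such as "AES-128-CBC":
    it is an EVP cipher name (valid for `openssl enc` or an OpenVPN data-channel
    `cipher` line), not a TLS cipher suite, so OpenSSL ignores the unknown
    token and is left with an empty list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipherlist)
    return ctx.get_ciphers()


def is_tls_cipherlist(cipherlist):
    """True if OpenSSL accepts `cipherlist` and it selects at least one suite."""
    try:
        expand_cipherlist(cipherlist)
    except ssl.SSLError:
        return False
    return True


def suites_usable_with_ecdsa_cert(cipherlist):
    """Pre-TLS 1.3 suites from `cipherlist` that an ECDSA-only server can offer.

    Up to TLS 1.2 the authentication algorithm is part of the suite
    (Au=ECDSA in `openssl ciphers -v`, reported here as auth == "auth-ecdsa").
    TLS 1.3 suites are certificate-agnostic ("auth-any") and are left out so
    the answer reflects a TLS 1.2 handshake, where "no shared cipher" bites.
    """
    return [c for c in expand_cipherlist(cipherlist) if c["auth"] == "auth-ecdsa"]


def diagnose(cipherlist):
    """One-line verdict on why an ECDSA-only server might say 'no shared cipher'."""
    if not is_tls_cipherlist(cipherlist):
        return ("not a TLS cipherlist: probably a block-algorithm name such as "
                "AES-128-CBC rather than a cipher suite")
    legacy = [c for c in expand_cipherlist(cipherlist) if c["auth"] != "auth-any"]
    ecdsa = [c for c in legacy if c["auth"] == "auth-ecdsa"]
    if legacy and not ecdsa:
        return ("valid cipherlist, but none of its TLS 1.2 suites authenticates "
                "with ECDSA: expect 'no shared cipher' against an ECDSA-only server")
    # Viktor's "!eNULL" point: aECDSA alone may include NULL-encryption suites.
    null_suites = [c["name"] for c in ecdsa if "NULL" in c["name"]]
    if null_suites:
        return ("usable with an ECDSA certificate, but includes NULL-encryption "
                "suites: " + ", ".join(null_suites))
    return "usable with an ECDSA certificate"


if __name__ == "__main__":
    # Constructed inputs: the thread's mistaken setting, the bare aECDSA class,
    # the class with NULL encryption excluded, and an RSA-only list for contrast.
    for s in ("AES-128-CBC", "aECDSA", "!eNULL:aECDSA:@STRENGTH", "aRSA"):
        print(f"{s!r:28} -> {diagnose(s)}")
    print("ECDSA-authenticated suites selected by '!eNULL:aECDSA:@STRENGTH':")
    for c in suites_usable_with_ecdsa_cert("!eNULL:aECDSA:@STRENGTH"):
        print(f"  {c['name']:32} {c['protocol']:7} {c['kea']:9} {c['auth']}")
```

Running it prints a verdict per string; the "AES-128-CBC" line reproduces the thread's mistake (OpenSSL raises "No cipher can be selected"), and "aRSA" shows the other way to reach "no shared cipher": a syntactically valid list whose suites all authenticate with a key type the server does not hold.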