On Mon, May 16, 2011 at 11:56:41AM +0100, Mike Bell wrote:

> Thanks Viktor,
>
> I hadn't properly understood the relationship between the certificate
> and the cipher, so I'll look at that now. I think I'm also confusing
> the OpenVPN & OpenSSL relationship.
>
> OpenVPN does appear to be using TLS according to the logs, so I had
> tried to specify
>
> tls-cipher ECDHE-ECDSA-AES256-SHA
>
> in CLIENT.OVPN and SERVER.OVPN config files, but got the same error.

Are you sure that the OpenSSL version used by OpenSSL supports EC
ciphersuites? Generally, you need OpenSSL 1.0.0 for that. Partial
support for EC was available in 0.9.8, and no EC support is present
in 0.9.7.

To enable EECDH key-exchange, the server may need to specify a curve,
which OpenVPN may not be doing. I don't believe that the curve from the
certificate is used by default when no curve is specified explicitly
via SSL_CTX_set_tmp_ecdh() and no callback is specified via
SSL_CTX_set_tmp_ecdh_callback(). Thus code not explicitly designed to
use ECDSA ciphers may not work when configured to use only ECDSA. It
will only use any non-ECDSA ciphers allowed.

--
Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
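
The two checks raised in the reply (does the linked OpenSSL support EC suites, and can a server context be given an ECDH curve), as an added example that is not part of the original thread. It inspects the OpenSSL that Python's `ssl` module is linked against, not the one OpenVPN uses, and the curve name `prime256v1` is an assumption; the thread names no curve.

```python
import ssl

SUITE = "ECDHE-ECDSA-AES256-SHA"  # suite named in the thread
CURVE = "prime256v1"              # assumed curve, not from the thread


def ec_support(version_info):
    """Map an OpenSSL version tuple to the support levels stated in the reply."""
    v = tuple(version_info[:3])
    if v >= (1, 0, 0):
        return "full"
    if v >= (0, 9, 8):
        return "partial"
    return "none"


def suite_details(suite=SUITE):
    """Return the library's description of the suite, or None if it cannot be enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(suite)
    except ssl.SSLError:
        return None  # no cipher in the library matched the string
    # TLS 1.3 suites are always listed as well, so filter by name.
    for cipher in ctx.get_ciphers():
        if cipher["name"] == suite:
            return cipher
    return None


def curve_accepted(curve=CURVE):
    """True if a server context accepts the curve for ephemeral ECDH."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ecdh_curve(curve)  # Python's wrapper for choosing the ECDH curve
    except (ValueError, ssl.SSLError):
        return False
    return True


def report():
    details = suite_details()
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "ec_support": ec_support(ssl.OPENSSL_VERSION_INFO),
        "suite_enabled": details is not None,
        "key_exchange": details.get("kea") if details else None,
        "authentication": details.get("auth") if details else None,
        "curve_accepted": curve_accepted(),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

A suite that reports ECDSA authentication can only be negotiated when the server also presents an ECDSA certificate, which is the certificate/cipher relationship mentioned in the quoted message.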