I debugged this to see what is happening, and it seems that the server is looking at the configured certificate and key and deciding that the client needs to be sending 0xFF01 (it is finding NID_X9_62_prime_field as the field type). However, the client is sending the full list of standard named curves.
I create the key using NID_X9_62_prime256v1 as follows (abbreviated):

    EVP_PKEY* key = NULL;
    EC_KEY* eck = NULL;
    BIGNUM* e = NULL;
    EC_GROUP* ecgroup = NULL;

    /* allocate the EVP_PKEY wrapper; the assign below fails on a NULL key */
    key = EVP_PKEY_new();
    if ( !key ) goto err;

    eck = EC_KEY_new();
    if ( !eck ) goto err;

    /* build the group for the P-256 curve and attach it to the key */
    ecgroup = EC_GROUP_new_by_curve_name(NID_X9_62_prime256v1);
    if ( !ecgroup ) goto err;
    if ( !EC_KEY_set_group(eck, ecgroup) ) goto err;

    /* generate the key pair and hand ownership of eck to the EVP_PKEY */
    if( !EC_KEY_generate_key( eck ) ) goto err;
    if( !EVP_PKEY_assign_EC_KEY( key, eck ) ) goto err;

    EC_GROUP_free(ecgroup);

Is there something I am doing incorrectly to generate the EC key?

....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Erik Tkal
Sent: Wednesday, August 01, 2012 4:33 PM
To: openssl-users@openssl.org
Subject: ECDSA testing with s_client/s_server

I'm playing around to see if I can observe client and server under various conditions when negotiating TLS 1.2 with newer certs. I created a root and server cert as ecdsa-with-SHA256.

    openssl s_server -CAfile eroot1.pem -cert eserver1.pem -key eserver1.key -debug
    openssl s_client -CAfile eroot1.pem -debug

However, the server issues a handshake alert and says no shared cipher. I see the client is sending a large set of suites but apparently none that the server wants. How do I do this properly?

    ACCEPT
    read from 0x147cb28 [0x1489e60] (11 bytes => 11 (0xB))
    0000 - 16 03 01 01 3c 01 00 01-38 03 03   ....<...8..
    read from 0x147cb28 [0x1489e6e] (310 bytes => 310 (0x136))
    0000 - 50 19 91 ea 00 45 14 d9-c4 bc 4d 15 a1 e5 0a a3   P....E....M.....
    0010 - f4 89 1d a5 98 37 2d 28-14 a2 19 47 b4 92 e8 dd   .....7-(...G....
    0020 - 00 00 a0 c0 30 c0 2c c0-28 c0 24 c0 14 c0 0a c0   ....0.,.(.$.....
    0030 - 22 c0 21 00 a3 00 9f 00-6b 00 6a 00 39 00 38 00   ".!.....k.j.9.8.
    0040 - 88 00 87 c0 32 c0 2e c0-2a c0 26 c0 0f c0 05 00   ....2...*.&.....
    0050 - 9d 00 3d 00 35 00 84 c0-12 c0 08 c0 1c c0 1b 00   ..=.5...........
    0060 - 16 00 13 c0 0d c0 03 00-0a c0 2f c0 2b c0 27 c0   ........../.+.'.
    0070 - 23 c0 13 c0 09 c0 1f c0-1e 00 a2 00 9e 00 67 00   #.............g.
    0080 - 40 00 33 00 32 00 9a 00-99 00 45 00 44 c0 31 c0   @.3.2.....E.D.1.
    0090 - 2d c0 29 c0 25 c0 0e c0-04 00 9c 00 3c 00 2f 00   -.).%.......<./.
    00a0 - 96 00 41 00 07 c0 11 c0-07 c0 0c c0 02 00 05 00   ..A.............
    00b0 - 04 00 15 00 12 00 09 00-14 00 11 00 08 00 06 00   ................
    00c0 - 03 00 ff 01 00 00 6f 00-0b 00 04 03 00 01 02 00   ......o.........
    00d0 - 0a 00 34 00 32 00 0e 00-0d 00 19 00 0b 00 0c 00   ..4.2...........
    00e0 - 18 00 09 00 0a 00 16 00-17 00 08 00 06 00 07 00   ................
    00f0 - 14 00 15 00 04 00 05 00-12 00 13 00 01 00 02 00   ................
    0100 - 03 00 0f 00 10 00 11 00-23 00 00 00 0d 00 22 00   ........#.....".
    0110 - 20 06 01 06 02 06 03 05-01 05 02 05 03 04 01 04    ...............
    0120 - 02 04 03 03 01 03 02 03-03 02 01 02 02 02 03 01   ................
    0130 - 01 00 0f 00 01 01   ......
    write to 0x147cb28 [0x1493870] (7 bytes => 7 (0x7))
    0000 - 15 03 03 00 02 02 28   ......(
    ERROR
    5368:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:.\ssl\s3_srvr.c:1353:
    shutting down SSL
    CONNECTION CLOSED

....................................
Erik Tkal
Juniper OAC/UAC/Pulse Development

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
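The ClientHello dump quoted above can be checked directly for which curves the client advertises. The following is an added example, not part of the original post and not OpenSSL code: a small C parser over the extensions block of that dump which tests for secp256r1 (0x0017, the TLS identifier for prime256v1) and for arbitrary_explicit_prime_curves (0xFF01). The function name `client_offers_curve` and the constant names are assumptions made for this example.

```c
#include <stdio.h>

/* Extensions block of the ClientHello dumped above: offsets 0x00c7-0x0135 of
   the 310-byte read, copied from the page and laid out row by row. */
static const unsigned char EXTS[] = {
    0x00,0x0b,0x00,0x04,0x03,0x00,0x01,0x02,0x00,
    0x0a,0x00,0x34,0x00,0x32,0x00,0x0e,0x00,0x0d,0x00,0x19,0x00,0x0b,0x00,0x0c,0x00,
    0x18,0x00,0x09,0x00,0x0a,0x00,0x16,0x00,0x17,0x00,0x08,0x00,0x06,0x00,0x07,0x00,
    0x14,0x00,0x15,0x00,0x04,0x00,0x05,0x00,0x12,0x00,0x13,0x00,0x01,0x00,0x02,0x00,
    0x03,0x00,0x0f,0x00,0x10,0x00,0x11,0x00,0x23,0x00,0x00,0x00,0x0d,0x00,0x22,0x00,
    0x20,0x06,0x01,0x06,0x02,0x06,0x03,0x05,0x01,0x05,0x02,0x05,0x03,0x04,0x01,0x04,
    0x02,0x04,0x03,0x03,0x01,0x03,0x02,0x03,0x03,0x02,0x01,0x02,0x02,0x02,0x03,0x01,
    0x01,0x00,0x0f,0x00,0x01,0x01
};

#define EXT_ELLIPTIC_CURVES  0x000a  /* RFC 4492 section 5.1.1 */
#define CURVE_SECP256R1      0x0017  /* same curve as prime256v1 / P-256 */
#define CURVE_EXPLICIT_PRIME 0xff01  /* arbitrary_explicit_prime_curves */

static unsigned be16(const unsigned char *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Walk the extension list. Returns 1 if `curve` is listed in elliptic_curves,
   0 if it is not, -1 if the block is malformed or the extension is missing. */
int client_offers_curve(const unsigned char *ext, size_t len, unsigned curve)
{
    size_t off = 0;
    while (len - off >= 4) {
        unsigned type = be16(ext + off), elen = be16(ext + off + 2);
        off += 4;
        if (elen > len - off) return -1;              /* truncated extension */
        if (type == EXT_ELLIPTIC_CURVES) {
            if (elen < 2) return -1;
            unsigned list = be16(ext + off);          /* NamedCurveList length */
            if (list != elen - 2 || list % 2) return -1;
            for (unsigned i = 0; i < list; i += 2)
                if (be16(ext + off + 2 + i) == curve) return 1;
            return 0;
        }
        off += elen;                                  /* skip other extensions */
    }
    return -1;
}

int main(void)
{
    printf("0x0017: %d, 0xff01: %d\n", client_offers_curve(EXTS, sizeof EXTS, CURVE_SECP256R1),
           client_offers_curve(EXTS, sizeof EXTS, CURVE_EXPLICIT_PRIME));
    return 0;
}
```

On this capture the client lists 0x0017 but not 0xFF01, which matches the observation that it offers only the standard named curves.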