Hi Steve, here's the cert:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 34474 (0x86aa)
    Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=eRoot1, OU=Engineering, O=Juniper Networks, Inc., L=Westford, ST=MA, C=US
        Validity
            Not Before: Aug 1 19:04:20 2012 GMT
            Not After : Jul 30 19:04:20 2022 GMT
        Subject: CN=eServer1, OU=Engineering, O=Juniper Networks, Inc., L=Westford, ST=MA, C=US
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e9:7e:4c:b3:44:eb:21:a4:15:9d:9a:2e:5e:e3:
                    3c:09:19:22:36:cf:01:ee:dc:b8:67:1b:78:30:e0:
                    dd:4c:7f:95:38:24:f1:0c:7d:1c:2b:ab:b8:67:b7:
                    ef:42:9c:b6:df:fd:49:fb:1a:85:57:c1:e4:5a:e4:
                    b6:7c:4b:40:3b
                Field Type: prime-field
                Prime:
                    00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
                    00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:ff
                A:
                    00:ff:ff:ff:ff:00:00:00:01:00:00:00:00:00:00:
                    00:00:00:00:00:00:ff:ff:ff:ff:ff:ff:ff:ff:ff:
                    ff:ff:fc
                B:
                    5a:c6:35:d8:aa:3a:93:e7:b3:eb:bd:55:76:98:86:
                    bc:65:1d:06:b0:cc:53:b0:f6:3b:ce:3c:3e:27:d2:
                    60:4b
                Generator (uncompressed):
                    04:6b:17:d1:f2:e1:2c:42:47:f8:bc:e6:e5:63:a4:
                    40:f2:77:03:7d:81:2d:eb:33:a0:f4:a1:39:45:d8:
                    98:c2:96:4f:e3:42:e2:fe:1a:7f:9b:8e:e7:eb:4a:
                    7c:0f:9e:16:2b:ce:33:57:6b:31:5e:ce:cb:b6:40:
                    68:37:bf:51:f5
                Order:
                    00:ff:ff:ff:ff:00:00:00:00:ff:ff:ff:ff:ff:ff:
                    ff:ff:bc:e6:fa:ad:a7:17:9e:84:f3:b9:ca:c2:fc:
                    63:25:51
                Cofactor: 1 (0x1)
                Seed:
                    c4:9d:36:08:86:e7:04:93:6a:66:78:e1:13:9d:26:
                    b7:81:9f:7e:90
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                E5:15:BA:0A:AB:56:A3:4C:47:4E:54:6D:21:93:0E:98:3B:CB:E9:3B
            X509v3 Subject Alternative Name:
                DNS:eserver1.juniper.net
            X509v3 Authority Key Identifier:
                keyid:F8:87:1E:2B:4D:8D:F1:96:B9:9A:D8:BA:15:D0:75:FF:F4:1A:A4:9C
                DirName:/CN=eRoot1/OU=Engineering/O=Juniper Networks, Inc./L=Westford/ST=MA/C=US
                serial:D3:27

            X509v3 Key Usage:
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://localhost/pkitool/eroot1/eroot1.crl

    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:d2:30:0d:5f:5c:61:45:ef:23:a5:ae:04:3a:
         ca:50:d0:a0:54:ca:ce:93:1c:b7:8a:04:19:b3:9f:ed:b4:1b:
         f0:02:20:33:7b:55:bd:b8:df:ca:e5:42:db:49:e3:23:8a:f9:
         5d:6b:09:d2:b1:13:c8:60:46:0b:99:57:80:4d:ef:19:42

Erik Tkal
Juniper OAC/UAC/Pulse Development

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Friday, August 03, 2012 5:57 PM
To: openssl-users@openssl.org
Subject: Re: ECDSA testing with s_client/s_server

On Fri, Aug 03, 2012, Erik Tkal wrote:

> I debugged this to see what is happening, and it seems that the server is
> looking at the configured certificate and key and deciding that the client
> needs to be sending 0xFF01 (it is finding NID_X9_62_prime_field as the field
> type). However, the client is sending the full list of standard named curves.
>
> I create the key using NID_X9_62_prime256v1 as follows (abbreviated):
>

What does the server certificate look like? Does it have a keyUsage extension
and if so what is it set to?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
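
The curve-id decision described in the quoted message, as an added example that is not part of the original thread and is not OpenSSL's code: it reads the ECParameters choice from a DER SubjectPublicKeyInfo and returns the RFC 4492 curve id the client would have to offer (23 for a key that names prime256v1, 0xFF01 for explicit prime-field parameters such as the Field Type/Prime/A/B fields in the dump above). The function names, the constructed P-256 sample keys and the CLIENT_OFFER list are assumptions made for illustration.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")        # OID 1.2.840.10045.1.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")       # OID 1.2.840.10045.3.1.7
NAMED_CURVE_IDS = {PRIME256V1: 23}                   # RFC 4492 secp256r1
EXPLICIT_PRIME, EXPLICIT_CHAR2 = 0xFF01, 0xFF02      # RFC 4492 arbitrary_explicit_*

def tlv(tag, body):  # encode one DER element with a definite length
    n = len(body)
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(ln)]) + ln) + body
def der_int(v):      # DER INTEGER for a non-negative value
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def children(der):
    """Yield (tag, body) for each DER element in a byte string."""
    i = 0
    while i < len(der):
        tag, n, i = der[i], der[i + 1], i + 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(der[i:i + k], "big"), i + k
        yield tag, der[i:i + n]
        i += n

def required_curve_id(spki_der):
    """Curve id the client must list in elliptic_curves for this EC key."""
    (_, spki), = children(spki_der)
    (_, alg), _pub = children(spki)
    (_, oid), (ptag, params) = children(alg)
    if oid != ID_EC_PUBLIC_KEY or ptag not in (0x06, 0x30):
        raise ValueError("not an EC key with named or explicit parameters")
    if ptag == 0x06:                       # namedCurve: parameters are one OID
        return NAMED_CURVE_IDS[params]
    _ver, (_, field_id), *_ = children(params)   # explicit SpecifiedECDomain
    (_, field_type), *_ = children(field_id)
    return EXPLICIT_PRIME if field_type == PRIME_FIELD else EXPLICIT_CHAR2

def make_spki(params):  # hypothetical helper; G stands in as the public point
    return tlv(0x30, tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + params) + tlv(0x03, b"\x00" + G))

# Constructed samples: the same P-256 key encoded with a curve OID and with explicit parameters.
P = 2**256 - 2**224 + 2**192 + 2**96 - 1
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
B = bytes.fromhex("5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b")
G = bytes.fromhex("046b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
                  "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
EXPLICIT = tlv(0x30, der_int(1) + tlv(0x30, tlv(0x06, PRIME_FIELD) + der_int(P))
               + tlv(0x30, tlv(0x04, (P - 3).to_bytes(32, "big")) + tlv(0x04, B))
               + tlv(0x04, G) + der_int(N) + der_int(1))
NAMED_SPKI, EXPLICIT_SPKI = make_spki(tlv(0x06, PRIME256V1)), make_spki(EXPLICIT)
CLIENT_OFFER = [23, 24, 25]                # constructed: a client offering named curves only
```

Both sample keys describe the same curve, yet only the named encoding yields an id that appears in CLIENT_OFFER; the explicit encoding yields 0xFF01, which a client listing only named curves never sends.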