It appears that the current version of OpenSSL (1.0.1e) disregards the "no-ec2m" build option (OPENSSL_NO_EC2M) when populating the contents of the Supported Elliptic Curves Client Hello extension. In other words, the TLS client code always generates the same 25-element elliptic curve list, regardless of whether OPENSSL_NO_EC2M is defined. This may result in a situation where the client fails to find the named curve selected by the server from the client list.
In my experiment, I pointed OpenSSL s_client to a JavaSE7-based server. In the Client Hello I can see the 25-element list of elliptic curves - it begins with sect571r1 (0x000e). Then, in the Server Key Exchange message the server indicates that it picked the first named curve offered by the client (0x000e). However, because sect571r1 is a "characteristic-2 field" curve - and therefore is compiled out thanks to OPENSSL_NO_EC2M - the client fails in EC_GROUP_new_by_curve_name() and the handshake falls through. -- Best regards, Dmitriy Khodos
