Aha. I see the instrumentation in s_server.c which causes EC to be enabled.
We're not doing any of this part yet.

Thanks very much for the pointer.   

Dave 

+-+-+-+-+-+-+-+-+- 
Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 
South St.
Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749
Office:    508-249-1257, FAX: 508-497-8027, Mobile:   978-500-2546, 
dave.mclel...@emc.com
+-+-+-+-+-+-+-+-+-

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of Dr. Stephen Henson
Sent: Thursday, June 26, 2014 9:29 AM
To: openssl-users@openssl.org
Subject: Re: cipher list experiments - what's preventing ECDHE?

On Thu, Jun 26, 2014, mclellan, dave wrote:

> I'm doing some experimentation with cipher lists using OpenSSL 1.0.1h. I 
> have two peers using the same libraries, and both enabled with these suites 
> in the call to SSL_set_cipher_list():
> 
> 1. ECDHE-ECDSA-AES128-GCM-SHA256
> 2. ECDHE-RSA-AES128-GCM-SHA256
> 3. DHE-RSA-AES128-GCM-SHA256
> 
> These are shown by the 'openssl ciphers' command using the same libraries.   
> I have specified each of these individually to try out each one independently 
> of the others.
> 
> Neither of the ECDHE ciphers (1 and 2 above) is chosen by my two peers, and 
> the result is 'no shared cipher' when either of these is specified.
> 
> Cipher 3 is chosen successfully, so it seems that the failing component is 
> the elliptic curve modifier of DHE.
> 
> If it's in the supported list, what is preventing ECDHE from being used? What 
> am I missing to use the ECDHE- suites? How can I track down where my mistake 
> is?
> 
> Thanks for whatever guidance is offered.
> 

Are you setting the ECDH parameters in the server? If no ECDH parameters are 
set then all ECDHE ciphersuites are disabled.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org