On Fri, Nov 14, 2014, Fredrik Jansson wrote:
> Hi!
>
> I am trying to force my TLS 1.2 connection into Suite B mode, but at
> handshake I get an error "no shared cipher".
>
> The server code is basically:
>
> SSL_CTX_new(TLSv1_2_server_method());
> // ECDSA cert is added to the ctx
> SSL_CTX_use_certificate(ctx_, serverCert.cert.get());
> SSL_CTX_use_PrivateKey(ctx_, serverCert.privateKey.get());
> SSL_CTX_set_cipher_list(ctx, "SUITEB128");
> SSL_CTX_set_options(ctx_, SSL_OP_NO_TICKET);
> SSL_CTX_set_session_cache_mode(ctx_, SSL_SESS_CACHE_BOTH);
>
> The client code is very similar.
>
> If I comment out the SSL_CTX_set_cipher_list call, it works and the
> session is established with ECDH-ECDSA-AES256-GCM-SHA384.
>
> I suspect I need to provide the server with ephemeral ECDH keys, but I
> cannot figure out how to do that.
>
> Does anyone have a working example to share?
Firstly you have to use OpenSSL 1.0.2 or this won't work. With 1.0.2 you just need to set the server to use automatic ECDH parameters with:

SSL_CTX_set_ecdh_auto(ctx, 1);

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
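To see why "SUITEB128" alone produces "no shared cipher" on a server with no ECDH parameters, the following added example (not code from either poster) uses Python's ssl module, which wraps the same SSL_CTX_set_cipher_list call, to list what the Suite B cipher string leaves negotiable on a TLS 1.2 server context; every remaining suite is ECDHE-ECDSA, so a server that cannot do ephemeral ECDH has nothing to offer. The certificate/key paths are optional placeholders; the check itself needs no certificate.

```python
"""Added example: inspect the cipher suites left by the SUITEB128 string.

Python's ssl.SSLContext.set_ciphers() hands the string straight to
SSL_CTX_set_cipher_list(), so this mirrors the server setup in the post.
"""
import ssl

# Suites OpenSSL maps "SUITEB128" (128-bit with 192-bit fallback) to for TLS 1.2.
SUITEB128_TLS12 = {
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
}


def suiteb_server_context(certfile=None, keyfile=None):
    """Build a TLS 1.2-only server context restricted to Suite B 128 suites.

    certfile/keyfile are hypothetical paths to an ECDSA (P-256) certificate
    and key; they are only loaded when given, so the context can be inspected
    without any files on disk.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Pin to TLS 1.2, matching TLSv1_2_server_method() in the post.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Same cipher string as the post: only ECDHE-ECDSA AES-GCM suites survive.
    ctx.set_ciphers("SUITEB128")
    # Explicit ECDHE curve (P-256 is the Suite B 128 curve). On OpenSSL >= 1.1.0
    # automatic selection is already on; on 1.0.2 this or ecdh_auto is required.
    if hasattr(ctx, "set_ecdh_curve"):
        ctx.set_ecdh_curve("prime256v1")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def tls12_cipher_names(ctx):
    """Names of the negotiable pre-TLS 1.3 suites (TLS 1.3 entries are always
    listed by OpenSSL regardless of maximum_version, so filter them out)."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def all_require_ephemeral_ecdh(ctx):
    """True when every offered suite needs an ECDHE key exchange plus an ECDSA
    certificate, i.e. the server must have ECDH parameters or fail the handshake."""
    names = tls12_cipher_names(ctx)
    return bool(names) and all(n.startswith("ECDHE-ECDSA-") for n in names)


if __name__ == "__main__":
    ctx = suiteb_server_context()
    print("SUITEB128 leaves:", tls12_cipher_names(ctx))
    print("all ECDHE-ECDSA:", all_require_ephemeral_ecdh(ctx))
```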