Hi Steve!

I remade the certs as below, but I still get the same error, i.e.
1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher.

Anything else I can try?

Warm regards,
Fredrik

openssl x509 -noout -text -in ca-cert.pem

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 10878001055568957254 (0x96f66c536f830f46)
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
        Validity
            Not Before: Nov 17 08:11:52 2014 GMT
            Not After : Nov 14 08:11:52 2024 GMT
        Subject: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:45:e8:b4:d4:3f:89:75:e5:02:0a:65:bf:52:ed:
                    3b:90:62:df:01:a6:9d:b9:71:28:71:a9:86:5a:1a:
                    23:7d:95:d8:58:23:44:ab:81:85:48:6a:4b:36:e4:
                    ff:33:a4:14:59:fc:21:11:86:ac:d5:83:2d:52:69:
                    d5:17:50:90:6f:4c:85:a7:4f:79:da:87:01:50:e3:
                    99:56:2c:a3:c8:df:fa:92:56:4b:3c:22:28:a5:97:
                    2c:81:5c:aa:15:eb:3c
                ASN1 OID: secp384r1
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                79:22:2D:48:2F:87:81:39:C3:15:AE:F2:6F:EA:DE:11:35:CD:A3:E4
            X509v3 Authority Key Identifier:
                keyid:79:22:2D:48:2F:87:81:39:C3:15:AE:F2:6F:EA:DE:11:35:CD:A3:E4

            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: ecdsa-with-SHA384
         30:64:02:30:01:4c:6e:fb:9f:00:0c:cd:f8:43:0b:b5:af:e9:
         0c:d0:fe:df:81:e4:bc:75:7a:82:0a:c7:5d:45:0d:66:ad:01:
         42:98:ed:8f:bb:8c:e0:42:32:d0:d7:00:2f:07:31:b6:02:30:
         02:01:72:f4:c6:bc:2c:22:f9:a9:db:78:46:f1:08:75:63:4d:
         45:9c:ea:68:fd:40:5b:ac:0f:1c:be:e1:c4:e5:81:a2:ea:97:
         48:6c:5b:2f:7b:63:4b:8a:78:c8:6a:af

openssl x509 -noout -text -in server-cert.pem

Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1 (0x1)
    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
        Validity
            Not Before: Nov 17 08:15:27 2014 GMT
            Not After : Nov 16 08:15:27 2019 GMT
        Subject: C=SE, ST=Stockholm, O=AB, CN=server.test.com
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (384 bit)
                pub:
                    04:b2:1b:ed:7a:70:18:3a:6b:5c:84:d7:2f:1b:f8:
                    89:c8:8f:72:5a:80:bd:f2:7e:50:a4:80:37:b6:34:
                    d0:54:88:24:dc:a4:a3:58:76:a8:0b:af:ce:cb:1e:
                    bf:cf:33:aa:d0:50:7e:87:f9:77:f3:b9:0e:03:5f:
                    83:64:e9:b9:8e:d4:4d:08:76:e5:57:77:a2:8d:d1:
                    01:0c:53:fa:25:d7:bc:2e:a3:0e:6a:4c:2c:2f:0b:
                    85:ef:d3:2a:ab:e6:de
                ASN1 OID: secp384r1
    Signature Algorithm: ecdsa-with-SHA384
         30:65:02:30:3b:8d:a0:82:21:35:59:2d:38:7f:d0:77:58:d0:
         e9:8c:2a:f6:11:c0:f9:44:b9:64:36:8a:b5:f5:84:db:40:0a:
         ab:95:51:c5:11:8b:c6:d4:89:fd:ae:77:2a:ba:a2:95:02:31:
         00:ba:f5:9c:4f:f6:4a:37:77:ba:91:4b:34:4f:94:92:b1:a3:
         da:5f:43:13:61:d0:02:bc:27:65:47:ac:ba:4e:79:13:84:cd:
         eb:c6:5e:a3:94:e9:fa:48:48:e9:78:f9:d3

On Fri, Nov 14, 2014 at 11:32 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Fri, Nov 14, 2014, Fredrik Jansson wrote:
>
>> Hi Steve, thanks for helping out!
>>
>> The server cert is P-256 and the CA is P-384, please see below. Is that ok?
>>
>
>
> That is but this isn't:
>
>>
>>     Signature Algorithm: ecdsa-with-SHA1
>>
>
> The signing digest needs to match the curve. So if you sign with P-384 you
> need SHA384 and for P-256 SHA256.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
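
The pairing rule from the quoted reply (P-384 signs with SHA384, P-256 with SHA256), written as a check over `openssl x509 -noout -text` output. This is an added example, not part of the original thread; the function names are hypothetical, `prime256v1` is assumed as OpenSSL's name for P-256, and the sample texts are constructed excerpts of the fields shown in the messages.

```shell
#!/bin/sh
# Added example. Rule from the reply: P-256 signs with SHA256, P-384 with SHA384.
# Input is `openssl x509 -noout -text` output; function names are hypothetical.

# First "ASN1 OID:" value = curve of the certificate's own public key.
curve_of() { awk '$1 == "ASN1" && $2 == "OID:" { print $3; exit }'; }

# First "Signature Algorithm:" value = algorithm the issuer signed with.
sigalg_of() { awk '$1 == "Signature" && $2 == "Algorithm:" { print $3; exit }'; }

# Signature algorithm the rule calls for, given the signer's curve name.
expected_sigalg() {
    case "$1" in
        prime256v1) echo ecdsa-with-SHA256 ;;   # OpenSSL's name for P-256
        secp384r1)  echo ecdsa-with-SHA384 ;;   # P-384
        *)          echo unknown ;;
    esac
}

# check_pairing ISSUER_TEXT CERT_TEXT -> 0 match, 1 mismatch, 2 curve not covered
check_pairing() {
    curve=$(printf '%s\n' "$1" | curve_of)
    want=$(expected_sigalg "$curve")
    got=$(printf '%s\n' "$2" | sigalg_of)
    if [ "$want" = unknown ]; then
        echo "UNKNOWN: signer curve '$curve' is not covered by the rule"; return 2
    fi
    if [ "$got" = "$want" ]; then
        echo "OK: $got matches signer curve $curve"; return 0
    fi
    echo "MISMATCH: signer curve $curve calls for $want, certificate has $got"
    return 1
}

# Constructed excerpts: the two fields the check reads, taken from the dumps above.
CA_TEXT='    Signature Algorithm: ecdsa-with-SHA384
                ASN1 OID: secp384r1'
SERVER_TEXT='    Signature Algorithm: ecdsa-with-SHA384
                ASN1 OID: secp384r1'
# Constructed from the quoted earlier certificate (SHA1 digest, P-256 server key).
OLD_SERVER_TEXT='    Signature Algorithm: ecdsa-with-SHA1
                ASN1 OID: prime256v1'

check_pairing "$CA_TEXT" "$SERVER_TEXT" || :
check_pairing "$CA_TEXT" "$OLD_SERVER_TEXT" || :
# With real files:
# check_pairing "$(openssl x509 -noout -text -in ca-cert.pem)" \
#               "$(openssl x509 -noout -text -in server-cert.pem)"
```

The first argument is always the signer's dump, because the digest is chosen by the key that signs, not by the key in the certificate being checked.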