Some more info,

SSL_get_ciphers on the server and client:
Info    2014-Nov-17 10:48:26.961112     All.TLSVerbose
ECDHE-ECDSA-AES128-GCM-SHA256
Info    2014-Nov-17 10:48:26.961114     All.TLSVerbose
ECDHE-ECDSA-AES256-GCM-SHA384

When I do the same on the client, both of the ciphers above are listed
(along with several others).

Fredrik


On Mon, Nov 17, 2014 at 9:54 AM, Fredrik Jansson
<fredrik.jansson...@gmail.com> wrote:
> Hi Steve!
>
> I remade the certs as below, but I still get the same error, i.e.
> 1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher.
>
> Anything else I can try?
>
> Warm regards,
> Fredrik
>
> openssl x509 -noout -text -in ca-cert.pem
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 10878001055568957254 (0x96f66c536f830f46)
>     Signature Algorithm: ecdsa-with-SHA384
>         Issuer: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
>         Validity
>             Not Before: Nov 17 08:11:52 2014 GMT
>             Not After : Nov 14 08:11:52 2024 GMT
>         Subject: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (384 bit)
>                 pub:
>                     04:45:e8:b4:d4:3f:89:75:e5:02:0a:65:bf:52:ed:
>                     3b:90:62:df:01:a6:9d:b9:71:28:71:a9:86:5a:1a:
>                     23:7d:95:d8:58:23:44:ab:81:85:48:6a:4b:36:e4:
>                     ff:33:a4:14:59:fc:21:11:86:ac:d5:83:2d:52:69:
>                     d5:17:50:90:6f:4c:85:a7:4f:79:da:87:01:50:e3:
>                     99:56:2c:a3:c8:df:fa:92:56:4b:3c:22:28:a5:97:
>                     2c:81:5c:aa:15:eb:3c
>                 ASN1 OID: secp384r1
>         X509v3 extensions:
>             X509v3 Subject Key Identifier:
>                 79:22:2D:48:2F:87:81:39:C3:15:AE:F2:6F:EA:DE:11:35:CD:A3:E4
>             X509v3 Authority Key Identifier:
>                 keyid:79:22:2D:48:2F:87:81:39:C3:15:AE:F2:6F:EA:DE:11:35:CD:A3:E4
>
>             X509v3 Basic Constraints:
>                 CA:TRUE
>     Signature Algorithm: ecdsa-with-SHA384
>          30:64:02:30:01:4c:6e:fb:9f:00:0c:cd:f8:43:0b:b5:af:e9:
>          0c:d0:fe:df:81:e4:bc:75:7a:82:0a:c7:5d:45:0d:66:ad:01:
>          42:98:ed:8f:bb:8c:e0:42:32:d0:d7:00:2f:07:31:b6:02:30:
>          02:01:72:f4:c6:bc:2c:22:f9:a9:db:78:46:f1:08:75:63:4d:
>          45:9c:ea:68:fd:40:5b:ac:0f:1c:be:e1:c4:e5:81:a2:ea:97:
>          48:6c:5b:2f:7b:63:4b:8a:78:c8:6a:af
>
> openssl x509 -noout -text -in server-cert.pem
>
> Certificate:
>     Data:
>         Version: 1 (0x0)
>         Serial Number: 1 (0x1)
>     Signature Algorithm: ecdsa-with-SHA384
>         Issuer: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
>         Validity
>             Not Before: Nov 17 08:15:27 2014 GMT
>             Not After : Nov 16 08:15:27 2019 GMT
>         Subject: C=SE, ST=Stockholm, O=AB, CN=server.test.com
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (384 bit)
>                 pub:
>                     04:b2:1b:ed:7a:70:18:3a:6b:5c:84:d7:2f:1b:f8:
>                     89:c8:8f:72:5a:80:bd:f2:7e:50:a4:80:37:b6:34:
>                     d0:54:88:24:dc:a4:a3:58:76:a8:0b:af:ce:cb:1e:
>                     bf:cf:33:aa:d0:50:7e:87:f9:77:f3:b9:0e:03:5f:
>                     83:64:e9:b9:8e:d4:4d:08:76:e5:57:77:a2:8d:d1:
>                     01:0c:53:fa:25:d7:bc:2e:a3:0e:6a:4c:2c:2f:0b:
>                     85:ef:d3:2a:ab:e6:de
>                 ASN1 OID: secp384r1
>     Signature Algorithm: ecdsa-with-SHA384
>          30:65:02:30:3b:8d:a0:82:21:35:59:2d:38:7f:d0:77:58:d0:
>          e9:8c:2a:f6:11:c0:f9:44:b9:64:36:8a:b5:f5:84:db:40:0a:
>          ab:95:51:c5:11:8b:c6:d4:89:fd:ae:77:2a:ba:a2:95:02:31:
>          00:ba:f5:9c:4f:f6:4a:37:77:ba:91:4b:34:4f:94:92:b1:a3:
>          da:5f:43:13:61:d0:02:bc:27:65:47:ac:ba:4e:79:13:84:cd:
>          eb:c6:5e:a3:94:e9:fa:48:48:e9:78:f9:d3
>
> On Fri, Nov 14, 2014 at 11:32 PM, Dr. Stephen Henson <st...@openssl.org> 
> wrote:
>> On Fri, Nov 14, 2014, Fredrik Jansson wrote:
>>
>>> Hi Steve, thanks for helping out!
>>>
>>> The server cert is P-256 and the CA is P-384, please see below. Is that ok?
>>>
>>
>>
>> That is, but this isn't:
>>
>>>
>>>     Signature Algorithm: ecdsa-with-SHA1
>>>
>>
>> The signing digest needs to match the curve. So if you sign with P-384 you
>> need SHA384 and for P-256 SHA256.
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. OpenSSL project core developer.
>> Commercial tech support now available see: http://www.openssl.org
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-users@openssl.org
>> Automated List Manager                           majord...@openssl.org
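Added example, not part of the original thread and not OpenSSL project code: a small check of the digest/curve pairing stated in the quoted reply (sign with P-384, use SHA384; sign with P-256, use SHA256), run over `openssl x509 -noout -text` output. The function names are hypothetical, the sample dumps are constructed from fields shown in the thread, and `prime256v1` is assumed as the name OpenSSL prints for P-256.

```python
import re

# Digest required for each signing curve, per the rule quoted in the thread.
# Keys are OpenSSL's curve names as printed on the "ASN1 OID:" line.
REQUIRED_DIGEST = {"prime256v1": "SHA256", "secp384r1": "SHA384"}

def parse_x509_text(dump):
    """Extract the relevant fields from `openssl x509 -noout -text` output.
    Leading '>' quote markers are tolerated so mail-quoted dumps parse too."""
    def field(name, value=r"(.+)"):
        m = re.search(rf"^[>\s]*{name}:\s*{value}\s*$", dump, re.MULTILINE)
        return m.group(1).strip() if m else None
    return {
        "subject": field("Subject"),
        "issuer": field("Issuer"),
        "sig_alg": field("Signature Algorithm", r"(\S+)"),  # first occurrence
        "curve": field("ASN1 OID", r"(\S+)"),
    }

def check_pairing(cert, signer):
    """Return a list of problems; an empty list means digest and curve agree."""
    if cert["issuer"] != signer["subject"]:
        return ["signer's subject does not match the certificate's issuer"]
    want = REQUIRED_DIGEST.get(signer["curve"])
    if want is None:
        return [f"no digest rule known for signer curve {signer['curve']}"]
    if cert["sig_alg"] != f"ecdsa-with-{want}":
        return [f"{cert['sig_alg']} on a {signer['curve']} signer; expected ecdsa-with-{want}"]
    return []

# Constructed sample dumps, trimmed to the lines the parser reads.
CA = """    Signature Algorithm: ecdsa-with-SHA384
        Issuer: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
        Subject: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
                ASN1 OID: secp384r1
"""
SERVER_SHA1 = """>     Signature Algorithm: ecdsa-with-SHA1
>         Issuer: C=SE, ST=Stockholm, O=AB, CN=ECDSA CA
>         Subject: C=SE, ST=Stockholm, O=AB, CN=server.test.com
>                 ASN1 OID: prime256v1
"""
SERVER_SHA384 = SERVER_SHA1.replace("SHA1", "SHA384")

if __name__ == "__main__":
    ca = parse_x509_text(CA)
    for name, dump in [("CA", CA), ("server/SHA1", SERVER_SHA1), ("server/SHA384", SERVER_SHA384)]:
        print(name, check_pairing(parse_x509_text(dump), ca) or "ok")
```

The check uses the signer's curve, not the subject's, so a P-256 server key under a P-384 CA passes once the certificate is signed with SHA384.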