[openssl-users] Problem with using EC private keys

Wed, 01 Nov 2017 10:16:46 -0700 

Hi,

I am confused about the two different ways I can generate an EC private key and 
why this is causing me problems with the test s_client s_server applications


So, I am using the command below to generate a private key, then using this to 
create
a certificate to work with openssl s_client s_server.

    openssl ecparam -name secp384r1 -genkey -out privkey.pem (1)

I then create the .csr with the following two commands,

    openssl req -key privkey.pem -out pub.csr -new (2)
    openssl x509 -req -in pub.csr -signkey privkey.pem -out pub.crt (3)

This works with s_server/s_client.

But, when I generate a key like this:

    openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:secp384r1 -out 
privkey.pem (4)


If I now create a signed .crt with (2) and (3) above, then use this pair with 
openssl s_server
it does not negotiate a cipher suite and it doesn't work.

Client:
CONNECTED(00000154)
2546392219:error:14004410:SSL routines:CONNECT_CR_SRVR_HELLO:sslv3 alert 
handshake failure:ssl_pkt.c:1205:SSL alert number 40
2546392219:error:140040E5:SSL routines:CONNECT_CR_SRVR_HELLO:ssl handshake 
failure:ssl_pkt.c:585:
...

Server:
...
ERROR
2867046282:error:140270C1:SSL routines:ACCEPT_SR_CLNT_HELLO_C:no shared 
cipher:ssl_srvr.c:1024:
shutting down SSL
CONNECTION CLOSED

Using this url 
(https://wiki.openssl.org/index.php/Command_Line_Elliptic_Curve_Operations) It 
turns out, if I take the key generated by (4) above, and convert it to pk8 with

    openssl pkcs8 -topk8 -nocrypt -in privkey_ec.pem -out privkey.pem

If I now use this key to create the .crt and use this key pair with openssl 
s_server it works.
My question is why does the format of the private key make any difference. 
Surely openssl can decode the key in any supported format, after all it created 
it, and all
the required information must be in it, as it is able to convert to pk8 format 
that works.


Note:

I am running openssl server/client like this..

openssl.exe s_server -tls1_2 -key privkey.pem -cert pub.crt -debug

and

openssl.exe s_client -tls1_2

Thanks!


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to