On Mon, May 31, 2021 at 04:42:55PM +0200, Marcin Gryszkalis via Exim-users wrote:

> openssl s_client -connect 127.0.0.1:465 -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384

> But - I tried to specify the curve and it failed
> 
> openssl s_client -connect 127.0.0.1:465 -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384 -curves prime256v1
> 
> CONNECTED(00000004)
> 34380884168:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:/usr/src/crypto/openssl/ssl/s3_pkt.c:1498:SSL alert number 40
> 34380884168:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:/usr/src/crypto/openssl/ssl/s3_pkt.c:659:
> 
> prime256v1 = secp256r1
> 
> I checked on exim built on FreeBSD 12 (with openssl 1.1) and it works fine - 
> but fails on other installation with openssl 1.0.

So what version of FreeBSD and OpenSSL are on the system with the
reported issue?  Support for negotiated ECDHE groups has evolved in
OpenSSL over time.  With older OpenSSL releases, unless group selection
is explicitly set to "auto", the server picks some single default group,
which may not match this particular client's choice.

-- 
    Viktor.

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
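
An added example, not part of the thread and not Exim or OpenSSL code: it decodes the two error-queue lines quoted above and shows that the first records alert 40 (handshake_failure) received from the server, so the refusal came from the server side, which is consistent with a server whose single ECDHE group does not match the client's `-curves` choice. The names `decode` and `summarize` are this example's own, and the bit layout assumed is that of OpenSSL 1.0.x and 1.1.x error codes.

```python
import re

# The two error-queue lines from the quoted s_client run, re-joined onto single lines.
SAMPLE = (
    "34380884168:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake "
    "failure:/usr/src/crypto/openssl/ssl/s3_pkt.c:1498:SSL alert number 40\n"
    "34380884168:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake "
    "failure:/usr/src/crypto/openssl/ssl/s3_pkt.c:659:\n"
)

ERR_LIB_SSL = 20             # libssl's library number in packed error codes
SSL_AD_REASON_OFFSET = 1000  # reason = 1000 + alert number for an alert received from the peer
ALERTS = {40: "handshake_failure", 47: "illegal_parameter",
          70: "protocol_version", 71: "insufficient_security"}  # subset of RFC 5246 7.2

LINE_RE = re.compile(
    r"^\d+:error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):"
    r"(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$")

def decode(line):
    """Split one error-queue line and unpack its 32-bit code (OpenSSL 1.0.x/1.1.x layout)."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    code = int(m["code"], 16)
    # 8 bits library | 12 bits function | 12 bits reason
    lib, func, reason = code >> 24, (code >> 12) & 0xFFF, code & 0xFFF
    alert = None
    if lib == ERR_LIB_SSL and reason > SSL_AD_REASON_OFFSET:
        alert = reason - SSL_AD_REASON_OFFSET
    return {"lib": lib, "func": func, "reason": reason, "alert": alert,
            "func_name": m["func"], "text": m["reason"], "data": m["data"]}

def summarize(text):
    """Say for each line whether the peer sent an alert or the error was raised locally."""
    out = []
    for rec in filter(None, map(decode, text.splitlines())):
        if rec["alert"] is not None:
            name = ALERTS.get(rec["alert"], "unknown")
            out.append(f"{rec['func_name']}: peer sent alert {rec['alert']} ({name})")
        else:
            out.append(f"{rec['func_name']}: local error, reason {rec['reason']} ({rec['text']})")
    return out

if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```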
