Tried to use openssl-SNAP-20070221 with ECDHE and an RSA certificate
and ran into internal errors, until I applied the following (lightly
considered) patch:
--- ssl/ssl_lib.c 2007-02-19 12:01:04.000000000 -0500
+++ ssl/ssl_lib.c 2007-02-22 03:07:27.000000000 -0500
@@ -1946,7 +1946,7 @@
alg_k = s->s3->tmp.new_cipher->algorithm_mkey;
alg_a = s->s3->tmp.new_cipher->algorithm_auth;
- if (alg_k & (SSL_kEECDH|SSL_kECDHr|SSL_kECDHe))
+ if (alg_k & (SSL_kECDHr|SSL_kECDHe))
{
/* we don't need to look at SSL_kEECDH
* since no certificate is needed for
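Review bot: the hunk is cut off mid-comment, so the branch that this change now relies on for the ephemeral case (the fall-through that picks the certificate type from alg_a) is not visible; please post the full context of the `@@ -1946,7 +1946,7 @@` hunk so it can be confirmed that an EECDH suite authenticated with ECDSA still selects an EC certificate there and only the EECDH-with-RSA case changes. Dropping SSL_kEECDH from the alg_k mask makes the code agree with its own comment, but without the trailing lines the regression risk for ECDHE-ECDSA suites cannot be judged from this diff alone.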
The original code insists on certificates with EC public keys even for
EECDH, while the comment seems to suggest (and I think it is correct)
that kEECDH should get the public key type from "alg_a" not, as with
ECDHr and ECDHe, from "alg_k". Without the patch EECDH-RSA handshakes
fail, with the patch they work. No warranty, the patch may have broken
something else...
Before:
postfix/smtpd[22091]: warning: TLS library problem: 22091:error:1409A044:SSL
routines:SSL3_SEND_SERVER_CERTIFICATE:internal error:s3_srvr.c:2703:
After:
postfix/smtpd[23768]: TLS connection established from localhost[127.0.0.1]:
TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Are there other known problem configurations?
--
Viktor.
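An added illustration of the decision the patch changes, not code from OpenSSL or from the original post: the pre-patch rule lets any ECDH key-exchange flag, ephemeral included, force an EC certificate, while the post-patch rule lets ephemeral ECDH fall through to the authentication flag. The flag constants and function names are constructed for this example and are not OpenSSL's.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed bit flags standing in for OpenSSL's SSL_k* / SSL_a* masks;
 * the values are illustrative, not the ones from ssl_locl.h. */
enum { kRSA = 1u << 0, kEECDH = 1u << 1, kECDHr = 1u << 2, kECDHe = 1u << 3 };
enum { aRSA = 1u << 0, aECDSA = 1u << 1, aECDH = 1u << 2 };

typedef enum { CERT_NONE, CERT_RSA, CERT_EC } cert_type;

/* Pre-patch logic: any ECDH key exchange, ephemeral included, demands an EC cert. */
static cert_type required_cert_before(unsigned alg_k, unsigned alg_a)
{
    if (alg_k & (kEECDH | kECDHr | kECDHe))
        return CERT_EC;
    if (alg_a & aRSA)
        return CERT_RSA;
    if (alg_a & aECDSA)
        return CERT_EC;
    return CERT_NONE;
}

/* Post-patch logic: only static ECDH (ECDHr/ECDHe) pins the cert type via alg_k;
 * ephemeral ECDH falls through and the authentication flag decides. */
static cert_type required_cert_after(unsigned alg_k, unsigned alg_a)
{
    if (alg_k & (kECDHr | kECDHe))
        return CERT_EC;
    if (alg_a & aRSA)
        return CERT_RSA;
    if (alg_a & (aECDSA | aECDH))
        return CERT_EC;
    return CERT_NONE;
}

/* True when the server's configured certificate satisfies the negotiated suite. */
static bool suite_usable(cert_type (*rule)(unsigned, unsigned),
                         unsigned alg_k, unsigned alg_a, cert_type have)
{
    return rule(alg_k, alg_a) == have;
}

int main(void)
{
    /* ECDHE-RSA negotiated against a server holding an RSA certificate */
    printf("before patch: %s\n", suite_usable(required_cert_before, kEECDH, aRSA, CERT_RSA) ? "ok" : "internal error");
    printf("after patch:  %s\n", suite_usable(required_cert_after, kEECDH, aRSA, CERT_RSA) ? "ok" : "internal error");
    return 0;
}
```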
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]