On Tue, Jul 10, 2012, Wim Lewis wrote:

>
> (I think this is more appropriate for openssl-users than -dev, so I'm
> responding to that list.)
>
> On 10 Jul 2012, at 8:59 AM, Sirshendu Rakshit wrote:
> > My questions are:
> > 1) Is this a good way to know the EC_KEY using the curve-name or there is
> > some better way to know it?
>
> If you're hardcoding a specific curve, you could presumably use the
> NID_secp224r1 (or SN_secp224r1, or OBJ_secp224r1) constants defined in the
> openssl headers.
>
>
> > 2) When I tried "prime256v1" curve-name with the same RSA cipher it didn't
> > work and I got handshake failure. Is there any relationship between ECDH*
> > cipher used and the curve?
>
> I don't think so, but it's possible that the client simply didn't support
> that curve? As I understand it, the client sends a list of curves it can
> accept in an optional ClientHello extension (rfc4492), and the server chooses
> a curve from among those and tells the client which one it chose. (Or,
> perhaps, it only negotiates the use of the ECDHE cipher suite if its chosen
> ephemeral key is based on a curve supported by the client.) The server can
> choose any curve that is acceptable to both it and the client; presumably the
> curve also needs to be large enough for DH exchange to generate a good
> session key.
>

Note that the EC temporary parameter support is rather limited in released
versions of OpenSSL: you have to pick a fixed temporary key and hope the client
supports it. P-256 (prime256v1) will usually work though.

The current CVS HEAD has rather better support. You can set it to auto select a
curve based on configured client and server curves.

Also if you try connecting that client using CVS HEAD to s_server it should
tell you which curves it says it supports.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
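
The curve matching discussed in this thread, as an added sketch that is not part of the original messages and is not OpenSSL code: it reads the body of the RFC 4492 elliptic_curves ClientHello extension and compares a single fixed temporary-key curve against automatic selection from a server list. The function names, the sample bytes, the server list and its preference ordering are assumptions of the sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NamedCurve IDs from RFC 4492, section 5.1.1. */
enum { SECP224R1 = 21, SECP256R1 = 23, SECP384R1 = 24, SECP521R1 = 25 };

/* Body of an elliptic_curves extension: 2-byte list length, then 2-byte IDs.
 * Returns 1 if `curve` is listed, 0 if it is not, -1 if the body is malformed. */
static int client_offers(const uint8_t *ext, size_t len, uint16_t curve)
{
    size_t list_len, i;
    if (len < 4) return -1;
    list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len % 2 != 0 || list_len != len - 2) return -1;
    for (i = 2; i < len; i += 2)
        if ((((unsigned)ext[i] << 8) | ext[i + 1]) == curve) return 1;
    return 0;
}

/* Fixed temporary key model: ECDHE is only usable when that single curve
 * is in the client's list. Returns the curve ID, or 0 if it is not usable. */
int pick_fixed(const uint8_t *ext, size_t len, uint16_t fixed)
{
    return client_offers(ext, len, fixed) == 1 ? fixed : 0;
}

/* Auto-selection model: first curve in the server's list (assumed to be in
 * preference order) that the client also offers. Returns the ID, or 0. */
int pick_auto(const uint8_t *ext, size_t len, const uint16_t *server, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (client_offers(ext, len, server[i]) == 1) return server[i];
    return 0;
}

/* Constructed sample: a client offering only secp256r1 and secp384r1. */
static const uint8_t SAMPLE_EXT[] = { 0x00, 0x04, 0x00, 0x17, 0x00, 0x18 };
/* Hypothetical server configuration, most preferred first. */
static const uint16_t SERVER_CURVES[] = { SECP521R1, SECP224R1, SECP256R1 };

int main(void)
{
    printf("fixed secp224r1: %d\n", pick_fixed(SAMPLE_EXT, sizeof SAMPLE_EXT, SECP224R1));
    printf("fixed secp256r1: %d\n", pick_fixed(SAMPLE_EXT, sizeof SAMPLE_EXT, SECP256R1));
    printf("auto:            %d\n", pick_auto(SAMPLE_EXT, sizeof SAMPLE_EXT, SERVER_CURVES, 3));
    return 0;
}
```

A return value of 0 means no ECDHE curve is usable with that client, so the handshake can only succeed if some non-ECDHE cipher suite is also shared.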
