> From: owner-openssl-us...@openssl.org On Behalf Of Erik Tkal
> Sent: Wednesday, 01 August, 2012 16:33
>
> I'm playing around to see if I can observe client and server
> under various conditions when negotiating TLS 1.2 with newer
> certs. I created a root and server cert as ecdsa-with-SHA256.
>
> openssl s_server -CAfile eroot1.pem -cert eserver1.pem -key
> eserver1.key -debug
>
> openssl s_client -CAfile eroot1.pem -debug

Aside: s_server doesn't need CAfile if you don't do client-auth.

> However, the server issues a handshake alert and says no
> shared cipher. I see the client is sending a large set of
> suites but apparently none that the server wants. How do I
> do this properly?

<snip>

Only thing I can see that would fail silently is if your key doesn't use a named curve.

In general OpenSSL server will skip ECC suites if the (certified) key is in a format not offered by the client in SupportedFormats, but s_client (at least) offers all defined formats; or using a curve not offered by the client in SupportedCurves, and s_client offers all named curves but not ad-hoc ones.

Also it will skip EECDH suites if your temp ECDH key uses a curve not offered by the client, but s_server always does temp named curves (NIST/X962 P256 by default).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
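A way to check the "named curve" condition the reply points at, as an added example that is not part of the thread: it generates two constructed P-256 keys (one with a named-curve OID, one with explicit parameters, standing in for eserver1.key) and classifies each from the `openssl ec -text` output. It assumes the openssl CLI is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes `openssl` is on PATH.
set -e
WORK=$(mktemp -d)

# curve_encoding <keyfile> -> prints "named" or "explicit".
# A key whose parameters are a named-curve OID is printed with an
# "ASN1 OID: <curve>" line; explicit (ad-hoc) parameters are dumped as
# Field Type / Prime / A / B / Generator / Order lines instead, and a
# server holding such a key will never match the client's SupportedCurves.
curve_encoding() {
    if openssl ec -in "$1" -text -noout 2>/dev/null | grep -q 'ASN1 OID:'; then
        echo named
    else
        echo explicit
    fi
}

# Constructed sample keys: the same curve (P-256) encoded both ways.
# named_curve is the default; explicit is what breaks ECDSA suite selection.
openssl ecparam -name prime256v1 -genkey -noout \
    -param_enc named_curve -out "$WORK/named.key"
openssl ecparam -name prime256v1 -genkey -noout \
    -param_enc explicit -out "$WORK/explicit.key"

for k in named explicit; do
    printf '%s.key: %s\n' "$k" "$(curve_encoding "$WORK/$k.key")"
done
```

If the server key classifies as `explicit`, regenerate it (and re-issue the certificate) with the default `-param_enc named_curve` so the curve is advertised by OID.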