On Thu, Nov 01, 2012, Abhiram Shandilya wrote:

> I ran openssl s_server with an ECC certificate signed by an RSA Root CA. When 
> I try to connect using s_client and a TLS 1.2 ECDH-RSA cipher suite (e.g. 
> ECDH-RSA-AES128-SHA256 or ECDH-RSA-AES128-GCM-SHA256), the connection fails 
> with s_server printing the following error: "3086918464:error:1408A0C1:SSL 
> routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1353:". Can someone 
> please tell me why this doesn't work? Here are the commands I used:
> 
> Starting s_server:
> openssl s_server -accept 4433 -key ./key.pem -cert cert.pem
> 
> Connecting with s_client:
> openssl s_client -connect localhost:4433 -cipher ECDH-RSA-AES128-SHA256
> 

You probably don't want ECDH-RSA-AES128-SHA256 as it is a fixed ECDH
ciphersuite (if you do you need to use an appropriate curve in the EE
certificate and include key agreement in the key usage extension, if present).
You should try ECDHE-ECDSA-AES128-SHA256 which uses ephemeral ECDH.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
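
Added example, not part of the original thread and not OpenSSL project code: a shell check of the key usage condition named in the reply, run on the text form of a certificate. The function names and sample excerpts are constructed; the Digital Signature requirement for ECDHE-ECDSA comes from RFC 4492 rather than from the thread, and the curve is not checked.

```shell
#!/bin/sh
# Added example (not from the thread). Input: `openssl x509 -noout -text` output.

# Print the Key Usage value line from stdin; print nothing if the extension is absent.
key_usage_of() {
    awk '/X509v3 Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# usage_allows <usage-name>: prints "yes", "no", or "not-ec" for text on stdin.
usage_allows() {
    needed=$1
    text=$(cat)
    case $text in
        *"Public Key Algorithm: id-ecPublicKey"*) ;;
        *) echo "not-ec"; return 0 ;;
    esac
    ku=$(printf '%s\n' "$text" | key_usage_of)
    case $ku in
        "")          echo "yes" ;;  # no Key Usage extension: nothing is restricted
        *"$needed"*) echo "yes" ;;
        *)           echo "no" ;;
    esac
}

fixed_ecdh_ok()  { usage_allows "Key Agreement"; }      # ECDH-RSA-* / ECDH-ECDSA-*
ecdhe_ecdsa_ok() { usage_allows "Digital Signature"; }  # ECDHE-ECDSA-* (per RFC 4492)

# check_cert <cert.pem>: run both checks against a real certificate file.
check_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    echo "fixed ECDH:  $(printf '%s\n' "$text" | fixed_ecdh_ok)"
    echo "ECDHE-ECDSA: $(printf '%s\n' "$text" | ecdhe_ecdsa_ok)"
}

# Constructed excerpts of `openssl x509 -text` output (not real certificates).
EC_KEY='        Public Key Algorithm: id-ecPublicKey
            ASN1 OID: prime256v1'
SAMPLE_SIGN_ONLY="$EC_KEY
        X509v3 Key Usage: critical
            Digital Signature"
SAMPLE_AGREEMENT="$EC_KEY
        X509v3 Key Usage:
            Key Agreement"
SAMPLE_NO_KU="$EC_KEY"

if [ -n "${1:-}" ]; then check_cert "$1"; fi
```

Saved as a script and given a certificate path (for instance the cert.pem from the commands above), it prints one verdict per key-exchange family.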
