On 19 December 2013 23:47, Porter, Andrew <[email protected]> wrote: > So, additional data now. This works: > > ./openssl s_client -debug -cipher 'ECDHE-RSA-AES256-SHA' -curves > 'secp521r1:secp384r1:prime256v1:sect571r1' -connect tomcat-host:443 > > But use the same curves in a different order, with sect571r1 first the way it > is in the list that OpenSSL 1.0.1e sends: > > ./openssl s_client -debug -cipher 'ECDHE-RSA-AES256-SHA' -curves > 'sect571r1:secp521r1:secp384r1:prime256v1' -connect tomcat-host:443 > > That fails with the pkcs11 error.
Maybe just a co-incidence, but the sect571r1 curve is the only binary curve in your list- the others are all prime curves. Maybe it doesn't like binary curves? Matt ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
