On 19 December 2013 23:47, Porter, Andrew <[email protected]> wrote:
> So, additional data now. This works:
>
> ./openssl s_client -debug -cipher 'ECDHE-RSA-AES256-SHA' -curves 
> 'secp521r1:secp384r1:prime256v1:sect571r1' -connect tomcat-host:443
>
> But use the same curves in a different order, with sect571r1 first the way it 
> is in the list that OpenSSL 1.0.1e sends:
>
> ./openssl s_client -debug -cipher 'ECDHE-RSA-AES256-SHA' -curves 
> 'sect571r1:secp521r1:secp384r1:prime256v1' -connect tomcat-host:443
>
> That fails with the pkcs11 error.

Maybe just a co-incidence, but the sect571r1 curve is the only binary
curve in your list- the others are all prime curves. Maybe it doesn't
like binary curves?

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]

Reply via email to