On 20 December 2013 00:24, Matt Caswell <[email protected]> wrote: > On 19 December 2013 23:47, Porter, Andrew <[email protected]> wrote: >> So, additional data now. This works: >> >> ./openssl s_client -debug -cipher 'ECDHE-RSA-AES256-SHA' -curves >> 'secp521r1:secp384r1:prime256v1:sect571r1' -connect tomcat-host:443 >> >> But use the same curves in a different order, with sect571r1 first the way >> it is in the list that OpenSSL 1.0.1e sends: >> >> ./openssl s_client -debug -cipher 'ECDHE-RSA-AES256-SHA' -curves >> 'sect571r1:secp521r1:secp384r1:prime256v1' -connect tomcat-host:443 >> >> That fails with the pkcs11 error. > > Maybe just a co-incidence, but the sect571r1 curve is the only binary > curve in your list- the others are all prime curves. Maybe it doesn't > like binary curves? > > Matt
Just realised that in your original post you said you were using the fips build of openssl. This could be a manifestation of this bug: https://rt.openssl.org/Ticket/Display.html?id=3022 (username guest, password guest) Matt ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
