On 20 December 2013 00:24, Matt Caswell <[email protected]> wrote:
> On 19 December 2013 23:47, Porter, Andrew <[email protected]> wrote:
>> So, additional data now. This works:
>>
>> ./openssl s_client -debug -cipher 'ECDHE-RSA-AES256-SHA' -curves 
>> 'secp521r1:secp384r1:prime256v1:sect571r1' -connect tomcat-host:443
>>
>> But use the same curves in a different order, with sect571r1 first the way 
>> it is in the list that OpenSSL 1.0.1e sends:
>>
>> ./openssl s_client -debug -cipher 'ECDHE-RSA-AES256-SHA' -curves 
>> 'sect571r1:secp521r1:secp384r1:prime256v1' -connect tomcat-host:443
>>
>> That fails with the pkcs11 error.
>
> Maybe just a co-incidence, but the sect571r1 curve is the only binary
> curve in your list- the others are all prime curves. Maybe it doesn't
> like binary curves?
>
> Matt

Just realised that in your original post you said you were using the
fips build of openssl.

This could be a manifestation of this bug:

https://rt.openssl.org/Ticket/Display.html?id=3022

(username guest, password guest)

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]

Reply via email to