On 10/11/14 15:48, Koehne Kai wrote:
>> -----Original Message-----
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
>> [...]
>>>> I'm trying to debug a handshake failure between clients using the system
>>>> openssl just released OpenSUSE 13.2 , and a server. The handshake always
>>>> fails with a somewhat cryptic error message:
>>>>
>>>>
>>>> error:1200AE081:elliptic curve routines:EC_GROUP_new_by_curve_name:unknown group.
>>>> error:1408D010:SSL routines:SSL3_GET_KEY_EXCHANGE:EC lib
>> [...]
>>> So if I understand you correctly you are still applying some patches
>>> to OpenSSL? Does this happen with a stock OpenSSL?
>>
>> Sorry, I meant does this happen with standard OpenSSL (i.e. downloaded
>> from the website).
> 
> Thanks for replying.
> 
> I'm able to reproduce it with a stock openssl 1.0.1j , configured with
> 
> ./config threads shared no-rc5 no-idea no-ssl2 no-ec2m
> 
> 
> I've to admit though that the error appears in an (albeit minimal) Qt 
> application ...
> 
> openssl s_client -connect server:443
> 
> does succeed, so it looks like the way Qt uses openssl is another factor in 
> the error :(

I have been able to reproduce this.

Using a standard openssl configured *without* including no-ec2m, start
an s_server:

openssl s_server -named_curve sect239k1

Then, using an openssl configured *with* no-ec2m, connect to the s_server:

openssl s_client -cipher ECDHE-RSA-AES256-SHA

You should see the same error message as you got displayed in the client.

Please can you try the attached patch to see if that solves your problem.

Thanks

Matt
From 90fec44393443f93d6f7fb00662472bb2a8a6c9b Mon Sep 17 00:00:00 2001
From: Matt Caswell <m...@openssl.org>
Date: Mon, 10 Nov 2014 23:42:50 +0000
Subject: [PATCH] Added OPENSSL_NO_EC2M guards around the preferred EC curve
 list

---
 ssl/t1_lib.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c
index d6aff4b..8dafc6e 100644
--- a/ssl/t1_lib.c
+++ b/ssl/t1_lib.c
@@ -204,28 +204,40 @@ static int nid_list[] =
 
 static int pref_list[] =
 	{
+#ifndef OPENSSL_NO_EC2M
 		NID_sect571r1, /* sect571r1 (14) */ 
 		NID_sect571k1, /* sect571k1 (13) */ 
+#endif
 		NID_secp521r1, /* secp521r1 (25) */	
+#ifndef OPENSSL_NO_EC2M
 		NID_sect409k1, /* sect409k1 (11) */ 
 		NID_sect409r1, /* sect409r1 (12) */
+#endif
 		NID_secp384r1, /* secp384r1 (24) */
+#ifndef OPENSSL_NO_EC2M
 		NID_sect283k1, /* sect283k1 (9) */
 		NID_sect283r1, /* sect283r1 (10) */ 
+#endif
 		NID_secp256k1, /* secp256k1 (22) */ 
 		NID_X9_62_prime256v1, /* secp256r1 (23) */ 
+#ifndef OPENSSL_NO_EC2M
 		NID_sect239k1, /* sect239k1 (8) */ 
 		NID_sect233k1, /* sect233k1 (6) */
 		NID_sect233r1, /* sect233r1 (7) */ 
+#endif
 		NID_secp224k1, /* secp224k1 (20) */ 
 		NID_secp224r1, /* secp224r1 (21) */
+#ifndef OPENSSL_NO_EC2M
 		NID_sect193r1, /* sect193r1 (4) */ 
 		NID_sect193r2, /* sect193r2 (5) */ 
+#endif
 		NID_secp192k1, /* secp192k1 (18) */
 		NID_X9_62_prime192v1, /* secp192r1 (19) */ 
+#ifndef OPENSSL_NO_EC2M
 		NID_sect163k1, /* sect163k1 (1) */
 		NID_sect163r1, /* sect163r1 (2) */
 		NID_sect163r2, /* sect163r2 (3) */
+#endif
 		NID_secp160k1, /* secp160k1 (15) */
 		NID_secp160r1, /* secp160r1 (16) */ 
 		NID_secp160r2, /* secp160r2 (17) */ 
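Review bot: The six `#ifndef OPENSSL_NO_EC2M` blocks guard only pref_list, i.e. the curves this side offers. nid_list, named in the hunk header, is not touched (all 12 insertions are in pref_list), so a binary-curve id received from a peer would presumably still map to a NID and fail later in EC_GROUP_new_by_curve_name with the same "unknown group" error. It is worth checking whether that lookup path needs the same guard, or at least a clearer handshake failure. Separately, the commit message has only a subject line; a sentence stating that a no-ec2m build must not offer sect* curves it cannot instantiate, plus a short comment above pref_list reminding that any new sect* entry needs the guard, would keep the interleaved blocks from drifting when curves are added.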
-- 
2.1.0
