Yes, it's only required on the server.

Norm Green

On 5/25/16 14:10, Jeremy Farrell wrote:
Interesting; is this a server-side requirement? I ask because with 1.0.2g my client using "AECDH+AES:ADH+AES" makes a TLS 1.2 connection with AECDH-AES256-SHA without calling this function or similar.

Regards,
                       jjf

On 25/05/2016 21:31, Norm Green wrote:
Yes! That was the problem. In order to use cipher "AECDH", SSL_CTX_set_ecdh_auto(ctx, 1) must be called first.

Thanks Michael!!

Norm


On 5/24/16 15:52, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Norm Green
Sent: Tuesday, May 24, 2016 13:40

I've tried both:

SSL_CTX_set_cipher_list(ctx, "AECDH")

and:

SSL_CTX_set_cipher_list(ctx, "AECDH-AES256-SHA")

on both the client and server side, both of which result in the dreaded
"no shared cipher" error:

error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:
You might run a wire trace to see what suites the client is actually advertising.

And you are using TLS, right?

For AECDH* (or any ECC suite), don't you have to tell OpenSSL what curve to use? I haven't implemented that bit myself in any applications, but my understanding is that with OpenSSL 1.0.2 you can just call SSL_CTX_set_ecdh_auto(ctx, 1). With 1.0.1 you have to specify a particular named curve with SSL_CTX_set_tmp_ecdh.

--
J. J. Farrell
Not speaking for Oracle



-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users