Re: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error
> From: openssl-users On Behalf Of Rajeswari K
> Sent: Monday, February 02, 2015 22:17
>
> Thanks for responding. Following is the output printed by openssl
> ./openssl req -in csr.csr -noout -text
<snip>
> Subject Public Key Info:
> Public Key Algorithm: id-ecPublicKey
> Public-Key: (256 bit)
> pub:
> ASN1 OID: prime256v1

Yes, that is named form. Then I don't know what the problem is.

Generic debugging advice, if you haven't tried these already:

Does the problem occur with s_client to your server?

Does the problem occur with s_client to s_server using the same cert+key, cipherlist (if not default) and same or reasonable tmp-ECDH?

Actually, that's a thought. You said your server uses a tmp-ECDH callback; does that (always) provide a curve/parameters object that *has* an OID which maps to one of the TLS standard curves in 4492 (and one specified in the client hello, but your earlier trace looked like the client specified all)? s_server *only* supports named curves (and defaults to p256).

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error
> From: openssl-users On Behalf Of Rajeswari K
> Sent: Sunday, February 01, 2015 21:18
>
> Am facing an issue of no shared cipher error during SSL Handshake, when tried to negotiate ECDHE cipher suite.
<snip>
> *Feb 2 01:00:47.894: SSL_accept:error in SSLv3 read client hello C
> *Feb 2 01:00:47.894: 3854049196:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:1381:
> Have updated with temporary ECDH callback during SSL Server initialization. ECDSA certificate is being signed using openssl commands.

How was the keypair and CSR generated? In particular, check that the public key in the CSR, and thus in the cert, has the curve encoded in named form (as an OID), not explicit form (with all the details of prime or polynomial, equation coefficients, base point, and cofactor).
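As an added example (not code from the thread or from OpenSSL), the named-vs-explicit check Dave describes, done on the DER bytes: it classifies the AlgorithmIdentifier parameters of a SubjectPublicKeyInfo as a namedCurve OID (the form TLS can map to an RFC 4492 curve, and the only form s_server accepts) or an explicit ECParameters SEQUENCE. The two sample SPKI blobs are constructed inline with placeholder point and curve values; real input would be the DER SubjectPublicKeyInfo taken from the CSR or certificate.

```python
# Added example, not from the thread: tell a named-curve EC SubjectPublicKeyInfo
# (parameters = curve OID) from an explicit one (parameters = ECParameters SEQUENCE).
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1 content octets
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")       # OID 1.2.840.10045.3.1.7 content octets

def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _dec_oid(content):
    """Decode OID content octets (base-128 arcs) to dotted form."""
    arcs, cur = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur); cur = 0
    return ".".join(map(str, arcs))

def ec_param_form(spki):
    """Classify the AlgorithmIdentifier parameters of a DER SubjectPublicKeyInfo."""
    _, body, _ = _tlv(spki, 0)          # SubjectPublicKeyInfo ::= SEQUENCE
    _, algid, _ = _tlv(body, 0)         # AlgorithmIdentifier ::= SEQUENCE
    tag, alg, pos = _tlv(algid, 0)
    if tag != 0x06 or alg != ID_EC_PUBLIC_KEY:
        return "not-ec"
    tag, params, _ = _tlv(algid, pos)
    if tag == 0x06:
        return "named:" + _dec_oid(params)   # namedCurve OID, what TLS can advertise
    if tag == 0x30:
        return "explicit"                    # ECParameters: field, a, b, base, order, cofactor
    return "implicit" if tag == 0x05 else "unknown"

# --- constructed sample input: placeholder point and curve constants, not real keys ---
def _der(tag, content):
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

POINT = b"\x04" + b"\x11" * 64                 # uncompressed-point placeholder (65 bytes)
PUBKEY = _der(0x03, b"\x00" + POINT)           # BIT STRING, zero unused bits

def sample_named_spki():
    return _der(0x30, _der(0x30, _der(0x06, ID_EC_PUBLIC_KEY) + _der(0x06, PRIME256V1)) + PUBKEY)

def sample_explicit_spki():
    big = b"\x00" + b"\xff" * 32               # placeholder 256-bit INTEGER
    params = (_der(0x02, b"\x01")                                                   # version 1
              + _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0101")) + _der(0x02, big))  # prime-field, p
              + _der(0x30, _der(0x04, b"\x00" * 32) * 2)                            # curve: a, b
              + _der(0x04, POINT) + _der(0x02, big) + _der(0x02, b"\x01"))          # base, order, cofactor
    return _der(0x30, _der(0x30, _der(0x06, ID_EC_PUBLIC_KEY) + _der(0x30, params)) + PUBKEY)
```

For a PEM certificate or CSR, base64-decode the body and walk to the SubjectPublicKeyInfo first; ec_param_form expects that inner SEQUENCE, not the whole certificate.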
Re: [openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error
Hello Dave,

Thanks for responding. Following is the output printed by openssl:

./openssl req -in csr.csr -noout -text
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=eccert/unstructuredName=
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                ASN1 OID: prime256v1
        Attributes:
        Requested Extensions:
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: ecdsa-with-SHA256

Please share if there is any issue with these parameters?

Thanks,
Rajeswari.

On Tue, Feb 3, 2015 at 8:28 AM, Dave Thompson <dthomp...@prinpay.com> wrote:
> > From: openssl-users On Behalf Of Rajeswari K
> > Sent: Sunday, February 01, 2015 21:18
> >
> > Am facing an issue of no shared cipher error during SSL Handshake, when tried to negotiate ECDHE cipher suite.
> <snip>
> > *Feb 2 01:00:47.894: SSL_accept:error in SSLv3 read client hello C
> > *Feb 2 01:00:47.894: 3854049196:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:1381:
> > Have updated with temporary ECDH callback during SSL Server initialization. ECDSA certificate is being signed using openssl commands.
>
> How was the keypair and CSR generated? In particular, check that the public key in the CSR, and thus in the cert, has the curve encoded in named form (as an OID), not explicit form (with all the details of prime or polynomial, equation coefficients, base point, and cofactor).
[openssl-users] ECDHE-ECDSA certificate returning with no shared cipher error
Hello Openssl users,

Am facing an issue of no shared cipher error during SSL Handshake, when tried to negotiate ECDHE cipher suite. We are using openssl-1.0.1j version. Can you please share your thoughts?

Following are the logs during SSL Handshake.

Server has 2 from 0xE29690E0:
0x10B42900:ECDHE-ECDSA-AES256-SHA
0x10B428D0:ECDHE-ECDSA-AES128-SHA
Client sent 2 from 0xE442F5B0:
0x10B42900:ECDHE-ECDSA-AES256-SHA
0x10B428D0:ECDHE-ECDSA-AES128-SHA
rt=0 rte=0 dht=1 ecdht=1 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[0080:0040:0089:0005]0x10B42900:ECDHE-ECDSA-AES256-SHA
rt=0 rte=0 dht=1 ecdht=1 re=1 ree=1 rs=0 ds=0 dhr=0 dhd=0
0:[0080:0040:0089:0005]0x10B428D0:ECDHE-ECDSA-AES128-SHA
*Feb 2 01:00:46.884: SSL_accept:before/accept initialization
*Feb 2 01:00:46.884: SSL_accept:would block on read in SSLv3 read client hello B
*Feb 2 01:00:47.892: TLS 1.2 Handshake [length 0092], ClientHello
*Feb 2 01:00:47.892: 01 00 00 8E 03 03 C3 CB 15 58 20 B9 49 1D 73 C7
*Feb 2 01:00:47.892: F8 C1 4D 31 10 A1 B6 D9 62 9E DF 91 A8 DC 8F 79
*Feb 2 01:00:47.892: 95 79 20 55 AC CF 00 00 06 C0 0A C0 09 00 FF 01
*Feb 2 01:00:47.893: 00 00 5F 00 0B 00 04 03 00 01 02 00 0A 00 34 00
*Feb 2 01:00:47.893: 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09 00
*Feb 2 01:00:47.893: 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15 00
*Feb 2 01:00:47.893: 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F 00
*Feb 2 01:00:47.893: 10 00 11 00 0D 00 16 00 14 06 01 06 03 05 01 05
*Feb 2 01:00:47.893: 03 04 01 04 03 03 01 03 03 02 01 02 03 00 0F 00
*Feb 2 01:00:47.893: 01 01
*Feb 2 01:00:47.893: TLS client extension EC point formats (id=11), len=4
*Feb 2 01:00:47.893: 03 00 01 02
*Feb 2 01:00:47.893: TLS client extension elliptic curves (id=10), len=52
*Feb 2 01:00:47.893: 00 32 00 0E 00 0D 00 19 00 0B 00 0C 00 18 00 09
*Feb 2 01:00:47.893: 00 0A 00 16 00 17 00 08 00 06 00 07 00 14 00 15
*Feb 2 01:00:47.893: 00 04 00 05 00 12 00 13 00 01 00 02 00 03 00 0F
*Feb 2 01:00:47.893: 00 10 00 11
*Feb 2 01:00:47.893: TLS client extension signature algorithms (id=13), len=22
*Feb 2 01:00:47.893: 00 14 06 01 06 03 05 01 05 03 04 01 04 03 03 01
*Feb 2 01:00:47.893: 03 03 02 01 02 03
*Feb 2 01:00:47.893: TLS client extension heartbeat (id=15), len=1
*Feb 2 01:00:47.893: 01
*Feb 2 01:00:47.894: TLS 1.2 Alert [length 0002], fatal handshake_failure
*Feb 2 01:00:47.894: 02 28
*Feb 2 01:00:47.894: Router#
*Feb 2 01:00:47.894: SSL3 alert write:fatal:handshake failure
*Feb 2 01:00:47.894: SSL_accept:error in SSLv3 read client hello C
*Feb 2 01:00:47.894: 3854049196:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher s3_srvr.c:1381:

Have updated with temporary ECDH callback during SSL Server initialization. ECDSA certificate is being signed using openssl commands. Am not seeing any issue with RSA based ciphers, but only with ECDSA based ciphers having problem on my setup. Can you please share whether the certificate loading is something different than RSA?

Thanks,
Rajeswari.