tls handshake fail using cipher ECDHE-ECDSA-AES256-GCM-SHA384

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

tls handshake fail using cipher ECDHE-ECDSA-AES256-GCM-SHA384

johan persson
I have problem doing handshake using "ECDHE-ECDSA-AES256-GCM-SHA384" cipher. 
OpenSSL 1.0.2h 

This is how I generate test certificates. 
openssl ecparam -out /data/ca.key -name secp256k1 -genkey 
openssl req -x509 -new -key /data/ca.key -out /data/ca.pem -outform PEM -days 3650 -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER 
openssl ecparam -out /data/server.key -name secp256k1 -genkey 
openssl req -new -nodes -key /data/server.key -outform pem -out /data/server.req -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER' 
openssl ecparam -out /data/client.key -name secp256k1 -genkey 
openssl req -new -nodes -key /data/client.key -outform pem -out /data/client.req -subj '/C=SE/ST=S/L=M/O=V/CN=CLIENT' 
openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in /data/server.req -out /data/server.pem -outdir /data/ 
openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in /data/client.req -out /data/client.pem -outdir /data/ 


Running the following test: 
openssl s_server -accept 10000 -cert server.pem -key server.key -CAfile ca.pem -debug -tlsextdebug 
openssl s_client -connect localhost:10000 -cert client.pem -key client.key -CAfile ca.pem -tls1_2 

I get a handshake working ok with the cipher I want "ECDHE-ECDSA-AES256-GCM-SHA384", perfect!: 


Now, using my own tls server I only get "ECDH-ECDSA-AES256-GCM-SHA384" to work. I cannot use "ECDHE-ECDSA-AES256-GCM-SHA384" which I want. 
Anyone knows what I'm missing from the following setup?: 

#define VOC_TLS_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384" << NOT WORKING 
//#define VOC_TLS_CIPHERS "ECDH-ECDSA-AES256-GCM-SHA384" << WORKING 

// Init for OpenSSL 
SSL_library_init(); 
OpenSSL_add_all_algorithms(); 
SSL_load_error_strings(); 

ctx_ = SSL_CTX_new(TLSv1_2_server_method()); 
if (ctx_ == NULL) 

   LOG(LOG_WARN, "Tls: %s: Failed to create TLS context", __FUNCTION__); 
   return RET_FAIL; 


(Load Ca cert, server and server private key) 

if (SSL_CTX_set_ecdh_auto(ctx_, 1)) { 
   LOG(LOG_WARN, "Tls: %s: Failed to set ECDH auto pick", __FUNCTION__); 
   return RET_FAIL; 


if (!SSL_CTX_set_cipher_list(ctx_, VOC_TLS_CIPHERS)) { 
    LOG(LOG_WARN, "Tls: %s: Failed to set cipher list: %s\n", __FUNCTION__, VOC_TLS_CIPHERS); 
    return RET_FAIL; 


ssl_ = SSL_new(ctx_); 

error on server side:
<ECDHE-ECDSA-AES256-GCM-SHA384> 
Server has 1 from 0xb475ef98: 
0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384 
Client sent 1 from 0xb3502308: 
0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384 
rt=0 rte=0 dht=0 ecdht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 
0:[00000080:00000040:00000140:000000D4]0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384 
2958031164:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417: 

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: tls handshake fail using cipher ECDHE-ECDSA-AES256-GCM-SHA384

Pravesh Rai
Following link might give you, some clue about the problem:


Regards,
PR

On Fri, Jan 12, 2018 at 9:27 PM, johan persson <[hidden email]> wrote:
I have problem doing handshake using "ECDHE-ECDSA-AES256-GCM-SHA384" cipher. 
OpenSSL 1.0.2h 

This is how I generate test certificates. 
openssl ecparam -out /data/ca.key -name secp256k1 -genkey 
openssl req -x509 -new -key /data/ca.key -out /data/ca.pem -outform PEM -days 3650 -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER 
openssl ecparam -out /data/server.key -name secp256k1 -genkey 
openssl req -new -nodes -key /data/server.key -outform pem -out /data/server.req -subj '/C=SE/ST=S/L=M/O=V/CN=SERVER' 
openssl ecparam -out /data/client.key -name secp256k1 -genkey 
openssl req -new -nodes -key /data/client.key -outform pem -out /data/client.req -subj '/C=SE/ST=S/L=M/O=V/CN=CLIENT' 
openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in /data/server.req -out /data/server.pem -outdir /data/ 
openssl ca -batch -keyfile /data/ca.key -cert /data/ca.pem -in /data/client.req -out /data/client.pem -outdir /data/ 


Running the following test: 
openssl s_server -accept 10000 -cert server.pem -key server.key -CAfile ca.pem -debug -tlsextdebug 
openssl s_client -connect localhost:10000 -cert client.pem -key client.key -CAfile ca.pem -tls1_2 

I get a handshake working ok with the cipher I want "ECDHE-ECDSA-AES256-GCM-SHA384", perfect!: 


Now, using my own tls server I only get "ECDH-ECDSA-AES256-GCM-SHA384" to work. I cannot use "ECDHE-ECDSA-AES256-GCM-SHA384" which I want. 
Anyone knows what I'm missing from the following setup?: 

#define VOC_TLS_CIPHERS "ECDHE-ECDSA-AES256-GCM-SHA384" << NOT WORKING 
//#define VOC_TLS_CIPHERS "ECDH-ECDSA-AES256-GCM-SHA384" << WORKING 

// Init for OpenSSL 
SSL_library_init(); 
OpenSSL_add_all_algorithms(); 
SSL_load_error_strings(); 

ctx_ = SSL_CTX_new(TLSv1_2_server_method()); 
if (ctx_ == NULL) 

   LOG(LOG_WARN, "Tls: %s: Failed to create TLS context", __FUNCTION__); 
   return RET_FAIL; 


(Load Ca cert, server and server private key) 

if (SSL_CTX_set_ecdh_auto(ctx_, 1)) { 
   LOG(LOG_WARN, "Tls: %s: Failed to set ECDH auto pick", __FUNCTION__); 
   return RET_FAIL; 


if (!SSL_CTX_set_cipher_list(ctx_, VOC_TLS_CIPHERS)) { 
    LOG(LOG_WARN, "Tls: %s: Failed to set cipher list: %s\n", __FUNCTION__, VOC_TLS_CIPHERS); 
    return RET_FAIL; 


ssl_ = SSL_new(ctx_); 

error on server side:
<ECDHE-ECDSA-AES256-GCM-SHA384
Server has 1 from 0xb475ef98: 
0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384 
Client sent 1 from 0xb3502308: 
0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384 
rt=0 rte=0 dht=0 ecdht=0 re=0 ree=0 rs=0 ds=0 dhr=0 dhd=0 
0:[00000080:00000040:00000140:000000D4]0xb6daa440:ECDHE-ECDSA-AES256-GCM-SHA384 
2958031164:error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417: 

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users