OpenSSL @RHEL supports the following curves:

# openssl ecparam -list_curves
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

So, adding ":-CURVE-SECP192R1:-CURVE-SECP224R1:-CURVE-SECP256R1" to DEFAULT_PRIO in gnutls.c solved the problem, but now I don't know how to implement it correctly: whether to hardcode it or to add an option like "--disable-incompatible-ec".
The main problem is that I can't figure out whether it's a GnuTLS bug, or an OpenSSL bug, or a RedHat bug in the SSL/TLS handshake.
Now I'm occasionally catching the "SSL read error: Success.; reconnecting. Socket connect cancelled" error, will investigate.

On 23 ????. 2014, at 10:42, Alexander Rumyantsev <alexander at rumyantsev.com> wrote:

>
> Hi!
>
> I have ocserv running on RHEL 7 and openconnect on OS X 10.9+macports
> Recently I decided to hide ocserv behind haproxy to separate anyconnect connections from browser connections by User-Agent header.
> But I couldn't establish a connection due to the following error: "SSL connection failure: curve not supported"
> I think that's because RHEL ships with hobbled OpenSSL (against which haproxy was built) with very limited elliptic curve support due to RH Legal's patent fears.
>
> Don't even know how to deal with this, or even whether it's worth dealing with.
>
> P.S. I think the mode of external SSL termination with unix socket support will be very useful in ocserv.
>
> Best regards,
> Alexander Rumyantsev
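The curve-list-to-priority-string step discussed above, as an added shell example that is not part of this thread or of openconnect's own code: it parses `openssl ecparam -list_curves` output (a constructed sample here, mirroring the three-curve RHEL list) and appends a `-CURVE-...` removal for each of GnuTLS's five NIST curve keywords whose OpenSSL counterpart is missing, using the fact that OpenSSL names P-256 `prime256v1` and P-192 `prime192v1`. The `NORMAL` base string is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): build a GnuTLS priority string that
# removes every NIST curve the OpenSSL-linked peer does not list, so the
# GnuTLS side and the OpenSSL side agree on curves during the handshake.

# Constructed sample of `openssl ecparam -list_curves` output, mirroring the
# three-curve list quoted in the thread; on a real host substitute
# "$(openssl ecparam -list_curves)".
SAMPLE_CURVES='  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field'

# openssl_has_curve LIST NAMES: succeed if any of the '|'-separated NAMES
# appears as a curve name (the text before the colon) in LIST.
openssl_has_curve() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*($2)[[:space:]]*:"
}

# build_priority BASE LIST: print BASE followed by ":-CURVE-<name>" for
# each GnuTLS curve whose OpenSSL counterpart is absent from LIST.
# Mapping is GnuTLS keyword -> OpenSSL name(s); OpenSSL calls P-256
# "prime256v1" and P-192 "prime192v1" (secp192r1 is an alias of it).
build_priority() {
    prio=$1
    for pair in 'SECP192R1=prime192v1|secp192r1' 'SECP224R1=secp224r1' \
                'SECP256R1=prime256v1|secp256r1' 'SECP384R1=secp384r1' \
                'SECP521R1=secp521r1'; do
        gnutls_name=${pair%%=*}
        openssl_names=${pair#*=}
        if ! openssl_has_curve "$2" "$openssl_names"; then
            prio="$prio:-CURVE-$gnutls_name"
        fi
    done
    printf '%s\n' "$prio"
}

build_priority NORMAL "$SAMPLE_CURVES"
# prints NORMAL:-CURVE-SECP192R1:-CURVE-SECP224R1
```

The resulting string is what would go into the GnuTLS side's priority (DEFAULT_PRIO in the thread's case), and a full OpenSSL curve list yields the base string unchanged.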