On Tue, Sep 23, 2014 at 10:16 AM, Alexander Rumyantsev <alexander at rumyantsev.com> wrote: > OpenSSL @RHEL supports following curves: > > # openssl ecparam -list_curves > secp384r1 : NIST/SECG curve over a 384 bit prime field > secp521r1 : NIST/SECG curve over a 521 bit prime field > prime256v1: X9.62/SECG curve over a 256 bit prime field > > So, adding ":-CURVE-SECP192R1:-CURVE-SECP224R1:-CURVE-SECP256R1" to DEFAULT_PRIO in gnutls.c solved the problem, but now I don't know how to implement it correctly: wether to hardcode or to add an option like "--disable-incompatible-ec>> > The main problem is that I can't figure out wether it's a GnuTLS bug, or OpenSSL bug, or RedHat bug in SSL/TLS handshake. That looks like a bug in the modified for rhel-6.5 openssl, handling of curves. A disabled curve shouldn't have been negotiated. I'd suggest to take a capture of a failed connection and submit a bug report for your rhel version. regards, Nikos
