> On Tue, Sep 23, 2014 at 10:16 AM, Alexander Rumyantsev > <alexander at rumyantsev.com> wrote: >> OpenSSL @RHEL supports following curves: >> >> # openssl ecparam -list_curves >> secp384r1 : NIST/SECG curve over a 384 bit prime field >> secp521r1 : NIST/SECG curve over a 521 bit prime field >> prime256v1: X9.62/SECG curve over a 256 bit prime field >> >> So, adding ":-CURVE-SECP192R1:-CURVE-SECP224R1:-CURVE-SECP256R1" to DEFAULT_PRIO in gnutls.c solved the problem, but now I don't know how to implement it correctly: wether to hardcode or to add an option like "--disable-incompatible-ec>> >> The main problem is that I can't figure out wether it's a GnuTLS bug, or OpenSSL bug, or RedHat bug in SSL/TLS handshake. > > That looks like a bug in the modified for rhel-6.5 openssl, handling > of curves. A disabled curve shouldn't have been negotiated. I'd > suggest to take a capture of a failed connection and submit a bug > report for your rhel version. Thanks, will investigate and report.
