Interesting; is this a server-side requirement? I ask because with 1.0.2g my client using "AECDH+AES:ADH+AES" makes a TLS 1.2 connection with AECDH-AES256-SHA without calling this function or similar.

Regards,
jjf

On 25/05/2016 21:31, Norm Green wrote:
> Yes! That was the problem. In order to use cipher "AECDH",
> SSL_CTX_set_ecdh_auto(ctx, 1) must be called first.
>
> Thanks Michael!!
>
> Norm
>
>
> On 5/24/16 15:52, Michael Wojcik wrote:
>>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On
>>> Behalf Of Norm Green
>>> Sent: Tuesday, May 24, 2016 13:40
>>>
>>> I've tried both:
>>>
>>> SSL_CTX_set_cipher_list("AECDH")
>>>
>>> and:
>>>
>>> SSL_CTX_set_cipher_list("AECDH-AES256-SHA")
>>>
>>> on both the client and server side, both of which result in the dreaded
>>> "no shared cipher" error:
>>>
>>> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
>>> cipher:s3_srvr.c:1417:
>> You might run a wire trace to see what suites the client is actually
>> advertising.
>>
>> And you are using TLS, right?
>>
>> For AECDH* (or any ECC suite), don't you have to tell OpenSSL what
>> curve to use? I haven't implemented that bit myself in any
>> applications, but my understanding is that with OpenSSL 1.0.2 you can
>> just call SSL_CTX_set_ecdh_auto(ctx, 1). With 1.0.1 you have to
>> specify a particular named curve with SSL_CTX_set_tmp_ecdh.

--
J. J. Farrell
Not speaking for Oracle
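
The wire-trace check suggested in the quoted reply, as an added example that is not part of the original thread: a Python parser that reads one captured ClientHello record and lists the cipher suites and named curves the client advertises. The sample record and the helper names are constructed for illustration, and the parser assumes the whole ClientHello sits in a single TLS record.

```python
import struct

# OpenSSL names for the anonymous suites named in the thread (IANA code points).
ANON_SUITES = {0xC018: "AECDH-AES128-SHA", 0xC019: "AECDH-AES256-SHA",
               0x0034: "ADH-AES128-SHA", 0x003A: "ADH-AES256-SHA"}
CURVES = {23: "secp256r1", 24: "secp384r1", 25: "secp521r1"}


def u16_list(buf: bytes) -> list:
    """Decode a byte string as consecutive big-endian 16-bit values."""
    return [int.from_bytes(buf[i:i + 2], "big") for i in range(0, len(buf) - 1, 2)]


def parse_client_hello(record: bytes) -> dict:
    """Return the cipher suites and named curves offered in one TLS record."""
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                          # client_version + random
        pos += 1 + hello[pos]                 # session_id
        n = int.from_bytes(hello[pos:pos + 2], "big")
        suites = u16_list(hello[pos + 2:pos + 2 + n])
        pos += 2 + n
        pos += 1 + hello[pos]                 # compression_methods
    except IndexError:
        raise ValueError("malformed ClientHello") from None
    curves, pos = [], pos + 2                 # skip the extensions length field
    while pos + 4 <= len(hello):
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        if etype == 10:                       # supported_groups (elliptic_curves)
            curves = u16_list(hello[pos + 6:pos + 4 + elen])
        pos += 4 + elen
    return {"suites": [ANON_SUITES.get(s, hex(s)) for s in suites],
            "curves": [CURVES.get(c, str(c)) for c in curves]}


def build_sample(with_curves: bool = True) -> bytes:
    """Constructed ClientHello offering AECDH-AES256-SHA and ADH-AES256-SHA."""
    ext = struct.pack("!5H", 8, 10, 4, 2, 23) if with_curves else b""
    hello = (b"\x03\x03" + bytes(32) + b"\x00"           # version, random, no session_id
             + struct.pack("!3H", 4, 0xC019, 0x003A)     # cipher_suites
             + b"\x01\x00" + ext)                        # null compression, extensions
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Comparing the `suites` list with the server's configured cipher list shows whether the two sides overlap at all.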