Yes, it's only required on the server.

Norm Green

On 5/25/16 14:10, Jeremy Farrell wrote:
> Interesting; is this a server-side requirement? I ask because with
> 1.0.2g my client using "AECDH+AES:ADH+AES" makes a TLS 1.2 connection
> with AECDH-AES256-SHA without calling this function or similar.
>
> Regards,
> jjf
>
> On 25/05/2016 21:31, Norm Green wrote:
>> Yes! That was the problem. In order to use cipher "AECDH",
>> SSL_CTX_set_ecdh_auto(ctx, 1) must be called first.
>>
>> Thanks Michael!!
>>
>> Norm
>>
>>
>> On 5/24/16 15:52, Michael Wojcik wrote:
>>>> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
>>>> Of Norm Green
>>>> Sent: Tuesday, May 24, 2016 13:40
>>>>
>>>> I've tried both:
>>>>
>>>> SSL_CTX_set_cipher_list("AECDH")
>>>>
>>>> and:
>>>>
>>>> SSL_CTX_set_cipher_list("AECDH-AES256-SHA")
>>>>
>>>> on both the client and server side, both of which result in the
>>>> dreaded "no shared cipher" error:
>>>>
>>>> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher:s3_srvr.c:1417:
>>> You might run a wire trace to see what suites the client is actually
>>> advertising.
>>>
>>> And you are using TLS, right?
>>>
>>> For AECDH* (or any ECC suite), don't you have to tell OpenSSL what
>>> curve to use? I haven't implemented that bit myself in any
>>> applications, but my understanding is that with OpenSSL 1.0.2 you
>>> can just call SSL_CTX_set_ecdh_auto(ctx, 1). With 1.0.1 you have to
>>> specify a particular named curve with SSL_CTX_set_tmp_ecdh.
>
> --
> J. J. Farrell
> Not speaking for Oracle