Project

General

Profile

Actions
Copy link

Bug #1959

closed

openssl does not accept ECC-certificates

Added by Michal Fresel over 13 years ago. Updated over 10 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Operating System
Target version:
-
Start date:
01/13/2011
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
2.0
Affected Architecture:

Description

The default openssl-package will not work with ECC-certificates

/usr/bin/openssl version
OpenSSL 0.9.8n 24 Mar 2010
reproduce
  • create ecc-certificate
    /usr/bin/openssl ecparam -name prime192v1 -genkey -out prime192v1.key
/usr/bin/openssl req -new -key prime192v1.key -out prime192v1.csr
/usr/bin/openssl req -x509 -in prime192v1.csr -key prime192v1.key -out prime192v1.crt
  • start test-server on port 8888 in first terminal
    /usr/bin/openssl  s_server -cert prime192v1.crt -key prime192v1.key -port 8888
  • start client in 2nd terminal 
     /usr/bin/openssl s_client -port 8888
  • output
    CONNECTED(00000004)
45338:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s23_clnt.c:599:
ERROR
25807:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:/usr/src/secure/lib/libssl/../../../crypto/openssl/ssl/s3_srvr.c:1068:
shutting down SSL
CONNECTION CLOSED
ACCEPT

an upgrade to OpenSSL 1.0.0e 6 Sep 2011 works (via pkg-add)

  • start server
    /usr/local/bin/openssl s_server -cert prime192v1.crt -key prime192v1.key -port 8888
  • start client
    /usr/local/bin/openssl s_client -port 8888
  • output
    CONNECTED(00000004)
depth=0 C = US, ST = Somewhere, L = Somecity, O = CompanyName, OU = "Organizational Unit Name (eg, section)", CN = "Common Name (eg, YOUR name)", emailAddress = Email Address
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Somewhere, L = Somecity, O = CompanyName, OU = "Organizational Unit Name (eg, section)", CN = "Common Name (eg, YOUR name)", emailAddress = Email Address
verify return:1
---
-----BEGIN SSL SESSION PARAMETERS-----
MFoCAQECAgMBBALACgQABDAtTrtYpbRtJhMg+8pcl9EXlZkqBNwZ0C6AnOT3tuxG
7oqS41Msu/sXkNgFbU0UI6qhBgIETpnLoaIEAgIBLKQGBAQBAAAAqwMEAQE=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:IDEA-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:EDH-RSA-DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:DES-CBC-SHA:EXP-EDH-RSA-DES-CBC-SHA:EXP-EDH-DSS-DES-CBC-SHA:EXP-DES-CBC-SHA:EXP-RC2-CBC-MD5:EXP-RC4-MD5
CIPHER is ECDHE-ECDSA-AES256-SHA
Secure Renegotiation IS supported
Certificate chain
 0 s:/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
   i:/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDfzCCAzagAwIBAgIJALpD23AcmRIkMAkGByqGSM49BAEwgb8xCzAJBgNVBAYT
AlVTMRIwEAYDVQQIEwlTb21ld2hlcmUxETAPBgNVBAcTCFNvbWVjaXR5MRQwEgYD
VQQKEwtDb21wYW55TmFtZTEvMC0GA1UECxMmT3JnYW5pemF0aW9uYWwgVW5pdCBO
YW1lIChlZywgc2VjdGlvbikxJDAiBgNVBAMTG0NvbW1vbiBOYW1lIChlZywgWU9V
UiBuYW1lKTEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVzczAeFw0xMTEwMTUx
NzU3MDhaFw0xMTExMTQxNzU3MDhaMIG/MQswCQYDVQQGEwJVUzESMBAGA1UECBMJ
U29tZXdoZXJlMREwDwYDVQQHEwhTb21lY2l0eTEUMBIGA1UEChMLQ29tcGFueU5h
bWUxLzAtBgNVBAsTJk9yZ2FuaXphdGlvbmFsIFVuaXQgTmFtZSAoZWcsIHNlY3Rp
b24pMSQwIgYDVQQDExtDb21tb24gTmFtZSAoZWcsIFlPVVIgbmFtZSkxHDAaBgkq
hkiG9w0BCQEWDUVtYWlsIEFkZHJlc3MwSTATBgcqhkjOPQIBBggqhkjOPQMBAQMy
AATwe4TgnmeF9DLy46jL+FxRDZFDGe+53vo0AP7xDomVrvNkSTVOt1RvsfuZ3yOT
y4CjggEoMIIBJDAdBgNVHQ4EFgQUSxcxJK2NOd1DBgEFhUau7mhAYIcwgfQGA1Ud
IwSB7DCB6YAUSxcxJK2NOd1DBgEFhUau7mhAYIehgcWkgcIwgb8xCzAJBgNVBAYT
AlVTMRIwEAYDVQQIEwlTb21ld2hlcmUxETAPBgNVBAcTCFNvbWVjaXR5MRQwEgYD
VQQKEwtDb21wYW55TmFtZTEvMC0GA1UECxMmT3JnYW5pemF0aW9uYWwgVW5pdCBO
YW1lIChlZywgc2VjdGlvbikxJDAiBgNVBAMTG0NvbW1vbiBOYW1lIChlZywgWU9V
UiBuYW1lKTEcMBoGCSqGSIb3DQEJARYNRW1haWwgQWRkcmVzc4IJALpD23AcmRIk
MAwGA1UdEwQFMAMBAf8wCQYHKoZIzj0EAQM4ADA1AhgNrpwjf7Qe61TxRbG84gyX
xPu7mPBxLg8CGQCg6Y2GKZ77wS2dK7AeI0e9aEr+eTZNnEw=
-----END CERTIFICATE-----
subject=/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
issuer=/C=US/ST=Somewhere/L=Somecity/O=CompanyName/OU=Organizational Unit Name (eg, section)/CN=Common Name (eg, YOUR name)/emailAddress=Email Address
---
No client certificate CA names sent
---
SSL handshake has read 1358 bytes and written 345 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
Server public key is 192 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-ECDSA-AES256-SHA
    Session-ID: DE6E578B3AF5724CF27CA640BA841F5DF4F47F57CF18E13371C4487B18718214
    Session-ID-ctx: 
    Master-Key: 2D4EBB58A5B46D261320FBCA5C97D11795992A04DC19D02E809CE4F7B6EC46EE8A92E3532CBBFB1790D8056D4D1423AA
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket:
    0000 - 76 63 33 35 d9 c6 fd ee-85 b9 64 8e 54 2c 60 ae   vc35......d.T,`.
    0010 - 5b 1f 37 e4 08 1e 56 08-c1 f8 75 83 7d 3a 69 73   [.7...V...u.}:is
    0020 - 7f 81 6d ab d5 a3 68 09-c4 b8 2d 23 34 46 e8 88   ..m...h...-#4F..
    0030 - e9 dd 5f 9f eb ee 11 cb-f9 32 c9 8d fd bf 04 10   .._......2......
    0040 - c6 9b 84 1b c4 9a df aa-56 b8 3d 58 13 e7 23 99   ........V.=X..#.
    0050 - 36 93 10 b7 e3 a6 97 9f-49 12 46 34 5d fb 32 f5   6.......I.F4].2.
    0060 - 5c d8 6e 56 48 2e 7a ce-da 66 dd b4 5c c6 66 87   \.nVH.z..f..\.f.
    0070 - ea 07 d2 73 0c 5c e1 9f-80 6c 62 96 75 7f 21 e3   ...s.\...lb.u.!.
    0080 - c0 4a 8d 73 d5 1a d0 5b-48 50 ef ad 89 9e 19 70   .J.s...[HP.....p
    0090 - ac 80 70 0c a6 60 2e 62-20 d4 69 cb 00 84 2e 9a   ..p..`.b .i.....

    Compression: 1 (zlib compression)
    Start Time: 1318701985
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
Actions
Copy link
 #1

Updated by Michal Fresel over 13 years ago

related to this one #1851

Actions
Copy link
 #2

Updated by Michal Fresel over 13 years ago

funny that it's possible to create a ecc-certificate using the older binary but it only works on the newer one ….

Actions
Copy link
 #3

Updated by Jim Pingle about 12 years ago

  • Status changed from New to Feedback

On 2.1 we use OpenSSL 1.0.1e (or later) so it's worth trying again there.

Actions
Copy link
 #4

Updated by Chris Buechler over 10 years ago

  • Status changed from Feedback to Resolved
Actions
Copy link

Also available in: Atom PDF