Hi,

I have problems establishing an SSL connection where the server certificate is
based on an EC key. I first tried via the C API, but I can't make it work
even with the command line tool. This is what I did:


xxx:~./openssl ecparam -name secp256r1 -genkey -out ecc1.pem
using curve name prime256v1 instead of secp256r1

xxx:~./openssl ec -in ecc1.pem -des3 -out ecc1.key
read EC key
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:

xxx:~./openssl req -config ./openssl.cnf -new -x509 -days 365 -key ecc1.key -out ecc1.crt
Enter pass phrase for ecc1.key:
You are about to be asked to enter information that will be incorporated
........

xxx:~./openssl s_server -accept 1000 -cert ecc1.crt -key ecc1.key
Enter pass phrase for ecc1.key:
Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT
ERROR
8664:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1037:
shutting down SSL
CONNECTION CLOSED
ACCEPT
ERROR
8664:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1037:
shutting down SSL
CONNECTION CLOSED


I can't connect via Firefox2 and also not with openssl using the s_client option.

Also the pages reachable from http://ecc.fedora.redhat.com/ will not work with
openssl but will work with my Firefox.


xxx:~./openssl s_client -host ecc.fedora.redhat.com -port 8443
CONNECTED(00000003)
8682:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:580:

xxx:~./openssl version
OpenSSL 0.9.8h 28 May 2008

Any ideas what goes wrong?

Thanks
Jan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org