Re: [sr-dev] [kamailio/kamailio] TLS Client Verification OpenSSL 1.1.1(P-256) to OpenSSL 1.0.2 (P-521) is failing (#2716)

27 Apr 2021


      I have done the following test:
In `tls_domain.c`, comment out the usage of a P-256 curve
```C
/*
 * ECDHE is enabled only on OpenSSL 1.0.0e and later.
 * See http://www.openssl.org/news/secadv_20110906.txt
 * for details.
 */
#ifndef OPENSSL_NO_ECDH
static void setup_ecdh(SSL_CTX *ctx)
{
   EC_KEY *ecdh;
if (SSLeay() < 0x1000005fL) {
      return;
   }
// ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
   SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
   // SSL_CTX_set_tmp_ecdh(ctx, ecdh);
// EC_KEY_free(ecdh);
}
#endif
```
In this case everything works as expected; I can set `cipher_list` in both `[server:default]` and `[client:default]` and the TLS handshake will succeed in both directions.
-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2716#issuecomment-827746031

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

Re: [sr-dev] [kamailio/kamailio] TLS Client Verification OpenSSL 1.1.1(P-256) to OpenSSL 1.0.2 (P-521) is failing (#2716)