[sr-dev] [kamailio/kamailio] TLS Client Verification OpenSSL 1.1.1(P-256) to OpenSSL 1.0.2 (P-521) is failing (#2716)
space88man
notifications at github.com
Tue Apr 27 18:33:26 CEST 2021
I have done the following test:
In `tls_domain.c`, comment out the usage of a P-256 curve
```C
/*
 * ECDHE is enabled only on OpenSSL 1.0.0e and later.
 * See http://www.openssl.org/news/secadv_20110906.txt
 * for details.
 */
#ifndef OPENSSL_NO_ECDH
static void setup_ecdh(SSL_CTX *ctx)
{
	EC_KEY *ecdh;

	if (SSLeay() < 0x1000005fL) {
		return;
	}

	// ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
	SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
	// SSL_CTX_set_tmp_ecdh(ctx, ecdh);
	// EC_KEY_free(ecdh);
}
#endif
```
In this case everything works as expected; I can set `cipher_list` in both `[server:default]` and `[client:default]` and the TLS handshake will succeed in both directions.