[sr-dev] [kamailio/kamailio] TLS Client Verification OpenSSL 1.1.1(P-256) to OpenSSL 1.0.2 (P-521) is failing (#2716)

space88man notifications at github.com
Tue Apr 27 18:33:26 CEST 2021


I have done the following test:

In `tls_domain.c`, comment out the usage of a P-256 curve

```C
/*
 * ECDHE is enabled only on OpenSSL 1.0.0e and later.
 * See http://www.openssl.org/news/secadv_20110906.txt
 * for details.
 */
#ifndef OPENSSL_NO_ECDH
static void setup_ecdh(SSL_CTX *ctx)
{
   EC_KEY *ecdh;

   if (SSLeay() < 0x1000005fL) {
      return;
   }

   // ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
   SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
   // SSL_CTX_set_tmp_ecdh(ctx, ecdh);

   // EC_KEY_free(ecdh);
}
#endif
```

In this case everything works as expected; I can set `cipher_list` in both `[server:default]` and `[client:default]` and the TLS handshake will succeed in both directions. 

