On Mon, May 31, 2021 at 04:42:55PM +0200, Marcin Gryszkalis via Exim-users wrote:
> openssl s_client -connect 127.0.0.1:465 -tls1_2 -cipher ECDHE-ECDSA-AES256-GCM-SHA384
> But - I tried to specify the curve and it failed
>
> openssl s_client -connect 127.0.0.1:465 -tls1_2 -cipher
> ECDHE-ECDSA-AES256-GCM-SHA384 -curves prime256v1
>
> CONNECTED(00000004)
> 34380884168:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:/usr/src/crypto/openssl/ssl/s3_pkt.c:1498:SSL alert number 40
> 34380884168:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:/usr/src/crypto/openssl/ssl/s3_pkt.c:659:
>
> prime256v1 = secp256r1
>
> I checked on exim built on FreeBSD 12 (with openssl 1.1) and it works fine - but fails on other installation with openssl 1.0.
So what version of FreeBSD and OpenSSL are on the system with the
reported issue? Support for negotiated ECDHE groups has evolved in
OpenSSL over time. With older OpenSSL releases unless group selection
is explicitly set to "auto", the server picks some single default group,
which may not match this particular client's choice.
--
Viktor.