AJ aunt.jomamma at yahoo.com
Wed Sep 26 20:54:32 CEST 2012


I have OpenSIPS 1.7.2 working fine with TLS 1.0, running on CentOS 6.3.

However, now I want to use some ECDHE ciphersuites, for instance: ECDHE-ECDSA-AES128-SHA
I have built an appropriate OpenSSL (1.0.0j) in CentOS to support this, and have generated the appropriate certs:

openssl ecparam -out ca-privkey.pem -name secp256r1 -genkey -outform pem
openssl req -x509 -new -key ca-privkey.pem -out ca_cert.pem -outform PEM -days 3650
openssl ecparam -out privkey.pem -name secp256r1 -genkey -outform pem
openssl req -new -nodes -key privkey.pem -outform pem -out cert_req.pem
openssl ca -keyfile ca-privkey.pem -cert ca_cert.pem -in cert_req.pem -out cert.pem

However, when I try to connect from my phone I am always getting:
Sep 23 03:32:10 opensips /usr/sbin/opensips[1576]: ERROR:core:tls_accept: some error in SSL (ret=-1, err=1, errno=0/Success):
Sep 23 03:32:10 opensips /usr/sbin/opensips[1576]: ERROR:core:tls_print_errstack: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

If I use the OpenSSL s_server test-tool, I can connect from my phone just fine with these certs:
openssl s_server -accept 8888 -cert cert.pem -key key.pem -pass stdin -CAfile calist.pem -cipher ECDHE-ECDSA-AES128-SHA

Does OpenSIPS support ECDHE ciphersuites?
If so, what am I doing wrong?


