1 (edited by artur 2023-06-02 12:06:22)

Topic: "Don't have ECC" server error for static DH suite

Hi All,

Trying wolfSSL v5.6.0-stable.

build option:

./configure --enable-pkcs11 --enable-ecc --enable-debug

diff wolfssl/wolfcrypt/settings.h:

-/* #define WOLFSSL_STATIC_DH */
+#define WOLFSSL_STATIC_DH
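
Review bot: the `+#define WOLFSSL_STATIC_DH` line is switched on by editing wolfssl/wolfcrypt/settings.h in the source tree, so it is not recorded in the ./configure line given for this build and is lost when the tree is replaced; passing it as a compiler define at configure time (for example CFLAGS="-DWOLFSSL_STATIC_DH") keeps the build reproducible. The define enables static-key suites such as the TLS_ECDH_ECDSA one tested in this post, which give no forward secrecy, so it is best limited to test builds.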

OS: ubuntu 20.04

server:

./examples/server/server -l TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

client:

./examples/client/client -l TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

error on server side:

...
Requires ECC
Don't have ECC
...

full output in attachments

The ssl->options.haveECC is 0 on server side, and I can't find a way to enable it.

Please help to fix,
thank you


Re: "Don't have ECC" server error for static DH suite

Hi artur,

The issue that debug is trying to show is that the server doesn't have an ECC key or certificate.
Please try the following server command line:

./examples/server/server -l TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 -c ./certs/server-ecc-rsa.pem -k ./certs/ecckey.pem

Alternatively, if you are using ECC for all certificates in the chain, then this pair of command lines shows the use:

./examples/server/server -l TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 -c ./certs/server-ecc.pem -k ./certs/ecckey.pem
./examples/client/client -l TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 -A ./certs/ca-ecc-cert.pem

Note that, by default, the client and server will use RSA keys and certificates.
These command lines are explicitly loading ECC keys and certificates. If you compile out RSA, then ECC keys and certificates are used by default.

Let us know if this works for you.

Sean

--
Sean Parkinson, wolfSSL
Senior Software Engineer


Re: "Don't have ECC" server error for static DH suite

Hi Sean,

Thanks a lot for your help.

You were absolutely correct,

I regenerated my certs with:

openssl ecparam -genkey -name prime256v1 -out key.pem
openssl req -new -sha256 -key key.pem -out csr.csr
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem

and it appears to be working now.
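
A pre-flight check for the fix discussed in this thread, as an added example that is not part of any post and is not wolfSSL code: it uses the openssl CLI to confirm that a certificate carries an ECC public key and that the private key belongs to it, before the pair is handed to the server with -c and -k. The function names and the script name check.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for an ECDSA-authenticated
# suite such as TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256. Needs the openssl CLI.

# Print EC, RSA or other for the public key inside a PEM certificate.
cert_key_type() {
    alg=$(openssl x509 -in "$1" -noout -text 2>/dev/null |
          sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    case "$alg" in
        id-ecPublicKey) echo EC ;;
        rsaEncryption)  echo RSA ;;
        *)              echo other ;;
    esac
}

# Succeed only if the private key in $2 belongs to the certificate in $1,
# by comparing the two SubjectPublicKeyInfo encodings.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if the pair can serve an ECDSA suite:
# the certificate key is ECC and the private key matches it.
ready_for_ecdsa_suite() {
    ktype=$(cert_key_type "$1")
    if [ "$ktype" != EC ]; then
        echo "certificate key is $ktype, suite requires ECC" >&2
        return 1
    fi
    if ! key_matches_cert "$1" "$2"; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    echo "ok: ECC certificate with matching key"
}

# Usage: sh check.sh certificate.pem key.pem
if [ "$#" -eq 2 ]; then
    ready_for_ecdsa_suite "$1" "$2"
fi
```

A pair that fails the first test (an RSA certificate, which is what the example server loads by default) is the situation that produces "Don't have ECC" on the server side.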


Re: "Don't have ECC" server error for static DH suite

Hi artur

Glad to be able to help!

Thanks for the confirmation,
Sean :-)
