3

I am implementing an SSL server using boost::asio.

The context initialization is shown in the code below:

    boost::asio::ssl::context_base::method SSL_version =
            static_cast<boost::asio::ssl::context_base::method>(param_values[ID_PROTOCOL_VERSION].int32_value);

    // load certificate files
    boost::shared_ptr<boost::asio::ssl::context> context_ = boost::shared_ptr<boost::asio::ssl::context>(
            new boost::asio::ssl::context(SSL_version));     
    p_ctx = boost::static_pointer_cast<void>(context_);

    context_->set_options(boost::asio::ssl::context::default_workarounds);

    context_->use_certificate_chain_file(cert_chain_file);
    context_->use_certificate_file(cert_file, boost::asio::ssl::context::pem);
    context_->use_private_key_file(cert_file, boost::asio::ssl::context::pem);

    context_->set_verify_mode(boost::asio::ssl::verify_peer | boost::asio::ssl::verify_fail_if_no_peer_cert);
    context_->set_verify_callback(boost::bind(&verify_certificate_cb, _1, _2));

    if (param_values[ID_CIPHER_LIST].int32_value != 0)
    {
        std::string cipher_list = "";
        generate_cipher_list(param_values[ID_CIPHER_LIST].int32_value, cipher_list);
        MA5G_logger::log(PRIORITY_INFO, "Supported cipher list %s", cipher_list.c_str());
        SSL_CTX_set_cipher_list((reinterpret_cast<boost::asio::ssl::context*>(p_ctx.get()))->native_handle(),
                cipher_list.c_str());
    }

In the cipher_list, I am supporting the list below:

    AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA

With ECDSA certificates, if I use the cipher_list given above, then the client cannot connect to the server and gives the error "No shared cipher". But if I do not give a cipher_list, then the client can successfully connect to the server. The same cipher list works fine with RSA certificates.

The same ECDSA certificates work fine if I use openssl s_server with the -cipher option to provide the supported cipher_list.

Can anyone help with this issue?

Chirag Desai

2 Answers

2

No, sorry buddy, I found the answer after a lot of research.

The problem is with the cipher list and not with the code / certificate.

The same certificate uses the ECDHE-ECDSA-AES256-SHA cipher with the openssl client-server, while it used the ECDH-ECDSA-AES256-SHA cipher for the boost asio SSL client-server.

Anyway, thanks @rkyser for your help!

Chirag Desai
1

I found this buried in the FAQ of the openssl-1.0.1 source code:

  • Why can't I make an SSL connection to a server using a DSA certificate?

Typically you'll see a message saying there are no shared ciphers when the same setup works fine with an RSA certificate. There are two possible causes. The client may not support connections to DSA servers most web browsers (including Netscape and MSIE) only support connections to servers supporting RSA cipher suites. The other cause is that a set of DH parameters has not been supplied to the server. DH parameters can be created with the dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example: check the source to s_server in apps/s_server.c for an example.

So based on this, make sure you are setting your DH parameters using SSL_CTX_set_tmp_dh().

rkyser
  • DSA and ECDSA certificates are two different certificate types in OpenSSL. In fact, his code will probably work with both RSA and DSS (DSA). And he would use `SSL_CTX_set_tmp_ecdh`, not `SSL_CTX_set_tmp_dh`. Anyway, `s_client` should not suffer like MSIE or Netscape. – jww Mar 04 '14 at 15:11
  • Just wanted to chime in and say thanks for posting this info, both rkyser and @jww. The docs are so damn confusing, it had me confused and thinking I needed to use tmp_dh callback and not tmp_ecdh callback. Looking back it should have been obvious to me, since ecdh != dh. The funny thing is though, that all the countless google searches on my problem yielded nothing about tmp_ecdh, not even a hint. This comment was it, and it helped immensely. Thanks again, –  Mar 16 '15 at 10:42
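
The behaviour reported in the question and the `SSL_CTX_set_tmp_ecdh` comment above can be reproduced with a small model of which suites a server is able to offer; this is an added example, not code from the posts, OpenSSL or Boost.Asio. It assumes the OpenSSL 1.0.1-era rule that ECDHE suites are only available once temporary ECDH parameters are set on the context, ignores protocol version and client preferences, and its names (`classify`, `usable_suites`, `kQuestionList`) are hypothetical.

```cpp
// Added example: a simplified model, not OpenSSL or Boost.Asio code.
#include <iostream>
#include <sstream>
#include <stdexcept>
#include <string>
#include <vector>

enum class CertKey { RSA, ECDSA };
struct Suite { CertKey auth; bool needs_tmp_ecdh; };

// Classify a suite name by prefix. Only the families named on this page are
// modelled; anything else is rejected rather than silently misclassified.
Suite classify(const std::string& name) {
    auto starts = [&](const char* p) { return name.rfind(p, 0) == 0; };
    if (starts("ECDHE-ECDSA-")) return {CertKey::ECDSA, true};   // ephemeral ECDH
    if (starts("ECDH-ECDSA-"))  return {CertKey::ECDSA, false};  // static ECDH
    if (starts("AES"))          return {CertKey::RSA, false};    // RSA key exchange
    throw std::invalid_argument("suite family not modelled: " + name);
}

// Suites from a colon-separated list that a server can offer, given its
// certificate key type and whether temporary ECDH parameters were set
// (what SSL_CTX_set_tmp_ecdh does on the real SSL_CTX).
std::vector<std::string> usable_suites(const std::string& list, CertKey cert,
                                       bool tmp_ecdh_set) {
    std::vector<std::string> out;
    std::istringstream in(list);
    for (std::string name; std::getline(in, name, ':');) {
        if (name.empty()) continue;
        const Suite s = classify(name);
        if (s.auth != cert) continue;                    // certificate type mismatch
        if (s.needs_tmp_ecdh && !tmp_ecdh_set) continue; // ECDHE disabled
        out.push_back(name);
    }
    return out;
}

// Cipher list copied from the question.
const std::string kQuestionList =
    "AES128-SHA:AES256-SHA:AES128-SHA256:AES256-SHA256:AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA";

int main() {
    for (bool ecdh : {false, true})
        std::cout << "ECDSA cert, temp ECDH " << (ecdh ? "set: " : "unset: ")
                  << usable_suites(kQuestionList, CertKey::ECDSA, ecdh).size() << "\n";
    std::cout << "RSA cert: " << usable_suites(kQuestionList, CertKey::RSA, false).size() << "\n";
}
```

With an ECDSA certificate and no temporary ECDH parameters the question's list leaves nothing to negotiate, while a list that also contains a static `ECDH-ECDSA-` suite still yields one usable entry.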