I have done the following test:
In `tls_domain.c`, comment out the usage of a P-256 curve
```C
/*
 * ECDHE is enabled only on OpenSSL 1.0.0e and later.
 * See http://www.openssl.org/news/secadv_20110906.txt
 * for details.
 */
#ifndef OPENSSL_NO_ECDH
static void setup_ecdh(SSL_CTX *ctx)
{
	EC_KEY *ecdh;

	if (SSLeay() < 0x1000005fL) {
		return;
	}

	// ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
	SSL_CTX_set_options(ctx, SSL_OP_SINGLE_ECDH_USE);
	// SSL_CTX_set_tmp_ecdh(ctx, ecdh);

	// EC_KEY_free(ecdh);
}
#endif
```
In this case everything works as expected; I can set `cipher_list` in both
`[server:default]` and `[client:default]` and the TLS handshake will succeed in both
directions.