Hi all,

I need TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 cipher suit. its old static ECDH.

I tested it with example/client and example/server, works just fine.

I also need to keep keys in PKCS11 storage.

I took example from https://github.com/wolfSSL/wolfssl-exam … cs11-ecc.c:

then test it with TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (it's not static), work just fine.

BUT...

When I use static ECDH and PKCS11 it doens't work!

I took server-tls-pkcs11-ecc.c as a base then add static ECDH cipher:

wolfSSL_CTX_set_cipher_list(ctx, "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256")

then run...

and then after connection I have a handshake error:

wolfSSL Leaving DoClientHello, return -501

the cause is that "ctx->haveStaticECC" property is false.
it set to true during setting private key, but in case of PKCS11 private key is not extractble.

also I'd like to highlight that ECDH with private.pem file works, ECDHE with PKCS11 works,
ECDH with PKCS11 fails.

my build options:

./configure --enable-pkcs11 --enable-ecc --enable-trustedca --enable-renegotiation-indication --enable-debug

and also enabled WOLFSSL_STATIC_DH in settings.h

If someone knows any approach how to fix it, I'd kindly ask to share it.
thank you.

P.S.
I did "ctx->haveStaticECC = 1;" manually, it crashes in DoClientKeyExchange because ssl->hskey->dp is NULL, and according to PKCS11 sniffer it didn't even try to get EC_POINT from PKCS11 storage.

Hi Sean,

Thanks a lot for your help.

You were absolutely correct,

I regenerated my certs with:

openssl ecparam -genkey -name prime256v1 -out key.pem
openssl req -new -sha256 -key key.pem -out csr.csr
openssl req -x509 -sha256 -days 365 -key key.pem -in csr.csr -out certificate.pem

and it appears to be working now.

Hi All,

trying WolfSLL v5.6.0-stable.

build option:

./configure --enable-pkcs11 --enable-ecc --enable-debug

diff wolfssl/wolfcrypt/settings.h:

-/* #define WOLFSSL_STATIC_DH */
+#define WOLFSSL_STATIC_DH

OS: ubuntu 20.04

server:

./example/server/server -l TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

client:

./example/client/client -l TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256

error on server side:

...
Requires ECC
Don't have ECC
...

full output in attachments

The ssl->options.haveECC is 0 on server side, and I can't find a way to enable it.

Please help to fix,
thank you