GnuTLS & OpenSSL incompatibility in RHEL

Alexander Rumyantsev alexander at
Tue Sep 23 01:16:35 PDT 2014

OpenSSL @RHEL supports following curves:

# openssl ecparam -list_curves 
  secp384r1 : NIST/SECG curve over a 384 bit prime field
  secp521r1 : NIST/SECG curve over a 521 bit prime field
  prime256v1: X9.62/SECG curve over a 256 bit prime field

So, adding ":-CURVE-SECP192R1:-CURVE-SECP224R1:-CURVE-SECP256R1" to DEFAULT_PRIO in gnutls.c solved the problem, but now I don’t know how to implement it correctly: wether to hardcode or to add an option like "--disable-incompatible-ec»

The main problem is that I can’t figure out wether it’s a GnuTLS bug, or OpenSSL bug, or RedHat bug in SSL/TLS handshake.

Now I’m occasionally catching "SSL read error: Success.; reconnecting. Socket connect cancelled» error, will investigate.

23 сент. 2014 г., в 10:42, Alexander Rumyantsev <alexander at> написал(а):

> Hi!
> I have ocserv running on RHEL 7 and openconnect on OS X 10.9+macports
> Recently I decided to hide ocserv behind haproxy to separate anyconnect connections from browser connections by User-Agent header.
> But i couldn’t establish connection due to following error: "SSL connection failure: curve not supported"
> I think that’s because of RHEL ships with hobbled OpenSSL (against of which haproxy was built) with very limited elliptic curves support due to RH Legal patent fears.
> Don’t even know how to deal with this, or even it worth of dealing.
> P.S. I think the mode of external ssl termination with unix socket support will be very useful in ocserv.
> Best regards,
> Alexander Rumyantsev

More information about the openconnect-devel mailing list