Score:0

How to force openssl/s_client to send a keyshare for the specific elliptic curve (secp256r1)?

LUN

I want to test my server application (TLS 1.3) using the s_client program from the openssl library, and I need to get from s_client a keyshare for secp256r1 in the 1st ClientHello (it proposes x25519 now).
Could you tell me which command-line options in s_client I should use?

Score:1

Use -curves or (synonym) -groups to specify all 'supported' groups, with the one you want offered in key_share FIRST, e.g. -curves secp256r1:secp384r1:X25519.

LUN
@dave_thompson_085, thank you very much - it helped! By the way, could you tell me: is sending the server certificate a mandatory step in the TLS 1.3 handshake, or can it be skipped?
dave_thompson_085
LUN: that's a different question, and not really crypto, but yes server cert is mandatory in 1.3 except when using PSK which in practice means except for 'resumption'; see 2nd para of [rfc8446 4.4.2](https://www.rfc-editor.org/rfc/rfc8446.html#section-4.4.2)
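
Added example, not part of the original thread: to confirm that the group listed first in -curves is the one actually sent in key_share, the ClientHello can be parsed on the test side. The function names and the sample message below are constructed for illustration; the input is the handshake message starting at its msg_type byte (TLS record header already stripped), and the names printed are the RFC 8446 spellings.

```python
# NamedGroup code points from RFC 8446 section 4.2.7 (subset).
GROUPS = {0x0017: "secp256r1", 0x0018: "secp384r1", 0x0019: "secp521r1",
          0x001D: "x25519", 0x001E: "x448"}
EXT_SUPPORTED_GROUPS, EXT_KEY_SHARE = 10, 51

def _vec(buf, pos, len_bytes):
    """Read a length-prefixed vector; return (body, next position)."""
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    end = pos + len_bytes + n
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos + len_bytes:end], end

def client_hello_groups(msg):
    """Return (supported_groups, key_share groups) as lists of names."""
    if len(msg) < 4 or msg[0] != 1:    # handshake msg_type 1 = client_hello
        raise ValueError("not a ClientHello")
    body, _ = _vec(msg, 1, 3)
    pos = 2 + 32                       # legacy_version + random
    _, pos = _vec(body, pos, 1)        # legacy_session_id
    _, pos = _vec(body, pos, 2)        # cipher_suites
    _, pos = _vec(body, pos, 1)        # legacy_compression_methods
    exts, _ = _vec(body, pos, 2)
    supported, shares, pos = [], [], 0
    while pos < len(exts):
        ext_type = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vec(exts, pos + 2, 2)
        if ext_type == EXT_SUPPORTED_GROUPS:
            lst, _ = _vec(data, 0, 2)
            supported = [int.from_bytes(lst[i:i + 2], "big")
                         for i in range(0, len(lst), 2)]
        elif ext_type == EXT_KEY_SHARE:
            lst, p = _vec(data, 0, 2)[0], 0
            while p < len(lst):        # KeyShareEntry: group, key_exchange
                shares.append(int.from_bytes(lst[p:p + 2], "big"))
                _, p = _vec(lst, p + 2, 2)
    return ([GROUPS.get(g, hex(g)) for g in supported],
            [GROUPS.get(g, hex(g)) for g in shares])

def _v(n, b):
    return len(b).to_bytes(n, "big") + b

def sample_client_hello():
    """Constructed message: groups as in the answer, one secp256r1 share."""
    sg = _v(2, bytes.fromhex("00170018001d"))
    ks = _v(2, b"\x00\x17" + _v(2, b"\x04" + bytes(64)))  # placeholder point
    exts = b"\x00\x0a" + _v(2, sg) + b"\x00\x33" + _v(2, ks)
    body = (b"\x03\x03" + bytes(32) + _v(1, b"") + _v(2, b"\x13\x01")
            + _v(1, b"\x00") + _v(2, exts))
    return b"\x01" + _v(3, body)
```

For the constructed sample, `client_hello_groups(sample_client_hello())` returns all three groups under supported_groups and only secp256r1 under key_share, which is the result the -curves ordering in the answer is meant to produce.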