Honzab wrote: >> I used Wireshark to watch the traffic and found a very strange behavior >> (the reason of the connection failure):
Please use ssltap instead. Save all the output and any cert.NNN files that it creates. >> - ClientHello packet contains (among others) suite 0xC014 >> (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA). >> - ServerHello packet contains this suite as negotiated to be used for >> the ssl session >> - Client answers with fatal alert: Handshake Failure (40) >> >> I did not investigate the reason deeply, but it might be potentialy a >> bug in NSS 3.11 (?). Code in mozilla\security\nss\lib\ssl\ssl3con.c >> line 4488 Are you referring to the call to ssl3_config_match_init() in function ssl3_HandleServerHello() ? >> doesn't consider the suite as suitable for the session and >> breaks the negotiation with fatal alert. This is strange, because the >> client socket sent this suite in the list of suits as available for the >> session. Indeed. It makes me quite curious to see the ssltap output. I really want to see the client hello message, and the server's full response to it. Please use ssltap from NSS 3.11.3. Invoke ssltap like this: ssltap -sxlp <listen port> <server DNS name>:<server port> e.g. if running on the system with the SSL server, this can be ssltap -sxlp 444 localhost:443 then connect to port 444 on the server host, and ssltap on that host will then connect to its localhost port 443. Or if running ssltap on the SSL client system, ssltap -sxlp 443 remotehost:443 then connect the SSL client to localhost:443 and ssltap will connect to remotehost:443 Or run ssltap on a third machine (neither client nor server) and run it as ssltap -sxlp 443 serverhost:443 then connect to thirdmachine:443 and it will connect to serverhost:443 Julien Pierre wrote: > > Does this error also occur with NSS 3.11.3 ? Many ECC related bugs were > fixed after the original NSS 3.11 . If you aren't using the latest, > please upgrade. Yes, the version of NSS in some of the FF 2.0 Betas had some issues. If you're running one of those versions, do try it with the latest NSS, or an older one. > If the problem still occurs, you might need to file a bug. You'll need > to provide all the information to reproduce the problem, ideally your > server cert and private key in a PKCS#12 file if you can, and > instructions on how to reproduce with the NSS tools tstclnt and selfserv. We won't need your private key. I'd prefer the ssltap output, including the output to stdout and stderr, and any cert.NNN files that ssltap creates. -- Nelson B _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto