Honzab wrote:
>> I used Wireshark to watch the traffic and found a very strange behavior
>> (the reason of the connection failure):
Please use ssltap instead. Save all the output and any cert.NNN files that
it creates.
>> - ClientHello packet contains (among others) suite 0xC014
>> (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA).
>> - ServerHello packet contains this suite as negotiated to be used for
>> the ssl session
>> - Client answers with fatal alert: Handshake Failure (40)
>>
>> I did not investigate the reason deeply, but it might be potentialy a
>> bug in NSS 3.11 (?). Code in mozilla\security\nss\lib\ssl\ssl3con.c
>> line 4488
Are you referring to the call to ssl3_config_match_init() in function
ssl3_HandleServerHello() ?
>> doesn't consider the suite as suitable for the session and
>> breaks the negotiation with fatal alert. This is strange, because the
>> client socket sent this suite in the list of suits as available for the
>> session.
Indeed. It makes me quite curious to see the ssltap output.
I really want to see the client hello message, and the server's full
response to it. Please use ssltap from NSS 3.11.3.
Invoke ssltap like this:
ssltap -sxlp <listen port> <server DNS name>:<server port>
e.g. if running on the system with the SSL server, this can be
ssltap -sxlp 444 localhost:443
then connect to port 444 on the server host, and ssltap on that host will
then connect to its localhost port 443.
Or if running ssltap on the SSL client system,
ssltap -sxlp 443 remotehost:443
then connect the SSL client to localhost:443 and ssltap will connect to
remotehost:443
Or run ssltap on a third machine (neither client nor server) and run it
as
ssltap -sxlp 443 serverhost:443
then connect to thirdmachine:443 and it will connect to serverhost:443
Julien Pierre wrote:
>
> Does this error also occur with NSS 3.11.3 ? Many ECC related bugs were
> fixed after the original NSS 3.11 . If you aren't using the latest,
> please upgrade.
Yes, the version of NSS in some of the FF 2.0 Betas had some issues.
If you're running one of those versions, do try it with the latest NSS,
or an older one.
> If the problem still occurs, you might need to file a bug. You'll need
> to provide all the information to reproduce the problem, ideally your
> server cert and private key in a PKCS#12 file if you can, and
> instructions on how to reproduce with the NSS tools tstclnt and selfserv.
We won't need your private key. I'd prefer the ssltap output, including
the output to stdout and stderr, and any cert.NNN files that ssltap creates.
--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
