The “sslv3” text is misleading: it simply relates to the way the OpenSSL
internals are structured. Similarly, TLS_EMPTY_RENEGOTIATION_INFO_SCSV is a
“dummy” cipher suite used to signal to the server that renegotiation using RFC
5746 is supported: it’s not an actual cipher suite.
This error is almost certainly due to the remote server not having an ECDSA
certificate. When you say ECDHE-ECDSA-AES128-GCM-SHA256 you make it entirely
impossible to interoperate with servers that use RSA certificates, which is
probably not what you want to do. A more useful cipher suite string is
"ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256”, which includes
both the ECDSA and RSA variants of this cipher suite.
Cory
> On 3 Jul 2017, at 15:11, Karan karan <karan7...@gmail.com> wrote:
>
> I set : cont.set_cipher_list('ECDHE-ECDSA-AES128-GCM-SHA256')
>
> but i see the following error in the logs :
>
> connected ('**.**.**.**', 443)
> Traceback (most recent call last):
> File "test_ex.py", line 83, in <module>
> main()
> File "test_ex.py", line 65, in main
> cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()
> File "test_ex.py", line 33, in create_ssl_connection
> client_ssl.do_handshake()
> File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1638, in
> do_handshake
> File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 1378, in
> _raise_ssl_error
> File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 54, in
> exception_from_error_queue
> OpenSSL.SSL.Error: [('SSL routines', 'ssl3_read_bytes', 'sslv3 alert
> handshake failure')]
>
> However when i see in the wireshark i do the following ciphers set in the set
> client hello:
> TLS_EMPTY_RENEGOTIATION_INFO_SCS and
> 'ECDHE-ECDSA-AES128-GCM-SHA256.
>
> Im using TLS 1.2 not sure why its complaining about ssv3 protocol and using
> and the TLS_EMPTY_RENEGOTIATION_INFO_SCS.
>
> I'd appreciate if someone could help out on it.
>
> Thanks,
> Karan.
>
>
>
> On Mon, Jul 3, 2017 at 6:18 AM, Karan karan <karan7...@gmail.com
> <mailto:karan7...@gmail.com>> wrote:
> Hi,
>
> I'm trying to set a specific cipher in the ('ECDHE-ECDSA-AES128-GCM-SHA256')
> the cipher list using the API: set_cipher_list but im getting the following
> error :
>
> kjoshi@ubuntu64dev:~/openssl_playground$ python test_ex.py
> -----------------------------------
> connected ('192.168.152.132', 443)
> Traceback (most recent call last):
> File "test_ex.py", line 83, in <module>
> main()
> File "test_ex.py", line 65, in main
> cont, initial_session, ssl_conn, tcp_conn = create_ssl_connection()
> File "test_ex.py", line 25, in create_ssl_connection
> cont.set_cipher_list('ECDHE+ECDSA+AES128+GCM+SHA256')
> File "build/bdist.linux-x86_64/egg/OpenSSL/SSL.py", line 975, in
> set_cipher_list
> File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 67, in
> openssl_assert
> File "build/bdist.linux-x86_64/egg/OpenSSL/_util.py", line 54, in
> exception_from_error_queue
> OpenSSL.SSL.Error: [('SSL routines', 'SSL_CTX_set_cipher_list', 'no cipher
> match')]
>
>
> Below is the code that i have:
>
> cont = Context(TLSv1_2_METHOD)
> #cont.set_cipher_list('0xc00e')
> #cont.set_cipher_list('ECDHE+ECDSA+AESGCM+SHA256')
> #cont.set_cipher_list('ECDHE-ECDSA-AES128-GCM-SHA256')
> cont.set_cipher_list('ECDHE+ECDSA+AES128+GCM+SHA256')
> client_ssl = Connection(cont, client)
> client_ssl.set_connect_state()
> client_ssl.do_handshake()
> session_ref = client_ssl.get_session()
>
>
> As seen above i tried numerous combination of word separators (_,-,+) but
> nothing seemed to have helped.
>
> I would appreciate if someone could please let me know on the usage of
> this.I'm sure there must be a way of sending a specific cipher.
> I'm performing a test on my local apache server.
>
> Thanks,
> Karan.
>
>
> _______________________________________________
> Cryptography-dev mailing list
> Cryptography-dev@python.org
> https://mail.python.org/mailman/listinfo/cryptography-dev
_______________________________________________
Cryptography-dev mailing list
Cryptography-dev@python.org
https://mail.python.org/mailman/listinfo/cryptography-dev
