On Monday 09 March 2015 13:37:20 Alessandro Ghedini wrote:
> Looks like you are right. I think I looked into an older firefox release and
> missed a whole bunch of other checks (like the fact that firefox now only
> allows ECDHE and AES GCM).
>
> I'll update the patch shortly and also add comments.

That would be cool. Thanks!

> It seems I'm having some problem with nss and ECDHE though: I updated my
> server's configuration to only allow ECDHE but when I use curl built with
> nss I get:
>
> > % src/curl https://ghedini.me -v
> > * STATE: INIT => CONNECT handle 0xe2f658; line 1046 (connection #-5000)
> > * Rebuilt URL to: https://ghedini.me/
> > * Added connection 0. The cache now contains 1 members
> > * STATE: CONNECT => WAITRESOLVE handle 0xe2f658; line 1083 (connection #0)
> > * Trying 149.154.152.214...
> > * STATE: WAITRESOLVE => WAITCONNECT handle 0xe2f658; line 1163 (connection
> > #0) * Connected to ghedini.me (149.154.152.214) port 443 (#0)
> > * STATE: WAITCONNECT => SENDPROTOCONNECT handle 0xe2f658; line 1202
> > (connection #0) * Marked for [keep alive]: HTTP default
> > * Initializing NSS with certpath: none
> > * CAfile: /etc/ssl/certs/ca-certificates.crt
> >
> > CApath: none
> >
> > * STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0xe2f658; line 1216
> > (connection #0) * NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
> > * Cannot communicate securely with peer: no common encryption
> > algorithm(s).
> > * Marked for [closure]: Failed HTTPS connection
> > * Closing connection 0
> > * The cache now contains 0 members
> > * Expire cleared
> > curl: (35) Cannot communicate securely with peer: no common encryption
> > algorithm(s).
> Any idea on what may be causing this? Using chromium built against the same
> libnss works fine, so maybe it's a curl problem? The nss version is 3.17.2.

I guess you need to enable the cipher-suites on client's side because NSS
does not enable all of them by default:

https://bugzilla.redhat.com/1185708

Kamil
