>>> But that is not the command I suggested you to use, is it?

Well, yes, your command is "openssl s_client". Would you mind giving me the full command to list all the cipher-suites for NSS?

On Fri, Feb 26, 2016 at 11:37 AM, cnm marketing <cnn.market...@gmail.com> wrote:

> >>> But that is not the command I suggested you to use, is it?
> Well, yes, your command is "openssl s_client", would you mind giving me the full
> command to list all the cipher-suite for NSS.
>
> On Fri, Feb 26, 2016 at 9:52 AM, cnm marketing <cnn.market...@gmail.com> wrote:
>
>> >>> But that is not the command I suggested you to use, is it?
>> Well, yes, your command is "openssl s_client", would you mind giving me the
>> full command to list all the NSS.
>>
>> On Fri, Feb 26, 2016 at 9:37 AM, Kamil Dudka <kdu...@redhat.com> wrote:
>>
>>> On Friday 26 February 2016 09:29:12 cnm marketing wrote:
>>> > The result of cipher-suite that I got from the server as following and none
>>> > of them shows up in the table -
>>> >
>>> > command used to get cipher-suite on the server: openssl ciphers 'ALL:eNULL'
>>>
>>> But that is not the command I suggested you to use, is it?
>>>
>>> It is not clear to me how such a list will help you to debug the issue.
>>>
>>> Kamil
>>>
>>> > On Thu, Feb 25, 2016 at 3:41 PM, Kamil Dudka <kdu...@redhat.com> wrote:
>>> > > On Thursday, February 25, 2016 14:38:55 cnm marketing wrote:
>>> > > > Sorry, the server is inaccessible from outside.
>>> > > >
>>> > > > > Please check which cipher-suite exactly is used in the working case
>>> > > >
>>> > > > Not sure whether I got what you're saying, do you mean I need to obtains
>>> > > > the cipher-suite for NSS on that host.
>>> > > > Do you know the command for CentOS for this?
>>> > >
>>> > > You can obtain the info using the command 'openssl s_client'.
>>> > >
>>> > > Kamil
>>> > >
>>> > > > Thanks,
>>> > > >
>>> > > > On Thu, Feb 25, 2016 at 11:59 AM, Kamil Dudka <kdu...@redhat.com> wrote:
>>> > > > > On Thursday 25 February 2016 11:12:20 cnm marketing wrote:
>>> > > > > > Yes, we tried both with no luck -
>>> > > > > >
>>> > > > > > CURLOPT_SSLVERSION: CURL_SSLVERSION_DEFAULT, CURL_SSLVERSION_TLSv1,
>>> > > > > > CURL_SSLVERSION_SSLv2
>>> > > > > > and CURL_SSLVERSION_SSLv3
>>> > > > > > CURLOPT_SSL_CIPHER_LIST: tried all the cipher returned from "openssl
>>> > > > > > ciphers 'ALL:eNULL'"
>>> > > > >
>>> > > > > The cipher-suite identifiers used by OpenSSL are incompatible with the
>>> > > > > identifiers used by NSS.  Please check which cipher-suite exactly is used
>>> > > > > in the working case and try to look it up in the following table:
>>> > > > >
>>> > > > > https://github.com/curl/curl/blob/64fa3b8d/lib/vtls/nss.c#L104
>>> > > > >
>>> > > > > Is the server in question available anywhere for testing?
>>> > > > >
>>> > > > > Kamil
>>> > > > >
>>> > > > > > In addition, we are using the following nss-softokn-freebl
>>> > > > > > [root]# rpm -qa |grep nss-softokn
>>> > > > > > nss-softokn-3.14.3-10.el6_5.x86_64
>>> > > > > > nss-softokn-freebl-3.14.3-3.el6_4.i686
>>> > > > > > nss-softokn-freebl-3.14.3-3.el6_4.x86_64
>>> > > > > >
>>> > > > > > On Thu, Feb 25, 2016 at 10:00 AM, Kamil Dudka <kdu...@redhat.com> wrote:
>>> > > > > > > On Thursday 25 February 2016 09:15:37 cnm marketing wrote:
>>> > > > > > > > Hi,
>>> > > > > > > >
>>> > > > > > > > We use two different ports to do libcurl operations on "CentOS release 6.6
>>> > > > > > > > (Final)".
>>> > > > > > > >
>>> > > > > > > > In an internal port A, with "CURLOPT_VERBOSE" on, we got this message
>>> > > > > > > > "* Initializing NSS with certpath: sql:/etc/pki/nssdb" when using url
>>> > > > > > > > "https://xxxx.aaa.com:portA", then program hangs. However, it works if we
>>> > > > > > > > change "https" to "http". In addition, we try "openssl s_client -cipher
>>> > > > > > > > ...." to get cipher information via port A, it fails (timeout) for all the
>>> > > > > > > > cipher returned from "openssl ciphers 'ALL:eNULL' ....".
>>> > > > > > > >
>>> > > > > > > > In another port B, it works for both "https" and "http". When using openssl
>>> > > > > > > > to get cipher info. it also works fine.
>>> > > > > > > >
>>> > > > > > > >
>>> > > > > > > > Thanks,
>>> > > > > > > > cnm
>>> > > > > > >
>>> > > > > > > Have you tried to switch the SSL version and/or enabled cipher-suites?
>>> > > > > > > OpenSSL and NSS have different default configuration from each other.
>>> > > > > > > Please have a look at the following options:
>>> > > > > > >
>>> > > > > > > https://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
>>> > > > > > > https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
>>> > > > > > >
>>> > > > > > > Kamil
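The approach suggested in the thread, reading the negotiated cipher-suite from `openssl s_client` on the working port and translating it to the name curl's NSS backend expects, sketched as an added example (not part of the original messages). The sample output is constructed, the function names are hypothetical, and the name mapping is a partial one assumed from the cipher names curl documents for NSS; confirm each entry against the nss.c table linked in the thread.

```shell
#!/bin/sh
# Constructed excerpt of what `openssl s_client` prints after a handshake.
sample_s_client_output() {
cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
EOF
}

# Read s_client output on stdin and print "PROTOCOL CIPHER" from the
# SSL-Session block. A failed handshake reports cipher 0000: treated as error.
negotiated() {
  awk -F' *: *' '
    /^ *Protocol *:/ { p = $2 }
    /^ *Cipher *:/   { c = $2 }
    END { if (c == "" || c == "0000") exit 1; print p, c }'
}

# Partial OpenSSL-name -> curl NSS-name mapping (an assumption of this
# example; check every entry against the table in lib/vtls/nss.c).
openssl_to_curl_nss() {
  case "$1" in
    AES128-SHA)                  echo rsa_aes_128_sha ;;
    AES256-SHA)                  echo rsa_aes_256_sha ;;
    DES-CBC3-SHA)                echo rsa_3des_sha ;;
    DHE-RSA-AES128-SHA)          echo dhe_rsa_aes_128_cbc_sha ;;
    DHE-RSA-AES256-SHA)          echo dhe_rsa_aes_256_cbc_sha ;;
    ECDHE-RSA-AES128-SHA)        echo ecdhe_rsa_aes_128_sha ;;
    ECDHE-RSA-AES256-SHA)        echo ecdhe_rsa_aes_256_sha ;;
    AES128-GCM-SHA256)           echo rsa_aes_128_gcm_sha_256 ;;
    ECDHE-RSA-AES128-GCM-SHA256) echo ecdhe_rsa_aes_128_gcm_sha_256 ;;
    *) return 1 ;;   # not in this partial mapping
  esac
}

# stdin: s_client output; stdout: a value for CURLOPT_SSL_CIPHER_LIST.
nss_cipher_from_s_client() {
  session=$(negotiated) || return 1
  openssl_to_curl_nss "${session#* }"
}

# Against the working port (HOST and PORT_B are placeholders):
#   openssl s_client -connect HOST:PORT_B </dev/null 2>/dev/null | nss_cipher_from_s_client
sample_s_client_output | nss_cipher_from_s_client
```

The printed name is what an NSS-backed libcurl takes in `CURLOPT_SSL_CIPHER_LIST` (or `curl --ciphers`); OpenSSL-style names such as those from `openssl ciphers` are not recognised there.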