On Tuesday, May 17, 2016 14:45:50 Oliver Graute wrote:
> Hello,
>
> I found a mismatch in the documentation of ciphers for curl and
> modnss. I'm not sure who is wrong here or if it's a simple lack in
> documentation of ciphersuites. So I cross post it.
>
> I followed the curl doc "CURLOPT_SSL_CIPHER_LIST" explained here
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
>
> and then I followed this hint:
>
> For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5',
> 'rsa_aes_128_sha', etc. With NSS you don't add/remove ciphers. If one uses
> this option then all known ciphers are disabled and only those passed in
> are enabled.
>
> You'll find more details about the NSS cipher lists on this URL:
>
> http://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives
>
> So if I'm using the ciphers in curl like specified there:
>
> <li>ecdhe_ecdsa_aes_128_sha_256</li>
>
> so here is no gcm and cbc mentioned.
>
> in curl I got:
> Unknown cipher in list: ecdhe_ecdsa_aes_128_sha_256
>
> with gcm or with cbc in the cipher string it is working fine:
>
> ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_cbc_sha_256
>
> But this is nowhere specified.
>
> Is this a wrong documentation or is this inaccurate in curl or nss?

I am not sure how the "cbc" substring disappeared from the cipher string that
mod_nss uses for TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. It seems to be
a mistake. The best way to avoid troubles like this would be to move the
table mapping cipher-suite names to the actual cipher-suites to NSS itself.
There is an upstream bug requesting exactly that:

https://bugzilla.mozilla.org/480174

Kamil

> Best regards,
>
> Oliver
> -------------------------------------------------------------------
> List admin: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
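
Added example, not part of the original thread and not curl or NSS code: a pre-deployment check that applies the strict allow-list behaviour described above to a cipher list and, for an unknown name, counts the known names it is exactly one token (such as "cbc" or "gcm") short of. The name table is a constructed subset holding only names quoted in this thread, and the ", " delimiters and the helper names `one_token_longer` and `check_list` are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed table: only the names quoted in this thread. A real check
   would use the names accepted by the curl/NSS build actually deployed. */
static const char *const known[] = {
    "rsa_rc4_128_md5", "rsa_aes_128_sha",
    "ecdhe_ecdsa_aes_128_cbc_sha_256", "ecdhe_ecdsa_aes_128_gcm_sha_256",
};
#define NKNOWN (sizeof known / sizeof known[0])

/* 1 if `full` is `name` plus exactly one "_token" inserted at an underscore
   boundary or at the end (for example a missing "_cbc" or "_gcm"). */
static int one_token_longer(const char *name, const char *full) {
    size_t n = strlen(name), f = strlen(full);
    if (f < n + 2) return 0;
    size_t d = f - n; /* length of the inserted "_token" */
    for (size_t k = 1; k <= n; k++) {
        if (k < n && name[k] != '_') continue;
        if (memcmp(name, full, k) != 0 || full[k] != '_') continue;
        if (memchr(full + k + 1, '_', d - 1)) continue; /* one token only */
        if (strcmp(name + k, full + k + d) == 0) return 1;
    }
    return 0;
}

/* Strict allow-list check (", " delimiters assumed). Returns 0 if all names are
   known, else -1 with the first unknown in `bad`, near-miss count in *nsug. */
static int check_list(const char *list, char *bad, size_t badsz, int *nsug) {
    char buf[256];
    bad[0] = '\0'; *nsug = 0;
    if (strlen(list) >= sizeof buf) return -1;
    strcpy(buf, list);
    for (char *t = strtok(buf, ", "); t; t = strtok(NULL, ", ")) {
        int hit = 0;
        for (size_t i = 0; i < NKNOWN; i++) hit |= !strcmp(known[i], t);
        if (hit) continue;
        snprintf(bad, badsz, "%s", t);
        for (size_t i = 0; i < NKNOWN; i++) *nsug += one_token_longer(t, known[i]);
        return -1;
    }
    return 0;
}

int main(void) {
    char bad[64]; int n;
    if (check_list("ecdhe_ecdsa_aes_128_sha_256", bad, sizeof bad, &n))
        printf("Unknown cipher in list: %s (%d near-miss names)\n", bad, n);
    return 0;
}
```

Running such a check when a configuration is written makes a name copied from mismatched documentation fail at review time rather than at connection time.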
