Re: [Mod_nss-list] NSS cipher list in CURLOPT_SSL_CIPHER_LIST

Tue, 17 May 2016 07:16:48 -0700 

Kamil Dudka wrote:

On Tuesday, May 17, 2016 14:45:50 Oliver Graute wrote:

Hello,

I found a miss match in the documentation of ciphers for curl and
modnss.  I'm not sure who is wrong here or if its simple lack in
documentation of ciphersuites. So I cross post it.

I followed the curl doc "CURLOPT_SSL_CIPHER_LIST" explained here
https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html

and then I followed this hint:

For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5',
´rsa_aes_128_sha´, etc. With NSS you don't add/remove ciphers. If one uses
this option then all known ciphers are disabled and only those passed in
are enabled.

You'll find more details about the NSS cipher lists on this URL:

http://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directi
ves

So if I'm using the ciphers in curl like specified there:

<li>ecdhe_ecdsa_aes_128_sha_256</li>

so here is no gcm and cbc mentioned.

in curl I got:
Unknown cipher in list: ecdhe_ecdsa_aes_128_sha_256

with gcm or with cbc in the cipher string it is working fine:

ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_cbc_sha_256

But this to nowhere specified.

Is this a wrong documentation or is this inaccurate in curl or nss?


I am not sure how the "cbc" substring disappeared from the cipher string
that mod_nss uses for TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256.  It seems to
be a mistake.
It didn't disappear, it was never there. I guess I didn't maintain the traditional cipher naming pattern when adding it. 


The best way to avoid troubles like this would be to move the table mapping
cipher-suite names to the actual cipher-suites to NSS itself.  There is an
upstream bug requesting exactly that:

https://bugzilla.mozilla.org/480174
Right, the bottom line is that there is no universal naming in NSS so the naming may be slightly different between different implementations. curl is so close to mod_nss because I used the mod_nss list at the time to bootstrap the curl list when I added NSS support. 

rob
-------------------------------------------------------------------
List admin: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html

Reply via email to