Are you certain that you configured the socket? If you can run the debugger, you should be able to drop a breakpoint in ssl3_SendClientHello and examine ss->cipherSuites. If that shows more than two entries with the enabled field equal to 1, you probably didn't correctly configure the socket.
On Tue, Jan 17, 2017 at 2:22 PM, George Wash <georgewas...@gmail.com> wrote: > Hello, > > Using NSS 3.19.1-18 & JSS 4.2.6-37 on RHEL7. > When using Mozilla JSS to create a client socket to a TLS server, I've > configured the socket to only use TLS_RSA_WITH_AES_256_CBC_SHA and > TLS_RSA_WITH_AES_128_CBC_SHA. > If I TCP dump the TLS Handshakes in the connection and inspect the cipher > suites presented in the TLS Client Hello, I see that my TLS client is > unconditionally asserting TLS_ECDHE_WITH_AES_256_GCM_SHA384 along with > various flavors of TLS_RSA_WITH_AES_256_X_SHA and > TLS_RSA_WITH_AES_128_X_SHA. Where is the TLS_ECDHE_WITH_AES_256_GCM_SHA384 > coming from? > > Has anyone seen this behavior before? > > Thanks > GW > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto