Hi,

We are running a Thrift server (TThreadPoolServer) and we have a problem when we set strong ciphers on TSSLSocketFactory.

When we set the following via TSSLSocketFactory::ciphers(string ciphers):

ciphers = kEECDH:kEDH:kRSA:!kPSK:!aPSK:!aDSS:!aNULL:!NULL:!SEED:!3DES:!MD5:!RC4:!CAMELLIA:!SSLv3

we could see that OpenSSL clients always use one of the following ciphers to negotiate with the server:

AES128-SHA256
AES128-GCM-SHA256
AES256-SHA256

When we set the following:

cipher = ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384

and use the OpenSSL client, the handshake fails with an alert, reason 40.

We understand that the server's choice of cipher depends on the key exchange algorithm defined in the SSL certificates installed on the server. Our server has certificates using RSA, so we expect that in the second case above the server should finish the handshake with cipher ECDHE-RSA-AES256-SHA384. However, we don't see this happening.

Questions:

1. We are using Thrift 0.14.0. Any known limitation with this version of Thrift?
2. Does Thrift support Diffie-Hellman ciphers for TLS?
3. How do we debug further why the handshake is failing?

Any pointers here would be helpful. We want to set strong ciphers like ECDHE-RSA-AES256-SHA384 on the SSL interface of the server and have the OpenSSL clients connect with that cipher and complete a successful handshake with our server.

Thanks,
Hari
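As an added example (not code from the post or from Thrift), the script below expands each of the two cipher strings quoted above with the local OpenSSL via Python's ssl module and reports which of the resulting suites a server holding an RSA certificate can actually offer, and whether any of them require ephemeral ECDH; the RSA key type is an assumption taken from the post.

```python
import ssl

# Inputs taken from the post above (constructed labels, page's cipher strings).
BROAD_CIPHERS = ("kEECDH:kEDH:kRSA:!kPSK:!aPSK:!aDSS:!aNULL:!NULL:"
                 "!SEED:!3DES:!MD5:!RC4:!CAMELLIA:!SSLv3")
STRICT_CIPHERS = "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384"

# Certificate key type -> the authentication tag a suite must carry to use it.
AUTH_FOR_KEY = {"RSA": "auth-rsa", "EC": "auth-ecdsa"}


def expand_ciphers(cipher_string):
    """Suites (TLS 1.2 and below) a server context would advertise for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and always show up; leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def offerable_suites(cipher_string, cert_key_type):
    """Subset of the expanded suites that a server with this certificate key can use."""
    wanted = AUTH_FOR_KEY[cert_key_type]
    return [c for c in expand_ciphers(cipher_string)
            if c["auth"] in (wanted, "auth-any")]


def diagnose(cipher_string, cert_key_type):
    """Summarise what the cipher string means for a server with the given certificate."""
    usable = offerable_suites(cipher_string, cert_key_type)
    kea = {c["kea"] for c in usable}
    return {
        "usable": [c["name"] for c in usable],
        "needs_ecdhe": "kx-ecdhe" in kea,      # server must have an ECDH curve enabled
        "allows_static_rsa": "kx-rsa" in kea,  # no forward secrecy if one of these is picked
        "ecdhe_only": bool(usable) and kea == {"kx-ecdhe"},
    }


if __name__ == "__main__":
    for label, cs in (("broad", BROAD_CIPHERS), ("strict", STRICT_CIPHERS)):
        report = diagnose(cs, "RSA")
        print(label, "needs_ecdhe=%s allows_static_rsa=%s" %
              (report["needs_ecdhe"], report["allows_static_rsa"]))
        print("  usable:", ", ".join(report["usable"][:6]))
```

When the usable list for a string contains only ECDHE suites, the server must also have ephemeral ECDH (a supported curve) configured; if it is not, OpenSSL cannot select any suite and the client sees handshake_failure (alert 40), whereas the broad string still leaves static RSA suites such as AES128-SHA256 available as a fallback.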