On 2013-07-19 04:01, Lukas Tribus wrote:
>> I suspect the issue lies somewhere in the static build of openssl, but
>> since I followed the doc and didn't add anything funky, I'm not sure
>> what to look at next...
>
> First thing I would do is to try OpenSSL stable, really. Even if the client correctly works with ECDHE, it doesn't mean it fully works in all conditions.

Yep. You were right. I tried with the latest stable openssl, and it worked.

-------------------------------------------------------------------------
    $ ./CiphersScan.sh <target>:8443 -v
    prio  ciphersuite
    1     ECDHE-RSA-AES256-GCM-SHA384
    2     ECDHE-RSA-AES128-GCM-SHA256
    3     ECDHE-RSA-RC4-SHA
    4     DHE-RSA-AES256-GCM-SHA384
    5     DHE-RSA-AES128-GCM-SHA256
    6     ECDHE-RSA-AES256-SHA384
    7     ECDHE-RSA-AES256-SHA
    8     ECDHE-RSA-AES128-SHA256
    9     ECDHE-RSA-AES128-SHA
    10    RC4-SHA
    11    DHE-RSA-AES256-SHA256
    12    DHE-RSA-AES256-SHA
    13    DHE-RSA-CAMELLIA256-SHA
    14    AES256-GCM-SHA384
    15    AES256-SHA256
    16    AES256-SHA
    17    CAMELLIA256-SHA
    18    DHE-RSA-AES128-SHA256
    19    DHE-RSA-AES128-SHA
    20    DHE-RSA-CAMELLIA128-SHA
    21    AES128-GCM-SHA256
    22    AES128-SHA256
    23    AES128-SHA
    24    CAMELLIA128-SHA
-------------------------------------------------------------------------


-------------------------------------------------------------------------
    # ./bin/haproxy -vv
    HA-Proxy version 1.5-dev19-12 2013/07/06
    Copyright 2000-2013 Willy Tarreau <w...@1wt.eu>

    Build options :
      TARGET  = linux2628
      CPU     = generic
      CC      = gcc
      CFLAGS  = -O2 -g -fno-strict-aliasing
      OPTIONS = USE_OPENSSL=1 USE_STATIC_PCRE=1

    Default settings :
      maxconn = 2000, bufsize = 16384, maxrewrite = 8192, maxpollevents = 200

    Encrypted password support via crypt(3): yes
    Built without zlib support (USE_ZLIB not set)
    Compression algorithms supported : identity
    Built with OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
    Running on OpenSSL version : OpenSSL 1.0.1e 11 Feb 2013
    OpenSSL library supports TLS extensions : yes
    OpenSSL library supports SNI : yes
    OpenSSL library supports prefer-server-ciphers : yes
    Built with PCRE version : 8.32 2012-11-30
    PCRE library supports JIT : no (USE_PCRE_JIT not set)
    Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT IP_FREEBIND

    Available polling systems :
          epoll : pref=300,  test result OK
           poll : pref=200,  test result OK
         select : pref=150,  test result OK
    Total: 3 (3 usable), will use epoll.
-------------------------------------------------------------------------



Thanks for the help!

--
Julien Vehent
(307) 363-2101
http://jve.linuxwall.info
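As an added example (not part of the thread, the CiphersScan.sh tool or HAProxy), a small Python audit over scan output in the format quoted above: it parses the prio/ciphersuite table, marks suites that lack forward secrecy or use RC4, and checks whether the server's preference order puts every ephemeral (ECDHE/DHE) suite ahead of the static-RSA ones. The embedded input is a constructed subset of the list in the message.

```python
import re

# Constructed sample: a subset of the CiphersScan.sh output quoted in the thread,
# keeping the interleaving of PFS and non-PFS suites around priority 10/11.
SCAN_OUTPUT = """\
prio  ciphersuite
1     ECDHE-RSA-AES256-GCM-SHA384
2     ECDHE-RSA-AES128-GCM-SHA256
3     ECDHE-RSA-RC4-SHA
4     DHE-RSA-AES256-GCM-SHA384
10    RC4-SHA
11    DHE-RSA-AES256-SHA256
14    AES256-GCM-SHA384
24    CAMELLIA128-SHA
"""

# One table row: a priority number followed by an OpenSSL cipher-suite name.
LINE_RE = re.compile(r"^\s*(\d+)\s+([A-Z0-9-]+)\s*$")


def parse_scan(text):
    """Return [(prio, suite)] from 'prio ciphersuite' output; header lines are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            suites.append((int(m.group(1)), m.group(2)))
    return suites


def classify(suite):
    """Derive security properties from an OpenSSL suite name."""
    kx = suite.split("-")[0]
    return {
        "suite": suite,
        "forward_secrecy": kx in ("ECDHE", "DHE"),  # ephemeral key exchange
        "aead": "-GCM-" in suite,                   # GCM suites are AEAD
        "rc4": "RC4" in suite,                      # deprecated stream cipher
    }


def audit(text):
    """Flag RC4 and non-PFS suites, and check that all PFS suites are preferred first."""
    findings = {"rc4": [], "no_pfs": [], "aead_pfs": 0, "pfs_before_non_pfs": True}
    seen_non_pfs = False
    for _prio, suite in parse_scan(text):
        c = classify(suite)
        if c["rc4"]:
            findings["rc4"].append(suite)
        if not c["forward_secrecy"]:
            findings["no_pfs"].append(suite)
            seen_non_pfs = True
        else:
            findings["aead_pfs"] += int(c["aead"])
            if seen_non_pfs:  # a PFS suite ranked below a non-PFS one
                findings["pfs_before_non_pfs"] = False
    return findings
```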
