Hi Jeff,

Thanks for the response, but I'm still having trouble.

As for TLSv1.2:

With the OS version of openssl, my default connection looks to be TLSv1.1

However, if I add -tls1_2 to the call, I get this:
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

Should this be considered accurate (or should I verify with Wireshark)?

I compiled openssl-1.0.2-beta and its default connections look to be
TLSv1.2. However, I still fail to connect with any ECDHE-ECDSA.

One interesting point is that mail.google.com has at least two certificates,
one with ECDHE-RSA and one with ECDHE-ECDSA. When I connect to
mail.google.com in the browser, I get ECDHE-ECDSA. I can also see both
certs with gnutls-cli.

I made a test certificate using ECDHE-ECDSA, so I'm guessing that means the
capability is compiled in.

Cheers,

-Tom

On Wed, Mar 26, 2014 at 6:43 PM, Jeffrey Walton <noloa...@gmail.com> wrote:

> > I'm running ubuntu (12.04, I think) on a VM on a Macbook Air using
> > VMware. I tried the default ubuntu SSL, 1.0.1f, 1.0.1c and 1.0.2beta1,
> > no luck in any case.
> > ...
> > Any ideas why I can't do that with openssl?
>
> Ubuntu disables TLS 1.1 and 1.2 in their version of OpenSSL. See, for
> example, OpenSSL downlevel version is 1.0.0, and does not support TLS
> 1.2, https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1256576.
>
> You should be able to connect with -tls1; or build/install OpenSSL
> yourself and use the one installed at /usr/local/ssl/bin/openssl.
>
> > openssl s_client -connect mail.google.com:443 -tls1_2 -cipher
>
> You can also use -CAfile option for s_client to avoid the verify
> error. Use Google's Google Internet Authority G2 at
> http://pki.google.com/.
>
> Jeff
>
> On Wed, Mar 26, 2014 at 4:14 PM, Thomas Montroy <tom.mont...@gmail.com> wrote:
> > hi All,
> >
> > I've been trying to make ECDHE-ECDSA connections with openssl and have
> > been having trouble.
> >
> >
> > openssl s_client -connect mail.google.com:443 -tls1_2
> > This connects with cipher = ECDHE-RSA-AES128-GCM-SHA256
> >
> > According to Google-Chrome, the cipher for my web-based gmail connection
> > should be:
> > ECDHE-ECDSA-AES128-GCM-SHA256
> >
> > If I try to make that connection
> >
> > openssl s_client -connect mail.google.com:443 -tls1_2 -cipher
> > ECDHE-ECDSA-AES128-GCM-SHA256
> >
> > I get:
> >
> > CONNECTED(00000003)
> > 139818747868832:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
> > handshake failure:s3_pkt.c:1440:SSL alert number 40
> > 139818747868832:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl
> > handshake failure:s3_pkt.c:617:
> >
> > which looks like no connection.
> >
> > I'm running ubuntu (12.04, I think) on a VM on a Macbook Air using
> > VMware. I tried the default ubuntu SSL, 1.0.1f, 1.0.1c and 1.0.2beta1,
> > no luck in any case.
> >
> > I downloaded and compiled the latest version of gnutls:
> >
> > This gives an ECDHE-ECDSA connection
> > gnutls-cli --priority=NORMAL:-KX-ALL:+ECDHE-ECDSA mail.google.com
> >
> > This gives an ECDHE-RSA
> > gnutls-cli --priority=NORMAL:-KX-ALL:+ECDHE-RSA mail.google.com
> >
> > So I'm able to see both types of certificates for mail.google.com with
> > gnutls.
> >
> > Any ideas why I can't do that with openssl?
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
>
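A small helper that reads the two kinds of s_client output seen in this thread, added here as an example and not code from the OpenSSL project or from either poster. It pulls the negotiated protocol and cipher out of the SSL-Session block, splits the suite name into key exchange and authentication (so ECDHE-RSA versus ECDHE-ECDSA is visible at a glance), and recognises the "SSL alert number 40" line as a handshake_failure. The two sample outputs are copied from the thread; the command builder mirrors the -tls1_2, -cipher and -CAfile flags discussed above; run_probe is the only part that talks to the network and is only used when the file is run as a script.

```python
"""Interpret `openssl s_client` output offline.

Added example for this thread; it is not code from the OpenSSL project or
from either poster. The two samples below are copied from the thread
(the forced -tls1_2 session and the failed -cipher ECDHE-ECDSA attempt).
"""
import re
import subprocess

# Captured in the thread: -tls1_2 forced, server picked an ECDHE-RSA suite.
SAMPLE_OK = """\
CONNECTED(00000003)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

# Captured in the thread: -cipher ECDHE-ECDSA-AES128-GCM-SHA256 forced,
# server answered with a fatal handshake_failure alert (alert 40).
SAMPLE_FAIL = """\
CONNECTED(00000003)
139818747868832:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1440:SSL alert number 40
139818747868832:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:617:
"""

# OpenSSL suite names: "<kx>-<auth>-<bulk>-<mac>" for (EC)DH(E) suites,
# and just "<bulk>-<mac>" for static-RSA key transport (e.g. AES128-SHA).
KX_TOKENS = ("ECDHE", "DHE", "ECDH", "DH")
AUTH_TOKENS = ("RSA", "ECDSA", "DSS", "anon")


def split_suite(name):
    """Return (key_exchange, authentication) for an OpenSSL cipher-suite name."""
    parts = name.split("-")
    if len(parts) >= 2 and parts[0] in KX_TOKENS and parts[1] in AUTH_TOKENS:
        return parts[0], parts[1]
    return "RSA", "RSA"          # static RSA: key transport and auth by the RSA cert


def parse_s_client(output):
    """Extract what s_client reports as negotiated.

    Returns a dict with protocol, cipher, kx, auth, alert and ok. A failed
    handshake in 1.0.x s_client shows "Cipher : 0000" (or no session block)
    plus an "SSL alert number N" line; both are treated as no cipher.
    """
    res = {"protocol": None, "cipher": None, "kx": None, "auth": None,
           "alert": None, "ok": False}
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    if m:
        res["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if m and m.group(1) != "0000":
        res["cipher"] = m.group(1)
        res["kx"], res["auth"] = split_suite(res["cipher"])
    m = re.search(r"SSL alert number (\d+)", output)
    if m:
        res["alert"] = int(m.group(1))
    res["ok"] = res["cipher"] is not None and res["alert"] is None
    return res


def explain(res, want_auth=None):
    """One-line verdict, optionally checking which certificate type authenticated."""
    if not res["ok"]:
        if res["alert"] == 40:
            return ("handshake_failure (alert 40): server found no suite it could "
                    "use from the offered list")
        return "no session established"
    line = f"{res['protocol']} {res['cipher']} (kx={res['kx']}, auth={res['auth']})"
    if want_auth and res["auth"] != want_auth:
        line += f"; wanted {want_auth}-authenticated suite"
    return line


def s_client_argv(host, port=443, protocol=None, cipher=None, cafile=None):
    """Assemble the s_client command line used in the thread (nothing is executed)."""
    argv = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if protocol:                  # "tls1", "tls1_1" or "tls1_2"
        argv.append("-" + protocol)
    if cipher:                    # OpenSSL cipher string, e.g. ECDHE-ECDSA-AES128-GCM-SHA256
        argv += ["-cipher", cipher]
    if cafile:                    # PEM bundle, avoids the verify error Jeff mentions
        argv += ["-CAfile", cafile]
    return argv


def run_probe(host, **kw):
    """Actually connect with s_client and parse the result (script use only)."""
    proc = subprocess.run(s_client_argv(host, **kw), input=b"",
                          capture_output=True, timeout=20)
    return parse_s_client((proc.stdout + proc.stderr).decode(errors="replace"))


if __name__ == "__main__":
    for suite in ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES128-GCM-SHA256"):
        r = run_probe("mail.google.com", protocol="tls1_2", cipher=suite)
        print(suite, "->", explain(r, want_auth="ECDSA"))
```

Run as a script it issues the two probes from the thread and prints one verdict per suite; the auth field is the quick way to tell which of a server's certificates actually signed the handshake, independent of what the browser shows.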
