hi Jeff, Thanks for the response, but I'm still having trouble.

As for TLSv1.2: With the OS version of openssl, my default connection looks to be TLSv1.1. However, if I add -tls1_2 to the call, I get this:

    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384

Should this be considered accurate (or should I verify with wireshark)?

I compiled the openssl-1.0.2-beta and its default connection looks to be TLSv1.2. However, I still fail to connect with any ECDHE-ECDSA.

One interesting point is that mail.google.com has at least two certificates, one with ECDHE-RSA and one with ECDHE-ECDSA. When I connect to mail.google.com in the browser, I get ECDHE-ECDSA. I can also see both certs with gnutls-cli.

I made a test certificate using ECDHE-ECDSA, so I'm guessing that means the capability is compiled in.

Cheers,
-Tom

On Wed, Mar 26, 2014 at 6:43 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
>> I'm running ubuntu (12.04, I think) on a VM on a Macbook Air using VMware.
>> I tried the default ubuntu SSL, 1.0.1f, 1.0.1c and 1.0.2beta1, no luck in
>> any case.
>> ...
>> Any ideas why I can't do that with openssl?
>
> Ubuntu disables TLS 1.1 and 1.2 in their version of OpenSSL. See, for
> example, OpenSSL downlevel version is 1.0.0, and does not support TLS
> 1.2, https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1256576.
>
> You should be able to connect with -tls1; or build/install OpenSSL
> yourself and use the one installed at /usr/local/ssl/bin/openssl.
>
>> openssl s_client -connect mail.google.com:443 -tls1_2 -cipher
>
> You can also use the -CAfile option for s_client to avoid the verify
> error. Use Google's Google Internet Authority G2 at
> http://pki.google.com/.
>
> Jeff
>
> On Wed, Mar 26, 2014 at 4:14 PM, Thomas Montroy <tom.mont...@gmail.com> wrote:
>> hi All,
>>
>> I've been trying to make ECDHE-ECDSA connections with openssl and have
>> been having trouble.
>>
>>     openssl s_client -connect mail.google.com:443 -tls1_2
>>
>> This connects with cipher = ECDHE-RSA-AES128-GCM-SHA256
>>
>> According to Google-Chrome, the cipher for my web-based gmail connection
>> should be:
>>
>>     ECDHE-ECDSA-AES128-GCM-SHA256
>>
>> If I try to make that connection
>>
>>     openssl s_client -connect mail.google.com:443 -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256
>>
>> I get:
>>
>>     CONNECTED(00000003)
>>     139818747868832:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1440:SSL alert number 40
>>     139818747868832:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:617:
>>
>> which looks like no connection.
>>
>> I'm running ubuntu (12.04, I think) on a VM on a Macbook Air using VMware.
>> I tried the default ubuntu SSL, 1.0.1f, 1.0.1c and 1.0.2beta1, no luck in
>> any case.
>>
>> I downloaded and compiled the latest version of gnutls:
>>
>> This gives an ECDHE-ECDSA connection
>>
>>     gnutls-cli --priority=NORMAL:-KX-ALL:+ECDHE-ECDSA mail.google.com
>>
>> This gives an ECDHE-RSA
>>
>>     gnutls-cli --priority=NORMAL:-KX-ALL:+ECDHE-RSA mail.google.com
>>
>> So I'm able to see both types of certificates for mail.google.com with
>> gnutls.
>>
>> Any ideas why I can't do that with openssl?
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
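Tom asks whether the SSL-Session block can be trusted as the record of what was negotiated. The script below is an added example, not code from the thread or from OpenSSL: it parses s_client output (the SSL-Session block, or a fatal alert line) and reports protocol, cipher and the certificate type implied by the cipher name, using constructed samples modelled on the two outputs quoted above.

```shell
#!/bin/sh
# Added example (not code from the thread): read `openssl s_client` output on
# stdin and report what was actually negotiated, so a run such as
#   openssl s_client -connect mail.google.com:443 -tls1_2 </dev/null | classify_s_client
# can be checked by a script instead of by eye.
classify_s_client() {
    out=$(cat)
    # A fatal alert from the peer ("SSL alert number 40" is handshake_failure)
    # means no session was established at all.
    alert=$(printf '%s\n' "$out" | sed -n 's/.*SSL alert number \([0-9][0-9]*\).*/\1/p' | head -n 1)
    if [ -n "$alert" ]; then
        printf 'handshake-failure alert=%s\n' "$alert"
        return 1
    fi
    # The negotiated values are in the SSL-Session block s_client prints after
    # the handshake; that block, not the command-line flags, is authoritative.
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(.*\)$/\1/p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *\(.*\)$/\1/p' | head -n 1)
    if [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        printf 'no-session\n'
        return 1
    fi
    # OpenSSL cipher names encode key exchange and authentication: ECDHE-ECDSA-*
    # means the server authenticated with an ECDSA certificate, ECDHE-RSA-* with an RSA one.
    case "$cipher" in
        ECDHE-ECDSA-*|ECDH-ECDSA-*) auth=ECDSA ;;
        ECDHE-RSA-*|ECDH-RSA-*|DHE-RSA-*) auth=RSA ;;
        *) auth=unknown ;;
    esac
    printf 'negotiated %s %s auth=%s\n' "$proto" "$cipher" "$auth"
}

# Constructed samples modelled on the two outputs quoted in the thread.
SAMPLE_OK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='CONNECTED(00000003)
139818747868832:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1440:SSL alert number 40
139818747868832:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:617:'

printf '%s\n' "$SAMPLE_OK" | classify_s_client
printf '%s\n' "$SAMPLE_FAIL" | classify_s_client || true
```

The ECDHE-RSA result for the first sample confirms the server presented its RSA certificate on that connection; a capture in wireshark would show the same cipher suite in the ServerHello.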