Thanks Jeff for your answers also. I got 1.0.1h from openssl.org/downloads
with the associated MD5 and SHA checksums. TLS 1.2 is definitely enabled
because I get it with the 3rd cipher suite.

We don't do any EC set in our code like what I see in s_server.c. I think
that's our issue.

Dave 

+-+-+-+-+-+-+-+-+- 
Dave McLellan, Enterprise Storage Software Engineering, EMC Corporation, 176 
South St.
Mail Stop 176-V1 1/P-36, Hopkinton, MA 01749
Office:    508-249-1257, FAX: 508-497-8027, Mobile:   978-500-2546, 
[email protected]
+-+-+-+-+-+-+-+-+-


-----Original Message-----
From: [email protected] [mailto:[email protected]] 
On Behalf Of Jeffrey Walton
Sent: Thursday, June 26, 2014 9:31 AM
To: OpenSSL Users List
Subject: Re: cipher list experiments - what's preventing ECDHE?

On Thu, Jun 26, 2014 at 8:51 AM, mclellan, dave <[email protected]> wrote:
> I’m doing some experimentation with cipher lists using OpenSSL 1.0.1h.     I
> have two peers using the same libraries, and both enabled with these 
> suites in the call to SSL_set_cipher_list():
>
>
> 1.       ECDHE-ECDSA-AES128-GCM-SHA256
>
> 2.       ECDHE-RSA-AES128-GCM-SHA256
>
> 3.       DHE-RSA-AES128-GCM-SHA256
>
>
> These are shown by the ‘openssl ciphers’ command using the same libraries.
> I have specified each of these individually to try out each one 
> independently of the others.
>
>
> Neither of the ECDHE ciphers (1 and 2 above) are chosen by my two 
> peers, and the result is ‘no shared cipher’ when either of these is specified.
>
>
> Cipher 3 is chosen successfully, so it seems that the failing 
> component is the elliptic curve modifier of DHE.
>
The server needs an ECDSA key and certificate to provide ECDSA. It's not clear if
you have it.

I'm not sure why ECDHE-RSA-AES128-GCM-SHA256 is not selected. Perhaps
TLS1.2 is not available? Lack of TLS 1.2 would explain both
ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256. I know Ubuntu 
*prior* to 14 disabled it out of the box (via OPENSSL_NO_TLS1_2_CLIENT). And it 
was disabled by default in Java 7 and earlier.

Where did you get your copy of 1.0.1h? Is it distro provided? Are you 
accidentally linking against a distro provided OpenSSL?

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]