Re: ECDHE-ECDSA Support

2014-03-27 Thread Thomas Montroy
Hi Jeff,

Thanks for the response, but I'm still having trouble.

As for TLSv1.2:

With the OS version of openssl, my default connection looks to be TLSv1.1

However, if I add -tls1_2 to the call, I get this:
SSL-Session:
Protocol  : TLSv1.2
Cipher: ECDHE-RSA-AES256-GCM-SHA384

Should this be considered accurate (or should I verify with wireshark?)?

I compiled the openssl-1.0.2-beta and its default connection looks to be
TLSv1.2. However, I still fail to connect with any ECDHE-ECDSA.

One interesting point is that mail.google.com has at least two certificates,
one with ECDHE-RSA and one with ECDHE-ECDSA. When I connect to
mail.google.com in the browser, I get ECDHE-ECDSA. I can also see both
certs with gnutls-cli.

I made a test certificate using ECDHE-ECDSA so I'm guessing that means the
capability is compiled in.

Cheers,

-Tom

On Wed, Mar 26, 2014 at 6:43 PM, Jeffrey Walton noloa...@gmail.com wrote:

  I'm running ubuntu (12.04, I think) on a VM on a Macbook Air using VMware. I
  tried the default ubuntu SSL, 1.0.1f, 1.0.1c and 1.0.2beta1, no luck in any
  case.
  ...
  Any ideas why I can't do that with openssl?

 Ubuntu disables TLS 1.1 and 1.2 in their version of OpenSSL. See, for
 example, "OpenSSL downlevel version is 1.0.0, and does not support TLS
 1.2", https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1256576.

 You should be able to connect with -tls1; or build/install OpenSSL
 yourself and use the one installed at /usr/local/ssl/bin/openssl.

  openssl s_client -connect mail.google.com:443 -tls1_2 -cipher

 You can also use the -CAfile option for s_client to avoid the verify
 error. Use Google's Google Internet Authority G2 at
 http://pki.google.com/.

 Jeff

 On Wed, Mar 26, 2014 at 4:14 PM, Thomas Montroy tom.mont...@gmail.com wrote:
 __
 OpenSSL Project http://www.openssl.org
 User Support Mailing List    openssl-users@openssl.org
 Automated List Manager       majord...@openssl.org



Re: ECDHE-ECDSA Support

2014-03-27 Thread Thomas Montroy
Nice catch. Thanks for looking into it.

Cheers,

-Tom


On Thu, Mar 27, 2014 at 9:22 AM, Dr. Stephen Henson st...@openssl.org wrote:

 On Thu, Mar 27, 2014, Thomas Montroy wrote:

 An interesting little puzzle. I reproduced your results and using Firefox I
 can see the ECDSA certificate but OpenSSL chokes if you try to restrict the
 handshake to just ECDSA.

 After some head scratching I wondered if servername has anything to do with
 it. OpenSSL doesn't send servername by default but some other applications
 do. Adding servername like this:

 openssl s_client -connect mail.google.com:443 -servername mail.google.com

 does the trick and you then get:

 Protocol  : TLSv1.2
 Cipher: ECDHE-ECDSA-AES128-GCM-SHA256

 Steve.
 --
 Dr Stephen N. Henson. OpenSSL project core developer.
 Commercial tech support now available see: http://www.openssl.org
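Steve's finding turns on the TLS server_name (SNI) extension: a server holding both an RSA and an ECDSA certificate for a name can only consider the ECDSA one once the client tells it which name it wants, and s_client of that era did not send the extension unless given -servername. The Python below is an added example, not code from the thread or from the OpenSSL project: it builds minimal TLS 1.2 ClientHello records with and without SNI, parses them back, and runs them through a hypothetical server model (an assumption for illustration, not Google's actual selection logic) that has both certificates when the name is present and only its default RSA certificate when it is not. The cipher suite code points are the IANA values for the suites named in the thread; the zeroed random is a constructed sample value.

```python
"""Build and inspect TLS 1.2 ClientHello messages to show why the server_name
(SNI) extension decides which certificate a multi-certificate server can offer.
Added example for the openssl-users thread; not code from the thread or from OpenSSL."""
import struct

# IANA cipher suite code points for the suites named in the thread.
CIPHER_SUITES = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC030: "ECDHE-RSA-AES256-GCM-SHA384",
}
SUITE_BY_NAME = {name: code for code, name in CIPHER_SUITES.items()}
EXT_SERVER_NAME = 0x0000          # extension type server_name (RFC 6066)
ALERT_HANDSHAKE_FAILURE = 40      # the "SSL alert number 40" in the s_client output


def build_client_hello(cipher_names, servername=None):
    """Return record-layer bytes of a minimal TLS 1.2 ClientHello.

    The 32-byte random is zeroed to make the constructed sample deterministic;
    a real client fills it with fresh random bytes."""
    body = b"\x03\x03" + bytes(32)              # client_version 1.2 + random
    body += b"\x00"                             # empty session_id
    suites = b"".join(struct.pack("!H", SUITE_BY_NAME[n]) for n in cipher_names)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    exts = b""
    if servername is not None:
        host = servername.encode("ascii")
        # ServerName: name_type host_name (0) + 2-byte length + name
        name = b"\x00" + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(name)) + name   # ServerNameList length prefix
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Extract the offered cipher suite names and the SNI host name (None if absent)."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    (hs_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + hs_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                # skip client_version and random
    pos += 1 + body[pos]                        # skip session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                        # skip compression_methods
    servername = None
    if pos < len(body):
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2]); pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            data = body[pos:pos + elen]; pos += elen
            if etype == EXT_SERVER_NAME:
                (name_len,) = struct.unpack("!H", data[3:5])   # skip list length + name_type
                servername = data[5:5 + name_len].decode("ascii")
    return {"ciphers": [CIPHER_SUITES.get(s, hex(s)) for s in suites],
            "servername": servername}


def simulate_server(record, certs_by_host=None, default_cert="RSA"):
    """Hypothetical model (an assumption for illustration) of a server that
    holds several certificates: with SNI it can use any certificate issued
    for that host; without SNI it only has its default certificate, so a
    client offering nothing but ECDHE-ECDSA suites gets alert 40."""
    certs_by_host = certs_by_host or {"mail.google.com": ["RSA", "ECDSA"]}
    hello = parse_client_hello(record)
    available = certs_by_host.get(hello["servername"], [default_cert])
    for name in hello["ciphers"]:
        parts = name.split("-")                 # ECDHE-<auth>-...
        auth = parts[1] if len(parts) > 1 else None
        if auth in available:
            return {"cipher": name, "alert": None}
    return {"cipher": None, "alert": ALERT_HANDSHAKE_FAILURE}


if __name__ == "__main__":
    ecdsa_only = ["ECDHE-ECDSA-AES128-GCM-SHA256"]
    print(simulate_server(build_client_hello(ecdsa_only)))                     # alert 40
    print(simulate_server(build_client_hello(ecdsa_only, "mail.google.com")))  # ECDSA suite
```

Run stand-alone, the script reproduces both observations from the thread in the model: an ECDSA-only cipher list with no SNI ends in alert 40, and the same list with the name present negotiates ECDHE-ECDSA-AES128-GCM-SHA256. The parser is also a reasonable check to run over a captured ClientHello when a handshake fails unexpectedly: the first thing to confirm is whether server_name was sent at all.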



ECDHE-ECDSA Support

2014-03-26 Thread Thomas Montroy
Hi all,

I've been trying to make ECDHE-ECDSA connections with openssl and have been
having trouble.


openssl s_client -connect mail.google.com:443 -tls1_2
This connects with cipher = ECDHE-RSA-AES128-GCM-SHA256

According to Google-Chrome, the cipher for my web-based gmail connection
should be:
ECDHE-ECDSA-AES128-GCM-SHA256

If I try to make that connection

openssl s_client -connect mail.google.com:443 -tls1_2 -cipher ECDHE-ECDSA-AES128-GCM-SHA256

I get:

CONNECTED(0003)
139818747868832:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1440:SSL alert number 40
139818747868832:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:617:

which looks like no connection.

I'm running ubuntu (12.04, I think) on a VM on a Macbook Air using VMware.
I tried the default ubuntu SSL, 1.0.1f, 1.0.1c and 1.0.2beta1, no luck in
any case.

I downloaded and compiled the latest version of gnutls:

This gives an ECDHE-ECDSA connection
gnutls-cli --priority=NORMAL:-KX-ALL:+ECDHE-ECDSA mail.google.com

This gives an ECDHE-RSA
gnutls-cli --priority=NORMAL:-KX-ALL:+ECDHE-RSA mail.google.com

So I'm able to see both types of certificates for mail.google.com with
gnutls.

Any ideas why I can't do that with openssl?

Cheers,

-Tom