Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-14 Thread Walter H.
On 14.12.2013 00:00, Dr. Stephen Henson wrote: How are you disabling RSA key exchange? by setting all ciphers beginning with RSA to no in FF If you disable RSA for authentication too you'll hit problems if you don't have a non-RSA certificate. So for example: ECDHE-ECDSA-3DES-EDE-SHA needs a

RE: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Dave Thompson
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl- > us...@openssl.org] On Behalf Of Walter H. > The server is capable of ciphers DHE-* and others; > the list is quite longer than the avaiable ciphers of the client ..., > so I think this is quite strange ... > > openssl ciphers -V >

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Dr. Stephen Henson
On Fri, Dec 13, 2013, Walter H. wrote: > On 13.12.2013 21:16, andrew cooke wrote: > >well, i realised i couldn't answer the question seriously... what is > >ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to > >google chrome and firefox accepting it (a grep of openssl 1.0.

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread andrew cooke
well, not really, because in practice the name has to match, so you are stuck (as the earlier answer says). i guess the answer is somewhere in the nss code... andrew On Fri, Dec 13, 2013 at 10:04:52PM +0100, Walter H. wrote: > On 13.12.2013 21:16, andrew cooke wrote: > >well, i realised i cou

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Walter H.
On 13.12.2013 21:16, andrew cooke wrote: well, i realised i couldn't answer the question seriously... what is ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find it). does any server actually p

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread andrew cooke
well, i realised i couldn't answer the question seriously... what is ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find it). does any server actually provide it? if so, what mode does it use (

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Erwann Abalea
Don't regret it, it wasn't that bad ;) -- Erwann ABALEA Le 13/12/2013 20:39, andrew cooke a écrit : sorry, that was a bad joke i now regret sending. andrew On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote: it dpends how many characters differ when sorted. in this case: ECDHE-EC

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread andrew cooke
sorry, that was a bad joke i now regret sending. andrew On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote: > > it dpends how many characters differ when sorted. > > in this case: > > ECDHE-ECDSA-DES-CBC3-SHA -> 3AABDDDHHSSS >* *** **

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread andrew cooke
it dpends how many characters differ when sorted. in this case: ECDHE-ECDSA-DES-CBC3-SHA -> 3AABDDDHHSSS * *** ** ECDHE-ECDSA-3DES-EDE-SHA -> 3AACCEEHHSSS you can see (marked by *) that 6 characters don't match. now 6 is a triangular

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Erwann Abalea
Le 13/12/2013 19:30, Walter H. a écrit : On 12.12.2013 14:16, Erwann Abalea wrote: It's not strange. You removed the RSA-* from client side, the result is that the server can't match anything in common between what the client proposed and what the server accepts. The error you get has been sen

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-13 Thread Walter H.
On 12.12.2013 14:16, Erwann Abalea wrote: It's not strange. You removed the RSA-* from client side, the result is that the server can't match anything in common between what the client proposed and what the server accepts. The error you get has been sent by the server. The server is capable

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-12 Thread Erwann Abalea
It's not strange. You removed the RSA-* from client side, the result is that the server can't match anything in common between what the client proposed and what the server accepts. The error you get has been sent by the server. -- Erwann ABALEA Le 11/12/2013 22:34, Walter H. a écrit : Hello,

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-11 Thread Walter H.
Hello, Thanks for your reply; Very strange in FF when I disable the use of the RSA-* Ciphersuites in FF, then I get the following error Secure Connection failed Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) the certificat

Re: [openssl-users] Somewhat conflicting configuration and strange behaviour

2013-12-11 Thread Erwann Abalea
Bonjour, The certificate specifies "digitalSignature" as its sole key usage. That means the certified key can only be used to sign data, and not perform any decrypt operation. If your server+client are negotiating a (EC)DHE-RSA-* ciphersuite, that's OK because the server's RSA private key wil