TCS Confidential

Hi Paolo,

I think the openssl equivalent of the cipher we are using is ECDHE-RSA-AES256-SHA384 only. We tried the way you suggested, but openssl doesn’t seem to be accepting the cipher in that format. Following is the error we get:

    openssl s_client -cipher 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384' -CAfile <********> -connect ****:****
    Error with command: "-cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    140662913861264:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1383:

I guess we are giving the cipher suite name in a format that openssl is expecting only when running it as client.

Thanks
Hari

-----Original Message-----
From: Paolo Elefante <paolo.elefa...@gmail.com>
Sent: Tuesday, March 28, 2023 2:31 PM
To: user@thrift.apache.org
Subject: Re: Query on cipher setting on thrift sockets TSSLSocketFactory

Hi Hari,

I would suggest checking the correct suite name in the OpenSSL documentation:

    https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

Then you can test the TLS handshake with your server using the command

    openssl s_client -cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -CAfile <any-certificate-needed> -connect <ip:port>

BR,
Paolo

On Sat, 18 Mar 2023 at 17:46, Hari venkata ramana <hariram...@gmail.com> wrote:
> Hi,
>
> Yes, the server is implemented in C++. We do have a plan to upgrade to
> latest revision of thrift, if in case this is something that is fixed
> in later releases too.
>
> However it's not clear to us what can make this fail and so are looking
> for some pointers to find the root cause.
>
> As indicated in the link shared in my post, there was a query on
> whether thrift supports Diffie Hellman ciphers for which the answers
> given were not clearly pointing out if this is a drawback though.
>
>
> Thanks
>
> Hari
>
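
Added example, not part of the original thread and not Thrift or OpenSSL code: the thread turns on the difference between the IANA suite name (TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) and the name OpenSSL lists for it (ECDHE-RSA-AES256-SHA384). The sketch below translates between the two for AES-CBC/GCM suites only, then asks the local OpenSSL build, through Python's ssl module, whether it accepts the resulting cipher string. The function names iana_to_openssl and local_openssl_accepts are hypothetical.

```python
import re
import ssl

# Assumed scope: AES-CBC/GCM suites with RSA, DHE or ECDHE key exchange.
# Other families (3DES, CHACHA20, PSK, TLS 1.3) follow different naming rules.
_IANA = re.compile(
    r"^TLS_(?:(ECDHE_RSA|ECDHE_ECDSA|DHE_RSA|DHE_DSS)|RSA)"
    r"_WITH_AES_(128|256)_(CBC|GCM)_(SHA|SHA256|SHA384)$"
)


def iana_to_openssl(name):
    """Translate an IANA suite name into the OpenSSL cipher-list name.

    This only rewrites the name; it does not prove the suite exists.
    """
    m = _IANA.match(name)
    if m is None:
        raise ValueError("not an IANA AES suite name in scope: %r" % name)
    kx, bits, mode, mac = m.groups()
    parts = []
    if kx:  # plain RSA key exchange has no prefix in OpenSSL names
        parts.append(kx.replace("_", "-"))
    parts.append("AES" + bits)
    if mode == "GCM":  # OpenSSL names GCM explicitly and leaves CBC implicit
        parts.append("GCM")
    parts.append(mac)
    return "-".join(parts)


def local_openssl_accepts(cipher_string):
    """Return True if the OpenSSL linked into Python matches the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)  # raises when no cipher matches
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    # Suite names quoted in the thread
    for iana in ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
                 "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"):
        name = iana_to_openssl(iana)
        print(iana, "->", name, "accepted:", local_openssl_accepts(name))
```

The acceptance check reflects the OpenSSL that Python is linked against, which may not be the same build the Thrift server or the openssl command-line tool uses.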