Hari Venkata Ramana Addepalli <hariram...@gmail.com>
10:48 PM (1 minute ago)
to user@thrift.apache.org
Hi,

We got to the root cause of the issue. It looks like the version of OpenSSL we
are using is very old and ECDHE ciphers are not enabled by default. It
requires the SSL_CTX_set_ecdhe_auto() API to be called with the SSL
context in order to enable these ciphers on the server. It works
perfectly fine now after making this call on the server.

Thanks to all those who provided inputs for this case.

Sent from Mail for Windows

On Thu, Mar 30, 2023 at 10:48 PM Hari Venkata Ramana Addepalli <
hariram...@gmail.com> wrote:
> *From: *Hari Venkata Ramana Addepalli <hari.addepa...@tcs.com.invalid>
> *Sent: *29 March 2023 12:09
> *To: *user@thrift.apache.org
> *Subject: *RE: Query on cipher setting on thrift sockets TSSLSocketFactory
>
> TCS Confidential
>
> Hi Paolo,
>
> I think the OpenSSL equivalent of the cipher we are using is
> ECDHE-RSA-AES256-SHA384 only. We tried the way you suggested but OpenSSL
> doesn't seem to be accepting the cipher in that format. Following is the
> error we get:
>
> openssl s_client cipher 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384' -CAfile
> <********> -connect ****:****
>
> Error with command: "-cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
> 140662913861264:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
> cipher match:ssl_lib.c:1383:
>
> I guess we are giving the cipher suite name in a format that OpenSSL is
> expecting only when running it as a client.
>
> Thanks
> Hari
>
>
>
> -----Original Message-----
> From: Paolo Elefante <paolo.elefa...@gmail.com>
> Sent: Tuesday, March 28, 2023 2:31 PM
> To: user@thrift.apache.org
> Subject: Re: Query on cipher setting on thrift sockets TSSLSocketFactory
>
> Hi Hari,
> I would suggest checking the correct suite name in the OpenSSL
> documentation https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
>
> Then you can test the TLS handshake with your server using the command
> openssl s_client -cipher TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -CAfile
> <any-certificate-needed> -connect <ip:port>
>
> BR, Paolo
>
> On Sat, 18 Mar 2023 at 17:46, Hari venkata ramana <hariram...@gmail.com>
> wrote:
>
> > Hi,
> >
> > Yes, the server is implemented in C++. We do have a plan to upgrade to
> > the latest revision of Thrift, in case this is something that is fixed
> > in later releases too.
> >
> > However, it's not clear to us what can make this fail and so we are looking
> > for some pointers to find the root cause.
> >
> > As indicated in the link shared in my post, there was a query on
> > whether Thrift supports Diffie-Hellman ciphers, for which the answers
> > given were not clearly pointing out whether this is a drawback though.
> >
> > Thanks
> > Hari


-- 
Thanks
Hari
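As an added example (not code from this thread, from Thrift or from OpenSSL), the two checks the discussion turns on, done with Python's ssl module over the same OpenSSL library: translating the IANA suite name that produced "no cipher match" into OpenSSL's own naming, and building a server-side context with an explicit ECDH curve (Python's counterpart of the ECDHE-enabling call on the SSL context described above) to list what would actually be offered. The function names `iana_to_openssl` and `enabled_server_ciphers` are chosen here; an empty result is the "no cipher match" case.

```python
import ssl

# Key-exchange prefix in OpenSSL's naming; plain RSA key exchange has none
# (TLS_RSA_WITH_AES_256_CBC_SHA384 is just "AES256-SHA384").
_KEX = {"RSA": "", "DHE_RSA": "DHE-RSA",
        "ECDHE_RSA": "ECDHE-RSA", "ECDHE_ECDSA": "ECDHE-ECDSA"}


def iana_to_openssl(name):
    """Translate an IANA suite name (TLS_<kex>_WITH_<bulk>_<mac>) into the
    OpenSSL name that 'openssl s_client -cipher' and SSL_CTX_set_cipher_list()
    expect. Covers the AES-CBC, AES-GCM and ChaCha20 families; others raise."""
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return name                       # TLS 1.3 suites keep the IANA name
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError("not a TLS 1.2 IANA suite name: " + name)
    kex, bulk = name[4:].split("_WITH_", 1)
    if kex not in _KEX:
        raise ValueError("unsupported key exchange: " + kex)
    p = bulk.split("_")
    if p[0] == "AES" and len(p) == 4 and p[2] == "GCM":
        tail = ["AES" + p[1], "GCM", p[3]]   # AES_128_GCM_SHA256 -> AES128-GCM-SHA256
    elif p[0] == "AES" and len(p) == 4 and p[2] == "CBC":
        tail = ["AES" + p[1], p[3]]          # AES_256_CBC_SHA384 -> AES256-SHA384
    elif p[:2] == ["CHACHA20", "POLY1305"]:
        tail = ["CHACHA20", "POLY1305"]      # OpenSSL drops the SHA256 suffix
    else:
        raise ValueError("unsupported bulk cipher: " + bulk)
    return "-".join(([_KEX[kex]] if _KEX[kex] else []) + tail)


def enabled_server_ciphers(cipher_list, curve="prime256v1"):
    """Configure a server context the way a TSSLSocketFactory would (cipher
    string plus an explicit ECDH curve) and return the OpenSSL names that
    would really be offered. [] is the 'no cipher match' case from the thread."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return []
    # Python's wrapper around SSL_CTX_set_tmp_ecdh(): on old OpenSSL builds the
    # cipher list alone is not enough, ECDHE suites stay dormant without a curve.
    ctx.set_ecdh_curve(curve)
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    suite = iana_to_openssl("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
    print(suite, "->", enabled_server_ciphers(suite))
```

Feeding the translated name to `openssl s_client -cipher` is the handshake test from the thread; the list returned by `enabled_server_ciphers` is what to compare the server's configured cipher string against.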
