New to the list and one question ;-)

Viktor Dukhovni openssl-users at dukhovni.org
Mon Jun 10 17:41:10 UTC 2019


On Mon, Jun 10, 2019 at 03:21:16PM +0000, Patrick Regnouf via openssl-users wrote:

> All is well and good when the program works on the linux PC and the
> handshake is successful using the 0xc02f cipher. and that is linked to
> version 3.0.0 of openssl.  on the embedded version, (linked with version
> 1.0.2s) firefox fails the handshake with ssl_no_shared_cipher whereas
> chrome and safari do successfully handshake. chrome client hello contains
> 12 ciphers and the server hello seems to choose 0xc02f cipher. firefox
> client hello contains only 10 ciphers (including the above mentioned 0xc02f
> cipher) and fails.  any suggestion as to what could cause that failure
> would be appreciated.

In addition to the cipher algorithm, the two parties must also agree
on the signature algorithms, supported EC groups, ...

You've not provided much detail about the configuration of the
embedded (1.0.2s) server.  The cipher that works with the other
browsers is:

    0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD

this requires a shared ECDHE curve, are you using "auto", or an
explicit curve?  What are the signature algorithms on your certificate
chain?

It would also be useful to post PCAP files of a working handshake
with Chrome, and a failing handshake with Firefox.

-- 
	Viktor.
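
The agreement described in the reply above (cipher suite, EC groups, signature algorithms) can be checked from a captured ClientHello. The following is an added example, not part of the original message and not OpenSSL code; the ClientHello records are constructed samples and `SERVER` is a hypothetical server configuration, not the poster's.

```python
import struct
def _u16_list(buf):
    """Decode a vector of 16-bit values with a 2-byte length prefix."""
    (n,) = struct.unpack_from("!H", buf, 0)
    return list(struct.unpack_from("!%dH" % (n // 2), buf, 2))

def parse_client_hello(record):
    """Return the cipher suites, EC groups and signature algorithms a ClientHello offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a ClientHello")
    pos = 5 + 4 + 2 + 32                 # record header, handshake header, version, random
    pos += 1 + record[pos]               # session_id
    offer = {"ciphers": _u16_list(record[pos:]), "groups": [], "sigalgs": []}
    pos += 2 + 2 * len(offer["ciphers"])
    pos += 1 + record[pos]               # compression_methods
    if pos + 2 > len(record):
        return offer                     # no extensions block
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        body = record[pos + 4:pos + 4 + ext_len]
        if ext_type == 10:               # supported_groups
            offer["groups"] = _u16_list(body)
        elif ext_type == 13:             # signature_algorithms
            offer["sigalgs"] = _u16_list(body)
        pos += 4 + ext_len
    return offer

def missing_overlap(offer, server):
    """List the parameters for which client and server have no value in common."""
    return [k for k in ("ciphers", "groups", "sigalgs") if not set(offer[k]) & set(server[k])]

def build_hello(ciphers, groups, sigalgs):
    """Build a constructed sample ClientHello record (not a capture from the thread)."""
    vec = lambda vals: struct.pack("!H%dH" % len(vals), 2 * len(vals), *vals)
    exts = b"".join(struct.pack("!HH", t, len(v)) + v
                    for t, v in ((10, vec(groups)), (13, vec(sigalgs))))
    body = (b"\x03\x03" + bytes(32) + b"\x00" + vec(ciphers) + b"\x01\x00"
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Hypothetical values: a server pinned to one explicit curve (secp521r1 = 25).
SERVER = {"ciphers": [0xC02F], "groups": [25], "sigalgs": [0x0401]}
CLIENT_A = build_hello([0xC02F, 0xC030], [29, 23, 24, 25], [0x0403, 0x0401])
CLIENT_B = build_hello([0xC02F, 0xC02B], [29, 23, 24], [0x0403, 0x0401])
if __name__ == "__main__":
    for name, rec in (("client A", CLIENT_A), ("client B", CLIENT_B)):
        print(name, "no overlap in:", missing_overlap(parse_client_hello(rec), SERVER))
```

Both constructed clients offer 0xC02F, but client B shares no EC group with the hypothetical server, so the ECDHE suite cannot be selected for it even though the cipher lists overlap.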

