New to the list and one question ;-)

Patrick Regnouf intera_91 at yahoo.co.uk
Wed Jun 12 09:27:33 UTC 2019


As requested, here are two captures attached: one successfully handshakes with the server (Chrome) and one fails the handshake (Firefox).
I would be very grateful if anyone could shed some light on this.

The openssl version which is linked to my server/relay program is 1.0.2s.

Thanks

/Patrick




On Mon, 2019-06-10 at 13:41 -0400, Viktor Dukhovni wrote:
> On Mon, Jun 10, 2019 at 03:21:16PM +0000, Patrick Regnouf via openssl-users wrote:
> 
> > All is well and good when the program works on the Linux PC and the
> > handshake is successful using the 0xc02f cipher, and that is linked to
> > version 3.0.0 of openssl.  On the embedded version (linked with version
> > 1.0.2s), Firefox fails the handshake with ssl_no_shared_cipher, whereas
> > Chrome and Safari do successfully handshake. The Chrome client hello contains
> > 12 ciphers and the server hello seems to choose the 0xc02f cipher. The Firefox
> > client hello contains only 10 ciphers (including the above-mentioned 0xc02f
> > cipher) and fails.  Any suggestion as to what could cause that failure
> > would be appreciated.
> 
> In addition to the cipher algorithm, the two parties must also agree
> on the signature algorithms, supported EC groups, ...
> 
> You've not provided much detail about the configuration of the
> embedded (1.0.2s) server.  The cipher that works with the other
> browsers is:
> 
>     0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
> 
> this requires a shared ECDHE curve, are you using "auto", or an
> explicit curve?  What are the signature algorithms on your certificate
> chain?
> 
> It would also be useful to post PCAP files of a working handshake
> with Chrome, and a failing handshake with Firefox.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: chrome_success.pcap
Type: application/vnd.tcpdump.pcap
Size: 4328 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190612/be09c994/attachment-0002.pcap>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: firefox_fail.pcap
Type: application/vnd.tcpdump.pcap
Size: 808 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20190612/be09c994/attachment-0003.pcap>
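
The reply quoted above points out that a shared cipher is not enough: the two sides must also agree on an EC group and on signature algorithms. The following is an added example, not part of the original thread and not OpenSSL code, that parses a ClientHello handshake message and reports which of those three inputs has no overlap with a server's settings. The ClientHello bytes and the server settings are constructed for illustration and are not taken from the attached captures; the plain set-intersection check is a simplification of what a real server does.

```python
import struct

EXT_SUPPORTED_GROUPS, EXT_SIGNATURE_ALGORITHMS = 10, 13  # TLS extension numbers

def _vec(buf, off, nlen):
    """Read a vector with an nlen-byte length prefix; return (payload, next offset)."""
    n = int.from_bytes(buf[off:off + nlen], "big")
    end = off + nlen + n
    if end > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[off + nlen:end], end

def _u16_list(data):
    return [int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data) - 1, 2)]

def parse_client_hello(hs):
    """Parse a ClientHello handshake message (record header already stripped)."""
    if len(hs) < 4 or hs[0] != 1:
        raise ValueError("not a ClientHello")
    body, _ = _vec(hs, 1, 3)
    _, off = _vec(body, 2 + 32, 1)       # skip version + random, then session_id
    suites, off = _vec(body, off, 2)
    _, off = _vec(body, off, 1)          # compression methods
    out = {"ciphers": _u16_list(suites), "groups": [], "sigalgs": []}
    exts = _vec(body, off, 2)[0] if off < len(body) else b""
    pos = 0
    while pos + 4 <= len(exts):
        etype = int.from_bytes(exts[pos:pos + 2], "big")
        data, pos = _vec(exts, pos + 2, 2)
        if etype == EXT_SUPPORTED_GROUPS:
            out["groups"] = _u16_list(_vec(data, 0, 2)[0])
        elif etype == EXT_SIGNATURE_ALGORITHMS:
            out["sigalgs"] = _u16_list(_vec(data, 0, 2)[0])
    return out

def missing_agreement(hello, server):
    """Names of the negotiation inputs where client and server share no value."""
    return [k for k in ("ciphers", "groups", "sigalgs") if not set(hello[k]) & set(server[k])]

def _ext(etype, values):  # builds one extension for the constructed sample
    lst = b"".join(v.to_bytes(2, "big") for v in values)
    return struct.pack(">HHH", etype, len(lst) + 2, len(lst)) + lst

# Constructed ClientHello (not taken from the attached captures).
_exts = _ext(10, [0x001D, 0x0017]) + _ext(13, [0x0403, 0x0804, 0x0401])
_body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x04\xc0\x2b\xc0\x2f" + b"\x01\x00"
         + struct.pack(">H", len(_exts)) + _exts)
SAMPLE_HELLO = b"\x01" + len(_body).to_bytes(3, "big") + _body
# Hypothetical server: offers 0xc02f, but only secp384r1 (0x0018) as curve.
SAMPLE_SERVER = {"ciphers": [0xC02F], "groups": [0x0018], "sigalgs": [0x0401]}
```

With the constructed inputs, `missing_agreement(parse_client_hello(SAMPLE_HELLO), SAMPLE_SERVER)` returns `["groups"]`: the cipher 0xc02f is offered by both sides, yet no curve is shared.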