New to the list and one question ;-)

Patrick Regnouf intera_91 at yahoo.co.uk
Thu Jun 13 17:06:36 UTC 2019


Thanks Matt, adding a call to SSL_CTX_set_ecdh_auto() on the server side actually did the trick. Problem solved!!!
/Patrick 



Contrary to what you said in your original post the Chrome session is NOT
selecting 0xc02f. Instead it is selecting 0x002f which is
TLS_RSA_WITH_AES_128_CBC_SHA (aka AES128-SHA in the OpenSSL naming scheme).

This cipher is not being offered by Firefox but is by Chrome. It is striking to
note that although Chrome is offering a whole list of ciphersuites offering
forward secrecy (i.e. all those including ECDHE/DHE), the server is instead
selecting a very old ciphersuite that does not support forward secrecy.

In comparison Firefox does not offer any ciphersuites that do not support
forward secrecy and the connection fails.

Have you called SSL_CTX_set_tmp_dh() or SSL_CTX_set_ecdh_auto() on the server?
I'd suggest trying those and see if it helps.

Matt


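An added illustration (not part of the thread) of the negotiation Matt describes, written against Python's stdlib ssl module, which wraps the same OpenSSL cipher machinery the C API exposes. The two client offers are constructed from just the code points the thread names, and a server with no usable ECDH/DH parameters is simulated by stripping the ephemeral key-exchange suites from its cipher list; the audit helper then shows why a PFS-only server list fails loudly instead of downgrading.

```python
import ssl

# Key-exchange names OpenSSL reports (via get_ciphers) for suites whose
# key exchange is ephemeral, i.e. that provide forward secrecy.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe", "kx-ecdhe-psk", "kx-dhe-psk"}

# Constructed offers reduced to the two code points named in the thread:
# 0xc02f = ECDHE-RSA-AES128-GCM-SHA256 (forward secret), 0x002f = AES128-SHA
# (static RSA key exchange, no forward secrecy).
CHROME_LIKE_OFFER = [0xC02F, 0x002F]   # forward-secret suite plus a non-FS fallback
FIREFOX_LIKE_OFFER = [0xC02F]          # forward-secret suites only

def enabled_suites(cipher_string):
    """Map TLS<=1.2 code point -> (name, key exchange) for an OpenSSL cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return {c["id"] & 0xFFFF: (c["name"], c["kea"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}

def negotiate(client_offer, server_suites):
    """First suite in client order that the server also enables (OpenSSL's
    default; SSL_OP_CIPHER_SERVER_PREFERENCE would walk the server's order)."""
    for code_point in client_offer:
        if code_point in server_suites:
            return code_point
    return None  # nothing in common: the handshake fails, as Firefox's did

def non_forward_secret(server_suites):
    """Audit helper: names of enabled suites without forward secrecy."""
    return sorted(name for name, kx in server_suites.values()
                  if kx not in FORWARD_SECRET_KX)

# Simulated server with no usable ECDH/DH parameters: its ECDHE/DHE suites
# can never be selected, modelled here by removing them from the list.
NO_EPHEMERAL_KX = enabled_suites("DEFAULT:!kECDHE:!kDHE")
# Same server after SSL_CTX_set_ecdh_auto()/SSL_CTX_set_tmp_dh(): the
# ephemeral suites are usable again.
WITH_EPHEMERAL_KX = enabled_suites("DEFAULT")
# Defence in depth: a list with no static-RSA fallback at all, so a
# parameter misconfiguration fails loudly instead of downgrading silently.
PFS_ONLY = enabled_suites("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL")

if __name__ == "__main__":
    for client, offer in (("Chrome-like", CHROME_LIKE_OFFER), ("Firefox-like", FIREFOX_LIKE_OFFER)):
        for server, suites in (("no ECDH params", NO_EPHEMERAL_KX), ("ECDH auto", WITH_EPHEMERAL_KX)):
            chosen = negotiate(offer, suites)
            print(client, "vs", server + ":",
                  f"0x{chosen:04x} {suites[chosen][0]}" if chosen else "handshake fails")
    print("non-PFS suites left on PFS-only server:", non_forward_secret(PFS_ONLY))
```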

