On 14/05/2014 10:23, Dirk-Willem van Gulik wrote:
> Now I must be getting rusty - we have in the config file
>
> SSLCipherSuite -ALL:ECDHE-RSA-AES256-SHA
> SSLProtocol -ALL +TLSv1.1 +TLSv1.2 +SSLv3
>
> with the first resolving nicely with
>
> openssl ciphers -ALL:ECDHE-RSA-AES256-SHA
>
> to just
>
> ECDHE-RSA-AES256-SHA
>

Unusual syntax, though that should work. I'd normally just use the single ciphersuite name in the string:

ECDHE-RSA-AES256-SHA

> So my assumption is that this server will insist on talking above - and
> nothing else.
>
> And on the wire - if I observe the Server Hello I see:
>
> Secure Sockets Layer
> TLSv1.2 Record Layer: Handshake Protocol: Server Hello
> ...
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>
> which is sort of what I expect.
>

I wouldn't expect that, as that isn't the single ciphersuite you've specified.

> However when I throw
>
> https://www.ssllabs.com/ssltest/analyze.html
>
> their analyzer at it - it seems to be quite able to convince the server
> to say hello's with
>
> SSLv3 Record Layer: Handshake Protocol: Server Hello
> Content Type: Handshake (22)
> Version: SSL 3.0 (0x0300)
> ...
> Cipher Suite: TLS_RSA_WITH_RC4_128_MD5 (0x0004)
>
> or
>
> TLSv1.2 Record Layer: Handshake Protocol: Server Hello
> ...
> Cipher Suite: TLS_DHE_RSA_WITH_DES_CBC_SHA (0x0015)
>
> And so on*. I must be missing something very obvious here! Am I
> misunderstanding SSLCipherSuite or is there something specific about 1.2
> which makes certain things mandatory and not under control of SSLCipherSuite?
>

It looks like OpenSSL isn't receiving that cipher string properly, or it is being overridden by something else, possibly elsewhere in the config file.

You can probe individual ciphersuites using s_client like this:

openssl s_client -connect www.hostname.com:443 \
  -cipher ECDHE-RSA-AES256-GCM-SHA384

If it isn't supported the connection shouldn't complete.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
[email protected]
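As an added example (not from this thread or from OpenSSL), a small Python parser for a ServerHello record like the ones quoted above, so a captured record (for instance the hex that `openssl s_client -msg` prints) can be checked against the suite and versions that SSLCipherSuite and SSLProtocol were meant to allow. The suite-name table and the sample records are constructed for this example.

```python
import struct

# Cipher suite IDs that appear in the thread, mapped to their IANA names
# (constructed lookup table; OpenSSL's ECDHE-RSA-AES256-SHA is 0xC014).
SUITE_NAMES = {
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0015: "TLS_DHE_RSA_WITH_DES_CBC_SHA",
}

def parse_server_hello(record):
    """Parse one TLS/SSL3 record carrying a ServerHello; return record
    version, hello version and the cipher suite the server chose."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated ServerHello")
    pos = 2 + 32                      # skip server_version and random
    pos += 1 + hello[pos]             # skip session_id (length-prefixed)
    suite = struct.unpack("!H", hello[pos:pos + 2])[0]
    return {
        "record_version": (record[1], record[2]),
        "hello_version": (hello[0], hello[1]),
        "cipher_suite": suite,
        "name": SUITE_NAMES.get(suite, "unknown"),
    }

def check_negotiation(record, allowed_suites, allowed_versions):
    """True only if the server chose a permitted suite AND a permitted version."""
    h = parse_server_hello(record)
    return h["cipher_suite"] in allowed_suites and h["hello_version"] in allowed_versions

def build_server_hello(version, suite):
    """Constructed sample record (zero random, no session id, no extensions)."""
    hello = bytes(version) + b"\x00" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    body = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + bytes(version) + struct.pack("!H", len(body)) + body

# What the quoted config intends: only ECDHE-RSA-AES256-SHA, only SSL3/TLS1.1/TLS1.2.
ALLOWED = {0xC014}
VERSIONS = {(3, 0), (3, 2), (3, 3)}
```

Feed it the bytes of a real captured ServerHello record and a False from check_negotiation means the server negotiated something the config string was supposed to exclude.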
