Hello,

> > One workaround of this problem is to disable EDH ciphers, for example:
> >
> > $ openssl s_client -connect bshop.esprit.com:443 -cipher 'ALL:!EDH'
>
> I tried this, but got exactly the same error messages! Then I looked up the
> cipher specs on http://www.openssl.org/docs/apps/ciphers.html and used
> -cipher 'ALL:!kEDH' and then I was able to connect. Where is the difference
> between 'ALL:!EDH' and 'ALL:!kEDH' (besides that one works and the other
> does not)?

After looking closer, this is a version-dependent name. On FC4 the default
version is 0.9.7f, and in this version both EDH and kEDH exist
(EDH = kEDH - ADH). But on 0.9.8b there is no EDH ciphersuite name. On
0.9.8b, the EDH ciphersuite from 0.9.7f you may get with kEDH:!ADH. You may
check what ciphers these names include, for example with:

$ openssl ciphers -v kEDH

And in general EDH means ephemeral DH, which means that in the
ServerKeyExchange packet the DH parameters are signed with the server's
private key. ADH means that the DH parameters in the ServerKeyExchange
packet are not signed (susceptible to a man-in-the-middle attack). In
SSL3/TLS1 there is the term "DH" for a ciphersuite where the DH parameters
are carried in the server certificate; in this case ServerKeyExchange is
empty (but exists).

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
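As an added example that is not part of the thread above, the script below shows how the three alias names Marek distinguishes (kEDH, ADH, EDH) map onto the Kx= and Au= columns of `openssl ciphers -v`, and checks the identity EDH = kEDH - ADH he gives for 0.9.7f. The sample output embedded in it is constructed for this example and modelled on real `openssl ciphers -v` lines; the `Kx=`/`Au=` column layout and the alias names belong to the openssl tool, while `parse_ciphers_v`, `select`, `edh_equals_kedh_minus_adh` and `live_ciphers_v` are this example's own helpers. The "static-DH" category is the protocol's fixed-DH suite (DH parameters in the certificate) that the post calls "DH"; it is not claimed to be an openssl alias, since that alias's meaning has changed between versions.

```python
"""Classify TLS cipher suites from `openssl ciphers -v` output.

Added example, not code from the mailing-list post. Mapping used:

  kEDH      -> every suite with ephemeral DH key exchange (Kx=DH)
  ADH       -> ephemeral DH, nothing signs the ServerKeyExchange (Kx=DH, Au=None)
  EDH       -> ephemeral DH, server signs its DH parameters (Kx=DH, Au != None)
  static-DH -> DH key carried in the certificate (Kx=DH/RSA or Kx=DH/DSS)

so that EDH == kEDH - ADH, as the post states for OpenSSL 0.9.7f.
"""
import re
import shutil
import subprocess

# Constructed sample (assumption: modelled on real `openssl ciphers -v` output).
SAMPLE_CIPHERS_V = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
DH-RSA-AES256-SHA       SSLv3 Kx=DH/RSA   Au=DH   Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` lines into dicts keyed by column name."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        # Layout: NAME PROTOCOL Kx=... Au=... Enc=... Mac=...
        name, version, rest = line.split(None, 2)
        fields = dict(FIELD_RE.findall(rest))
        fields["name"] = name
        fields["version"] = version
        suites.append(fields)
    return suites


def select(suites, alias):
    """Return the suite names one of the discussed categories covers."""
    if alias == "kEDH":            # ephemeral DH, authenticated or anonymous
        keep = lambda s: s["Kx"] == "DH"
    elif alias == "ADH":           # anonymous DH: unsigned ServerKeyExchange, MITM-able
        keep = lambda s: s["Kx"] == "DH" and s["Au"] == "None"
    elif alias == "EDH":           # ephemeral DH with a signed ServerKeyExchange
        keep = lambda s: s["Kx"] == "DH" and s["Au"] != "None"
    elif alias == "static-DH":     # DH public value lives in the certificate
        keep = lambda s: s["Kx"].startswith("DH/")
    else:
        raise ValueError("unknown category: " + alias)
    return [s["name"] for s in suites if keep(s)]


def edh_equals_kedh_minus_adh(suites):
    """Check the identity EDH = kEDH - ADH stated in the post."""
    kedh, adh, edh = (set(select(suites, a)) for a in ("kEDH", "ADH", "EDH"))
    return edh == kedh - adh


def live_ciphers_v(cipher_string="ALL:COMPLEMENTOFALL"):
    """Parse the installed openssl's verbose list; None if openssl is absent."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True).stdout
    return parse_ciphers_v(out)


if __name__ == "__main__":
    suites = live_ciphers_v() or parse_ciphers_v(SAMPLE_CIPHERS_V)
    for alias in ("kEDH", "ADH", "EDH", "static-DH"):
        print(f"{alias:9} -> {', '.join(select(suites, alias)) or '(none)'}")
    print("EDH == kEDH - ADH:", edh_equals_kedh_minus_adh(suites))
```

Run against a real installation, the `Au=None` column is the quickest way to confirm whether a cipher string such as `ALL:!EDH` still leaves anonymous DH suites enabled; the alias names vary between releases, but the verbose columns do not.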
