I've tried with 0.9.9[dev] instead.
I can browse successfully without needing to specify ECCdraft or -no_ecdhe when
using s_server.
However, when I tried browsing independently (i.e. using Firefox only), I'm again
receiving the error.
What could be wrong then?

Can anyone enlighten me?

----- Original Message ----
From: IT Professional <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Sent: Wednesday, 25 October 2006 4:21:53 PM
Subject: Re: sslv3 alert handshake failure


Am I wrong? When I read the docs for the snapshot for 0.9.8b, it is stated that 
ECC cipher suites are included as part of 'ALL'. So why do I still need to 
define ECCdraft when using openssl s_server?
I've tried defining +ECCdraft in the SSL Cipher Suite but it's without success. 
Anyone got better luck?

Thanks! 

----- Original Message ----
From: IT Professional <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Sent: Friday, 20 October 2006 12:29:02 AM
Subject: Re: sslv3 alert handshake failure


Great, 

I finally don't see the error.

Is there any other way to disable ECDHE other than from command line?

I couldn't find any command to disable ECDHE in the generation of the ECC cert.

I also tried editing SSLCipherSuite to 
ALL:!ADH:!EXPORT56:RC4+RSA:-kEECDH:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

or
ALL:!ADH:!EXPORT56:RC4+RSA:-kECDHe:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
where I expected -kEECDH or -kECDHE to disable ECDHE.
Unfortunately, it didn't work out.

Many thanks!


----- Original Message ----
From: Marek Marcola <[EMAIL PROTECTED]>
To: openssl-users@openssl.org
Sent: Thursday, 19 October 2006 7:06:48 PM
Subject: Re: sslv3 alert handshake failure


Hello,

> Like to clarify one point, am I right to say the peer (client) we are
> referring to here is the browser?
Browser or any other SSL client.

> I'm using Firefox 2 Beta 1 which I know has ECC support. I had
> performed a test at tls.secg.org to verify this.
According to Firefox documentation ECC support is presently limited
to curves of 256, 384, and 521 bits.
But after creating ECC secp521r1 I was unable to connect
with Firefox too, but now I had error -8092
which means SEC_ERROR_KEYGEN_FAIL. After looking at the source
code of Firefox there was a place in
mozilla/security/nss/lib/ssl/ssl3ecc.c where ephemeral keys are
generated from ECC and this probably causes the error.
After running "openssl s_server ..." with "-no_ecdhe" I was
able to establish a connection with ECC ciphers.

> Another point I'm puzzled is that the openssl ciphersuites shown only
> ciphers with SSLv3 protocol when I execute openssl cipher -v ECCdraft.
> But I thought openssl 0.9.8b already provide support for TLSv1 too, so
> why don't I see any ciphers with TLSv1 protocol? Or have I
> misunderstood the readme file in 0.9.8b?
This is only a name problem, SSL3 and TLS1 are very close so sometimes
some names/variables are used interchangeably.

Best regards,

-- 
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]