Hi Alex,

if you configure s_client with the same list of ciphersuites that Firefox 
sends, then s_server will show the same reaction. That means your ff and your 
s_client send different lists of ciphersuites.

You seem to invoke s_client with the standard list of ciphersuites...whatever 
that is. Try invoking s_client with -cipher ECDHE-ECDSA-AES256-SHA. Is the 
handshake still successful? Check the ciphersuite-id that s_client sends. 
Obviously it's different from those that ff sends.

Now look up the ciphersuite-ids in the specification and you see which 
ciphersuites ff and s_client indeed send.

HTH,
Patrick Eisenacher
-----Original Message-----
From: Alex Birkett

Hi Patrick,

Thanks for your response. FF 3.6.2 is sending 
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA in its client hello message. The command 
line OpenSSL client can be made to connect using this cipher suite. Any ideas?

Thanks,

Alex


On 8 July 2010 13:41, Eisenacher, Patrick 
<patrick.eisenac...@bdr.de> wrote:
Hi Alex,

just check the list of ciphersuites that FF sends in its client hello message 
and you'll see which ciphersuites FF supports.

HTH,
Patrick Eisenacher
-----Original Message-----
From: Alex Birkett

Hi,

Firefox 3.6.2 supports the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite. 
I've configured OpenSSL (version 1.0.0.a) as a test server with what I think 
is a suitable ECC key/certificate (attached). The keys were created with the 
attached script.

The server was started like this:
openssl s_server -cert /home/alex/keys/ssltest/Certs/secp160r2TestServer.pem 
-cipher ECDHE-ECDSA-AES256-SHA

An OpenSSL client can be successfully connected like this:
openssl s_client -connect localhost:4433
The client says the connection is established with the ECDHE-ECDSA-AES256-SHA 
cipher.

When a connection with Firefox is attempted the server gives a series of errors 
like this:

140068746417832:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared 
cipher:s3_srvr.c:1216:
shutting down SSL

Can anybody explain this? Could it be a bug in OpenSSL?



--
Alex Birkett

mBricks AS

Fornebuveien 31, P.O. Box 69
NO-1324 Lysaker, NORWAY

www.mbricks.no

Follow us on Twitter: www.twitter.com/mBricksTeam
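
The comparison Patrick suggests in the thread above (read the ciphersuite ids out of each ClientHello and look them up) can be scripted; this is an added example, not part of the thread or of OpenSSL. The function names and the sample ClientHello bytes are constructed for illustration, and the id-to-name table is a small excerpt of the IANA TLS cipher suite registry.

```python
import struct

# Excerpt of the IANA TLS cipher suite registry (id -> name).
SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",  # OpenSSL: ECDHE-ECDSA-AES256-SHA
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
}

def offered_suites(record: bytes) -> list:
    """Return the cipher suite ids from one TLS record holding a ClientHello."""
    try:
        ctype, _version, rlen = struct.unpack_from("!BHH", record, 0)
        body = record[5:5 + rlen]
        # content type 22 = handshake, handshake type 1 = client_hello
        if ctype != 22 or len(body) != rlen or body[0] != 1:
            raise ValueError("not a complete ClientHello record")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                 # skip client_version and random
        pos += 1 + hello[pos]        # skip session_id
        (slen,) = struct.unpack_from("!H", hello, pos)
        if slen % 2:
            raise ValueError("odd cipher_suites length")
        ids = struct.unpack_from(f"!{slen // 2}H", hello, pos + 2)
    except (struct.error, IndexError) as exc:
        raise ValueError("truncated ClientHello") from exc
    return list(ids)

def shared_names(record: bytes, server_ids: set) -> list:
    """Names of the offered suites that the server is also configured for."""
    return [SUITES.get(i, f"0x{i:04X}") for i in offered_suites(record) if i in server_ids]

def sample_hello(ids: list) -> bytes:
    """Constructed ClientHello record (TLS 1.0, zero random, no extensions)."""
    suites = struct.pack(f"!{len(ids)}H", *ids)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + struct.pack("!H", len(suites)) + suites + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    server = {0xC00A}  # what s_server -cipher ECDHE-ECDSA-AES256-SHA allows
    for label, ids in (("client A", [0xC00A, 0xC014, 0x0035, 0x00FF]),
                       ("client B", [0x0039, 0x0035, 0x002F])):
        print(label, "shared:", shared_names(sample_hello(ids), server) or "none")
```

An empty result accounts for the `no shared cipher` error on its own. A non-empty one, as Alex reports for Firefox, means the suite id is offered and the rest of the ClientHello (for ECC suites, the elliptic curve extensions of RFC 4492) is the next thing to compare between the two clients.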
