Hi Patrick,

openssl s_client -connect localhost:4433 -cipher ECDHE-ECDSA-AES256-SHA
works fine; it sends the following cipher suite in the client hello message:
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

Just double checked with wireshark and FF also sends
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
as the first of its 35 supported cipher suites

I started the server like this
openssl s_server -cert /home/alex/keys/ssltest/Certs/secp160r2TestServer.pem
-cipher ECDHE-ECDSA-AES256-SHA -www
so that it responds to the browser's http request. I tested this by sending
a GET from the command line OpenSSL client and it works fine.

Any other ideas?

Thanks,

Kind Regards,

Alex




On 8 July 2010 15:19, Eisenacher, Patrick <patrick.eisenac...@bdr.de> wrote:

>  Hi Alex,
>
> if you configure s_client with the same list of ciphersuites that firefox
> sends, then s_server will show the same reaction. That means your ff and
> your s_client send different lists of ciphersuites.
>
> You seem to invoke s_client with the standard list of
> ciphersuites...whatever that is. Try invoking s_client with -cipher 
> ECDHE-ECDSA-AES256-SHA. Is
> the handshake still successful? Check the ciphersuite-id that s_client
> sends. Obviously it's different from those that ff sends.
>
> Now look up the ciphersuite-ids in the specification and you see which
> ciphersuites ff and s_client indeed send.
>
> HTH,
> Patrick Eisenacher
>
>  -----Original Message-----
> *From:* Alex Birkett
>
> Hi Patrick,
>
> Thanks for your response. FF 3.6.2  is
> sending TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA in its client hello message.
> The command line OpenSSL client can be made to connect using this cipher
> suite. Any ideas?
>
> Thanks,
>
> Alex
>
>
> On 8 July 2010 13:41, Eisenacher, Patrick <patrick.eisenac...@bdr.de> wrote:
>
>>  Hi Alex,
>>
>> just check the list of ciphersuites that FF sends in its client hello
>> message and you'll see which ciphersuites FF supports.
>>
>> HTH,
>> Patrick Eisenacher
>>
>>  -----Original Message-----
>> *From:* Alex Birkett
>>
>> Hi,
>>
>> Firefox 3.6.2 supports the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher
>> suite. I've configured OpenSSL (version 1.0.0.a) as a test server with
>> what I think is a suitable ECC key/certificate (attached). The keys were
>> created with the attached script.
>>
>> The server was started like this:
>> openssl s_server -cert
>> /home/alex/keys/ssltest/Certs/secp160r2TestServer.pem -cipher
>> ECDHE-ECDSA-AES256-SHA
>>
>> An open ssl client can be successfully connected like this:
>> openssl s_client -connect localhost:4433
>> The client says the connection is established with
>> the ECDHE-ECDSA-AES256-SHA cipher
>>
>> When a connection with Firefox is attempted the server gives a series of
>> errors like this:
>>
>>  140068746417832:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no
>> shared cipher:s3_srvr.c:1216:
>> shutting down SSL
>>
>> Can anybody explain this? Could it be a bug in OpenSSL?
>>
>>
>
>
> --
> Alex Birkett
>
> mBricks AS
>
> Fornebuveien 31, P.O. Box 69
> NO-1324 Lysaker, NORWAY
>
> www.mbricks.no
>
> Follow us on Twitter: www.twitter.com/mBricksTeam
>
>


-- 
Alex Birkett

mBricks AS

Fornebuveien 31, P.O. Box 69
NO-1324 Lysaker, NORWAY

www.mbricks.no

Follow us on Twitter: www.twitter.com/mBricksTeam
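
The check discussed in this thread (comparing the ciphersuite-ids in each client's ClientHello with what s_server was started with) can be scripted. The following is an added example, not part of the original messages: the function names are hypothetical, and the ClientHello bytes are constructed inline rather than taken from the capture described above.

```python
import struct

# Names for the IDs this thread discusses (IANA TLS cipher suite registry).
SUITE_NAMES = {
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}

def client_hello_suites(record: bytes) -> list:
    """Return the cipher suite IDs offered in one raw TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if len(body) < 39 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    pos = 4 + 2 + 32                 # handshake header, client_version, random
    pos += 1 + body[pos]             # skip the length-prefixed session_id
    if len(body) < pos + 2:
        raise ValueError("truncated before cipher_suites")
    (n,) = struct.unpack(">H", body[pos:pos + 2])
    raw = body[pos + 2:pos + 2 + n]
    if n % 2 or len(raw) != n:
        raise ValueError("truncated cipher_suites vector")
    return [struct.unpack(">H", raw[i:i + 2])[0] for i in range(0, n, 2)]

def shared_suites(record: bytes, server_suites: set) -> list:
    """Suites listed by both sides, in the client's preference order."""
    return [s for s in client_hello_suites(record) if s in server_suites]

def build_client_hello(suites: list) -> bytes:
    """Constructed sample input: minimal TLS 1.0 ClientHello, no extensions."""
    vec = b"".join(struct.pack(">H", s) for s in suites)
    hello = (b"\x03\x01" + bytes(32) + b"\x00"
             + struct.pack(">H", len(vec)) + vec + b"\x01\x00")
    hs = b"\x01" + struct.pack(">I", len(hello))[1:] + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    server = {0xC00A}  # s_server started with -cipher ECDHE-ECDSA-AES256-SHA
    for label, offered in (("offers 0xc00a", [0xC00A, 0x0035]),
                           ("RSA suites only", [0x0035, 0xC014])):
        common = shared_suites(build_client_hello(offered), server)
        names = [SUITE_NAMES.get(s, hex(s)) for s in common]
        print(f"{label}: shared = {names or 'none'}")
```

An overlap in IDs is all this comparison establishes. In the thread the server reported "no shared cipher" even though 0xc00a was offered, so a non-empty result rules out a mismatch in the suite lists rather than explaining the failure.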
