Hello, Thanks for your reply;
Very strange in FFwhen I disable the use of the RSA-* Ciphersuites in FF, then I get the following error
Secure Connection failed Cannot communicate securely with peer: no common encryption algorithm(s). (Error code: ssl_error_no_cypher_overlap) the certificate is mimicked by the origin certificate - look on the origin certificate of https://www.google.nl Thanks, Walter On 11.12.2013 20:56, Erwann Abalea wrote:
Bonjour, The certificate specifies "digitalSignature" as its sole key usage.That means the certified key can only be used to sign data, and not perform any decrypt operation.If your server+client are negotiating a (EC)DHE-RSA-* ciphersuite, that's OK because the server's RSA private key will then be used to sign the (EC)DHE parameters and ephemeral public key, and the key exchange mechanism will be based on (EC)DHE.But if the negotiated ciphersuite is AES-* or DES-* or RC4-* or anything similar using RSA as the key exchange mechanism, it won't work because the private key will then be used to decrypt the premaster secret.Only NSS checks this, so Firefox under any OS, and Chrome under Linux. If you want to get rid of this message, choose either one of:- create a new certificate for your server with keyUsage=digitalSignature+keyEncipherment - setup your server to only allow (EC)DHE key exchange mechanisms, by tweaking its acceptable ciphersuites
smime.p7s
Description: S/MIME Cryptographic Signature
