On Fri, Dec 13, 2013, Walter H. wrote:

> On 13.12.2013 21:16, andrew cooke wrote:
> >well, i realised i couldn't answer the question seriously... what is
> >ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to
> >google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to
> >find it). does any server actually provide it? if so, what mode does it
> >use (EDE is saying something about DES - how to build 3DES from DES -
> >rather than giving a mode, isn't it?)?
> >
> >andrew
> >
> exactly this is my problem - I need a ciphersuite from the OpenSSL
> list, that matches one of the FF list and doesn't make use of RSA
> for key exchange ...
>

How are you disabling RSA key exchange? If you disable RSA for authentication
too you'll hit problems if you don't have a non-RSA certificate. So for
example: ECDHE-ECDSA-3DES-EDE-SHA needs an ECDSA certificate (that's the same
as ECDHE-ECDSA-DES-CBC3-SHA).

You can disable RSA key exchange by appending the string !kRSA to the cipher
string, for example: "DEFAULT:!kRSA".

Also if you want to support EDH ciphersuites you need to set some DH
parameters and for ECDH a suitable curve.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
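
An added example, not part of the original message or of OpenSSL itself: a way to check what a cipher string such as "DEFAULT:!kRSA" leaves enabled and which certificate types the remaining suites need. It assumes a Python `ssl` module linked against OpenSSL 1.1.0 or later; the second string, with `!aRSA`, is an assumption added here to show the case where RSA authentication is disabled as well.

```python
import ssl
from collections import Counter


def suites(cipher_string):
    """Return the suites a TLS server context enables for cipher_string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Raises ssl.SSLError if the string selects no usable suite.
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def rsa_key_exchange_suites(cipher_string):
    """Names of enabled suites that still use static RSA key exchange."""
    return [c["name"] for c in suites(cipher_string)
            if c.get("kea") == "kx-rsa"]


def certificate_types(cipher_string):
    """Count enabled suites per authentication type.

    'auth-rsa' suites need an RSA certificate, 'auth-ecdsa' suites an
    ECDSA certificate. TLS 1.3 suites report 'auth-any' and are not
    controlled by this cipher string.
    """
    return Counter(c.get("auth", "unknown") for c in suites(cipher_string))


if __name__ == "__main__":
    # Cipher strings to compare; the second one is constructed for this example.
    for cipher_string in ("DEFAULT:!kRSA", "DEFAULT:!kRSA:!aRSA"):
        print(cipher_string)
        print("  static RSA key exchange:",
              rsa_key_exchange_suites(cipher_string) or "none")
        for auth, count in sorted(certificate_types(cipher_string).items()):
            print(f"  {auth}: {count} suites")
```

With "DEFAULT:!kRSA" the ECDHE-RSA suites remain, so an RSA certificate still works; once `!aRSA` is added, the TLS 1.2 suites that remain authenticate with other certificate types such as ECDSA.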