On Thu, Jun 26, 2014 at 8:51 AM, mclellan, dave <[email protected]> wrote:
> I’m doing some experimentation with cipher lists using OpenSSL 1.0.1h. I
> have two peers using the same libraries, and both enabled with these suites
> in the call to SSL_set_cipher_list():
>
> 1. ECDHE-ECDSA-AES128-GCM-SHA256
> 2. ECDHE-RSA-AES128-GCM-SHA256
> 3. DHE-RSA-AES128-GCM-SHA256
>
> These are shown by the ‘openssl ciphers’ command using the same libraries.
> I have specified each of these individually to try out each one
> independently of the others.
>
> Neither of the ECDHE ciphers (1 and 2 above) is chosen by my two peers, and
> the result is ‘no shared cipher’ when either of these is specified.
>
> Cipher 3 is chosen successfully, so it seems that the failing component is
> the elliptic curve modifier of DHE.

The server needs an ECDSA key and certificate to provide ECDSA. It's not clear if you have it.
I'm not sure why ECDHE-RSA-AES128-GCM-SHA256 is not selected. Perhaps TLS 1.2 is not available? Lack of TLS 1.2 would explain both ECDHE-ECDSA-AES128-GCM-SHA256 and ECDHE-RSA-AES128-GCM-SHA256. I know Ubuntu *prior* to 14 disabled it out of the box (via OPENSSL_NO_TLS1_2_CLIENT). And it was disabled by default in Java 7 and earlier.

Where did you get your copy of 1.0.1h? Is it distro provided? Are you accidentally linking against a distro-provided OpenSSL?

Jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [email protected]
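As an added illustration (not code from the thread or from the OpenSSL project), here is a small Python diagnostic that parses `openssl ciphers -v` output and applies the two conditions raised in the reply above: the suite's `Au=` column must match the server certificate's key type (ECDSA suites need an ECDSA certificate), and the suite's protocol column must not exceed what both peers can negotiate (the three suites in question are all TLS 1.2-only). It also carries one server-side condition the thread does not mention but which applies to OpenSSL 1.0.1: a server only offers `Kx=ECDH` suites if it has configured ephemeral ECDH parameters (`SSL_CTX_set_tmp_ecdh` or its callback). The sample `ciphers -v` lines are constructed in the column layout OpenSSL 1.0.1 prints; the function names and the `tmp_ecdh_set` flag are mine, not part of any OpenSSL API.

```python
import re

# Constructed sample of `openssl ciphers -v` output for the three suites
# named in the thread (the column layout is the one OpenSSL 1.0.1 prints).
CIPHERS_V_OUTPUT = """\
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
"""

# One line of `openssl ciphers -v`: name, minimum protocol, Kx=, Au=, Enc=, Mac=.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)$"
)

# Protocol versions in ascending order, for "suite needs at least X" checks.
PROTO_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` output into a list of dicts, one per suite."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            suites.append(m.groupdict())
    return suites


def suite_blockers(suite, cert_key_type, max_proto, tmp_ecdh_set=True):
    """Return the reasons a suite cannot be negotiated (empty list = it can).

    cert_key_type: key type of the server certificate ("RSA", "ECDSA", ...),
                   which must match the suite's Au= column.
    max_proto:     highest protocol version both peers actually support.
    tmp_ecdh_set:  hypothetical flag: whether the 1.0.1 server configured
                   ephemeral ECDH parameters (SSL_CTX_set_tmp_ecdh or its
                   callback); without them the server never offers Kx=ECDH.
    """
    reasons = []
    if suite["au"] != cert_key_type:
        reasons.append(
            f"authentication needs a {suite['au']} certificate, server has {cert_key_type}")
    if PROTO_ORDER[suite["proto"]] > PROTO_ORDER[max_proto]:
        reasons.append(f"requires {suite['proto']}, peers negotiate at most {max_proto}")
    if suite["kx"] == "ECDH" and not tmp_ecdh_set:
        reasons.append("ECDH key exchange needs server-side ephemeral ECDH parameters")
    return reasons


def diagnose(text, cert_key_type, max_proto, tmp_ecdh_set=True):
    """Map each suite name to its list of blockers for the given server setup."""
    return {
        s["name"]: suite_blockers(s, cert_key_type, max_proto, tmp_ecdh_set)
        for s in parse_ciphers_v(text)
    }


if __name__ == "__main__":
    # The thread's scenario with an RSA-only certificate and TLS 1.2 available:
    # suite 1 is blocked by the certificate type alone. Note that capping the
    # protocol below TLSv1.2 would block all three suites, including DHE-RSA.
    for name, why in diagnose(CIPHERS_V_OUTPUT, "RSA", "TLSv1.2").items():
        print(name, "->", "OK" if not why else "; ".join(why))
```

To use it against a real build, replace `CIPHERS_V_OUTPUT` with the captured output of `openssl ciphers -v 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256'` from the same library the peers link against; if a suite is absent from that output, the cipher string never matched it in that build, which is a different problem from "no shared cipher" at handshake time.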
