Re: [openssl-users] Working with s_time and nginx
On 31/08/16 17:42, Kjetil Birkeland Moe wrote:
> Dear all,
> I have turned to /s_time/ to evaluate the performance of a local Nginx
> server setup, but seem to immediately run into problems that do not
> appear when using /s_client/.
>
> Server setup is largely based on recommendations from bettercrypto.org,
> which also demonstrate the same problems with their setup as I currently
> do: "openssl s_time -connect bettercrypto.org:443 -cipher
> AES128-GCM-SHA256 -time 2" returns
>
>   * "140373676381952:error:14094410:SSL routines:ssl3_read_bytes:sslv3
>     alert handshake failure:ssl/record/rec_layer_s3.c:1362:SSL alert
>     number 40" in OpenSSL 1.1.0
>   * "140416684930936:error:14077410:SSL
>     routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
>     failure:s23_clnt.c:769:" in version 1.0.2h.

You say you don't get this problem with s_client. I just tried:

    openssl s_client -connect bettercrypto.org:443 -cipher AES128-GCM-SHA256

And got exactly the same error message as above. I also tried all the
ciphersuites below that you list as problematic, and got the same error
with s_client.

So, what exactly is your command line that works with s_client?

Matt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Working with s_time and nginx
Dear all,

I have turned to /s_time/ to evaluate the performance of a local Nginx
server setup, but seem to immediately run into problems that do not
appear when using /s_client/.

Server setup is largely based on recommendations from bettercrypto.org,
which also demonstrate the same problems with their setup as I currently
do: "openssl s_time -connect bettercrypto.org:443 -cipher
AES128-GCM-SHA256 -time 2" returns

  * "140373676381952:error:14094410:SSL routines:ssl3_read_bytes:sslv3
    alert handshake failure:ssl/record/rec_layer_s3.c:1362:SSL alert
    number 40" in OpenSSL 1.1.0
  * "140416684930936:error:14077410:SSL
    routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake
    failure:s23_clnt.c:769:" in version 1.0.2h.

This problem has been found when running from Fedora 24, and also with
other ciphers than just the one mentioned above, as
ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-SHA, AES256-SHA, but
not with AES128-SHA.

(Looking at the error message, there seems to be ssl3 involved. Though I
believe that only TLS connections are allowed on the servers mentioned.)

I am grateful for insight that would make it possible to use /s_time/
properly.

best regards,
Kjetil Birkeland Moe
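
Added example, not part of the original thread or of OpenSSL: a small parser for the two error-queue lines quoted in the post, which unpacks the hex error code using the library/function/reason layout of the OpenSSL versions named above (1.0.2, 1.1.0). It shows that both lines carry the same reason, 1040, which is the SSL library's code for fatal alert 40 (handshake_failure) received from the peer; the "sslv3" in the reason string is part of that alert's name. The `decode` function and its field names are this example's own.

```python
import re

# Error-code layout in OpenSSL 1.0.x / 1.1.0 (ERR_PACK in err.h):
#   8 bits library | 12 bits function | 12 bits reason
ERR_LIB_SSL = 20
SSL_AD_REASON_OFFSET = 1000  # SSL reasons 1000+N mean "peer sent alert N"

# thread-id:error:code:library:function:reason:file:line:extra-data
LINE_RE = re.compile(
    r"^(?P<tid>\d+):error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):"
    r"(?P<func>[^:]*):(?P<reason>[^:]*):(?P<file>[^:]*):(?P<line>\d+):(?P<data>.*)$"
)

# The two lines quoted in the post, rejoined onto one line each.
SAMPLES = [
    "140373676381952:error:14094410:SSL routines:ssl3_read_bytes:"
    "sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1362:"
    "SSL alert number 40",
    "140416684930936:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:"
    "sslv3 alert handshake failure:s23_clnt.c:769:",
]

def decode(line):
    """Split one error-queue line and unpack its numeric error code."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError("not an OpenSSL error-queue line: %r" % line)
    code = int(m.group("code"), 16)
    lib = (code >> 24) & 0xFF
    func = (code >> 12) & 0xFFF
    reason = code & 0xFFF
    alert = None
    # Only SSL-library reasons in 1000..1255 encode a received alert number.
    if lib == ERR_LIB_SSL and 0 <= reason - SSL_AD_REASON_OFFSET <= 255:
        alert = reason - SSL_AD_REASON_OFFSET
    return {
        "lib": lib, "func": func, "reason": reason, "peer_alert": alert,
        "func_name": m.group("func"), "reason_text": m.group("reason"),
        "source": "%s:%s" % (m.group("file"), m.group("line")),
    }

if __name__ == "__main__":
    for s in SAMPLES:
        d = decode(s)
        print("%-24s lib=%d func=%d reason=%d peer_alert=%s (%s)" % (
            d["func_name"], d["lib"], d["func"], d["reason"],
            d["peer_alert"], d["source"]))
```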