On 14.12.2013 00:00, Dr. Stephen Henson wrote:
How are you disabling RSA key exchange?
by setting all ciphers beginning with RSA to no in FF
If you disable RSA for authentication
too you'll hit problems if you don't have a non-RSA certificate. So for
example: ECDHE-ECDSA-3DES-EDE-SHA needs
On 12.12.2013 14:16, Erwann Abalea wrote:
It's not strange.
You removed the RSA-* from client side, the result is that the server
can't match anything in common between what the client proposed and
what the server accepts. The error you get has been sent by the server.
The server is capable
On 13/12/2013 19:30, Walter H. wrote:
On 12.12.2013 14:16, Erwann Abalea wrote:
It's not strange.
You removed the RSA-* from client side, the result is that the server
can't match anything in common between what the client proposed and
what the server accepts. The error you get has been
it depends how many characters differ when sorted.
in this case:
ECDHE-ECDSA-DES-CBC3-SHA - 3AABDDDHHSSS
* *** **
ECDHE-ECDSA-3DES-EDE-SHA - 3AACCEEHHSSS
you can see (marked by *) that 6 characters don't match.
now 6 is a triangular
sorry, that was a bad joke i now regret sending. andrew
On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote:
it depends how many characters differ when sorted.
in this case:
ECDHE-ECDSA-DES-CBC3-SHA - 3AABDDDHHSSS
* *** **
Don't regret it, it wasn't that bad ;)
--
Erwann ABALEA
On 13/12/2013 20:39, andrew cooke wrote:
sorry, that was a bad joke i now regret sending. andrew
On Fri, Dec 13, 2013 at 04:01:23PM -0300, Andrew Cooke wrote:
it depends how many characters differ when sorted.
in this case:
well, i realised i couldn't answer the question seriously... what is
ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to
google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find
it). does any server actually provide it? if so, what mode does it use
On 13.12.2013 21:16, andrew cooke wrote:
well, i realised i couldn't answer the question seriously... what is
ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to
google chrome and firefox accepting it (a grep of openssl 1.0.1e fails to find
it). does any server actually
well, not really, because in practice the name has to match, so you are stuck
(as the earlier answer says).
i guess the answer is somewhere in the nss code...
andrew
On Fri, Dec 13, 2013 at 10:04:52PM +0100, Walter H. wrote:
On 13.12.2013 21:16, andrew cooke wrote:
well, i realised i
On Fri, Dec 13, 2013, Walter H. wrote:
On 13.12.2013 21:16, andrew cooke wrote:
well, i realised i couldn't answer the question seriously... what is
ECDHE-ECDSA-3DES-EDE-SHA ? the only reference i can find on the web is to
google chrome and firefox accepting it (a grep of openssl 1.0.1e
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Walter H.
snip
The server is capable of ciphers DHE-* and others;
the list is quite longer than the available ciphers of the client ...,
so I think this is quite strange ...
openssl ciphers -V
It's not strange.
You removed the RSA-* from client side, the result is that the server
can't match anything in common between what the client proposed and what
the server accepts. The error you get has been sent by the server.
--
Erwann ABALEA
On 11/12/2013 22:34, Walter H. wrote:
Hello,
The certificate specifies digitalSignature as its sole key usage.
That means the certified key can only be used to sign data, and not
perform any decrypt operation.
If your server+client are negotiating a (EC)DHE-RSA-* ciphersuite,
that's OK because the server's RSA private key will