Chris, > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Mark, > > On 8/31/16 7:21 AM, Mark Thomas wrote: > > On 31/08/2016 12:18, Kreuser, Peter wrote: > >> > >> Christopher, > >> > >>> On 8/30/16 10:18 AM, Kreuser, Peter wrote: > >>> > >>> On 30/08/2016 10:23, Kreuser, Peter wrote: > >>> > >>> Hi all, > >>> > >>> I have compiled tcnative 1.2.8 with the new openssl 1.1.0 (ldd > >>> proves that it is linked). I have set the cipher string to the > >>> newly supported ciphers: > >>> > >>> ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:E > C > >>> > >>> <snip> > >> > >> testssl.sh is running with an openssl 1.0.2 compiled with > >> CHACHA20-support. > >> > >> I tried to manually access the website with this version and > >> ECDHE-ECDSA-CHACHA20-POLY1305 without success. > > > > Don't you need a DSA cert to use that cipher? > > Yep. It's used for authentication only -- EDCHE is of course being > used for key exchange. > > Nice catch. Peter, this isn't working because this cipher suite can't > be used with your RSA certificate: you'll need a DSA cert. >
as send to Mark before, ECDHE-RSA-CHACHA20-POLY1305 isn't working either. Plus testssl.sh is trying all ciphers no matter if key exchange is DSA or RSA. See: Testing all 181 locally available ciphers against the server, ordered by encryption strength Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC) --------------------------------------------------------------------------------------------------------------------------- xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 x6b DHE-RSA-AES256-SHA256 DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA x9d AES256-GCM-SHA384 RSA AESGCM 256 TLS_RSA_WITH_AES_256_GCM_SHA384 x3d AES256-SHA256 RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA256 x35 AES256-SHA RSA AES 256 TLS_RSA_WITH_AES_256_CBC_SHA xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 x67 DHE-RSA-AES128-SHA256 DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 TLS_DHE_RSA_WITH_AES_128_CBC_SHA x9c AES128-GCM-SHA256 RSA AESGCM 128 TLS_RSA_WITH_AES_128_GCM_SHA256 x3c AES128-SHA256 RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA256 x2f AES128-SHA RSA AES 128 TLS_RSA_WITH_AES_128_CBC_SHA Peter --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org