It's not strange.
You removed the RSA-* ciphersuites from the client side; the result is that the server
can't find anything in common between what the client proposed and what
the server accepts. The error you get has been sent by the server.
--
Erwann ABALEA
On 11/12/2013 22:34, Walter H. wrote:
Hello,
Thanks for your reply;
Very strange in FF:
when I disable the use of the RSA-* ciphersuites in FF, I get the
following error:
Secure Connection failed
Cannot communicate securely with peer: no common encryption algorithm(s).
(Error code: ssl_error_no_cypher_overlap)
the certificate is modelled on the original certificate;
look at the original certificate of https://www.google.nl
Thanks,
Walter
On 11.12.2013 20:56, Erwann Abalea wrote:
Hello,
The certificate specifies "digitalSignature" as its sole key usage.
That means the certified key can only be used to sign data, and not
perform any decrypt operation.
If your server+client are negotiating an (EC)DHE-RSA-* ciphersuite,
that's OK because the server's RSA private key will then be used to
sign the (EC)DHE parameters and ephemeral public key, and the key
exchange mechanism will be based on (EC)DHE.
But if the negotiated ciphersuite is AES-* or DES-* or RC4-* or
anything similar using RSA as the key exchange mechanism, it won't
work because the private key will then be used to decrypt the
premaster secret.
Only NSS checks this, so Firefox under any OS, and Chrome under Linux.
If you want to get rid of this message, choose either one of:
- create a new certificate for your server with
keyUsage=digitalSignature+keyEncipherment
- set up your server to only allow (EC)DHE key exchange mechanisms,
by tweaking its acceptable ciphersuites
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
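The two fixes Erwann lists (a certificate whose keyUsage also carries keyEncipherment, or a server cipher list restricted to (EC)DHE key exchange), worked through with the openssl CLI. This is an added example, not code from the thread or from the OpenSSL project: it generates a self-signed certificate with keyUsage=digitalSignature only, a second one with digitalSignature,keyEncipherment, reads the Key Usage extension back, and reports whether each certificate may take part in a plain RSA key exchange (where the server must decrypt the premaster secret). It also builds a cipher string with only ephemeral key exchange and checks with `openssl ciphers -v` that nothing in it uses Kx=RSA. The subject name, file names and the cipher string are assumptions made for the example; it needs an `openssl` binary on PATH.

```shell
#!/bin/sh
# Added example for the keyUsage / key-exchange point in the thread above.
# Assumptions (not from the thread): openssl on PATH; the subject name,
# file names and cipher string below are made up for this demonstration.
set -e

# Write one RSA key and two self-signed certificates into "$1":
#   sigonly.pem  keyUsage = digitalSignature                   (what the thread's server had)
#   both.pem     keyUsage = digitalSignature, keyEncipherment  (the first fix)
make_demo_certs() {
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = demo.example.test
[v3_sigonly]
keyUsage = critical, digitalSignature
[v3_both]
keyUsage = critical, digitalSignature, keyEncipherment
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/key.pem" -days 1 -config "$dir/demo.cnf" \
        -extensions v3_sigonly -out "$dir/sigonly.pem"
    openssl req -x509 -new -key "$dir/key.pem" -days 1 -config "$dir/demo.cnf" \
        -extensions v3_both -out "$dir/both.pem"
}

# Print the Key Usage line of a certificate, e.g. "Digital Signature, Key Encipherment",
# or "(absent)" when the certificate carries no keyUsage extension at all.
key_usage_of() {
    ku=$(openssl x509 -in "$1" -noout -text |
         awk '/X509v3 Key Usage/ { getline; sub(/^[ \t]+/, ""); print; exit }')
    printf '%s\n' "${ku:-(absent)}"
}

# Return 0 when the certificate may be used for a plain RSA key exchange
# (RFC 5246: keyEncipherment must be set if the extension is present), 1 when
# an NSS client such as Firefox would reject that and only (EC)DHE-RSA-* works.
rsa_kx_usable() {
    case "$(key_usage_of "$1")" in
        '(absent)'|*'Key Encipherment'*) return 0 ;;
        *) return 1 ;;
    esac
}

# The second fix: a server cipher string that leaves only ephemeral (EC)DH
# key exchange, so the RSA private key is only ever asked to sign.
ephemeral_only_ciphers() {
    printf '%s\n' 'kEECDH:kEDH:!aNULL:!eNULL'
}

# Return 0 when no cipher in the string uses static RSA key exchange (Kx=RSA),
# 1 when at least one does or the string matches nothing.
no_static_rsa_kx() {
    out=$(openssl ciphers -v "$1") || return 1
    printf '%s\n' "$out" | grep -q 'Kx=RSA ' && return 1
    return 0
}

# Demo: build both certificates and report what each one permits.
tmp=$(mktemp -d)
make_demo_certs "$tmp"
for c in sigonly both; do
    if rsa_kx_usable "$tmp/$c.pem"; then
        verdict="RSA key exchange allowed"
    else
        verdict="RSA key exchange rejected by NSS; serve (EC)DHE only"
    fi
    printf '%-8s keyUsage: %-38s -> %s\n' "$c" "$(key_usage_of "$tmp/$c.pem")" "$verdict"
done
printf 'ephemeral-only cipher string: %s\n' "$(ephemeral_only_ciphers)"
rm -rf "$tmp"
```

Run it as `sh demo.sh`; the sigonly certificate is reported as unusable for RSA key exchange while the both certificate passes, and the cipher string is confirmed free of Kx=RSA suites. Note that OpenSSL itself does not enforce keyUsage on the server side, so an `openssl s_server`/`s_client` pair would happily complete an RSA key exchange with the sigonly certificate; the check above predicts what an NSS client does rather than what OpenSSL permits.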