> I'm running ubuntu (12.04, I think) on a VM on a Macbook Air using VMware. I
> tried the default ubuntu SSL, 1.0.1f, 1.0.1c and 1.0.2beta1, no luck in any
> case.
> ...
> Any ideas why I can't do that with openssl?

Ubuntu disables TLS 1.1 and 1.2 in their version of OpenSSL. See, for
example, "OpenSSL downlevel version is 1.0.0, and does not support TLS
1.2", https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1256576.

You should be able to connect with -tls1; or build/install OpenSSL
yourself and use the one installed at /usr/local/ssl/bin/openssl.

> openssl s_client -connect mail.google.com:443 -tls1_2 -cipher

You can also use the -CAfile option for s_client to avoid the verify
error. Use Google's Google Internet Authority G2 at
http://pki.google.com/.

Jeff

On Wed, Mar 26, 2014 at 4:14 PM, Thomas Montroy <tom.mont...@gmail.com> wrote:
> hi All,
>
> I've been trying to make ECDHE-ECDSA connections with openssl and have been
> having trouble.
>
>
> openssl s_client -connect mail.google.com:443 -tls1_2
> This connects with cipher = ECDHE-RSA-AES128-GCM-SHA256
>
> According to Google-Chrome, the cipher for my web-based gmail connection
> should be:
> ECDHE-ECDSA-AES128-GCM-SHA256
>
> If I try to make that connection
>
> openssl s_client -connect mail.google.com:443 -tls1_2 -cipher
> ECDHE-ECDSA-AES128-GCM-SHA256
>
> I get:
>
> CONNECTED(00000003)
> 139818747868832:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert
> handshake failure:s3_pkt.c:1440:SSL alert number 40
> 139818747868832:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake
> failure:s3_pkt.c:617:
>
> which looks like no connection.
>
> I'm running ubuntu (12.04, I think) on a VM on a Macbook Air using VMware. I
> tried the default ubuntu SSL, 1.0.1f, 1.0.1c and 1.0.2beta1, no luck in any
> case.
>
> I downloaded and compiled the latest version of gnutls:
>
> This gives an ECDHE-ECDSA connection
> gnutls-cli --priority=NORMAL:-KX-ALL:+ECDHE-ECDSA mail.google.com
>
> This gives an ECDHE-RSA
> gnutls-cli --priority=NORMAL:-KX-ALL:+ECDHE-RSA mail.google.com
>
> So I'm able to see both types of certificates for mail.google.com with
> gnutls.
>
> Any ideas why I can't do that with openssl?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
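
An added example, not part of the original thread: a small decoder for the two s_client error lines quoted above, which shows that the first is a TLS alert received from the server and the second is the local failure that follows from it. It assumes the OpenSSL 1.0.x error-code packing (8-bit library, 12-bit function, 12-bit reason) and the SSL_AD_REASON_OFFSET of 1000; the function names and the sample string are constructed for this example.

```python
import re

# Constructed sample: the two error lines quoted in the message, unwrapped.
SAMPLE = (
    "139818747868832:error:14094410:SSL routines:ssl3_read_bytes:"
    "sslv3 alert handshake failure:s3_pkt.c:1440:SSL alert number 40\n"
    "139818747868832:error:1409E0E5:SSL routines:ssl3_write_bytes:"
    "ssl handshake failure:s3_pkt.c:617:\n"
)

ERR_LIB_SSL = 20             # library number of the SSL routines
SSL_AD_REASON_OFFSET = 1000  # SSL reasons above this are alerts sent by the peer
# Subset of TLS alert descriptions (RFC 5246, section 7.2).
ALERTS = {10: "unexpected_message", 20: "bad_record_mac",
          40: "handshake_failure", 42: "bad_certificate",
          47: "illegal_parameter", 48: "unknown_ca",
          70: "protocol_version", 71: "insufficient_security",
          80: "internal_error"}

# thread-id:error:<8 hex digits>:lib:func:reason:file:line:extra-data
LINE = re.compile(r"^\d+:error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):"
                  r"([^:]+):(\d+):(.*)$")

def decode(line):
    """Split one error line and unpack its 32-bit code; None if no match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    code = int(m.group(1), 16)
    rec = {"lib": code >> 24, "func": (code >> 12) & 0xFFF,
           "reason": code & 0xFFF, "func_name": m.group(3),
           "text": m.group(4), "where": m.group(5) + ":" + m.group(6),
           "alert": None, "alert_name": None, "origin": "local"}
    if rec["lib"] == ERR_LIB_SSL and rec["reason"] > SSL_AD_REASON_OFFSET:
        # The remote side sent an alert; the local stack only reports it.
        rec["alert"] = rec["reason"] - SSL_AD_REASON_OFFSET
        rec["alert_name"] = ALERTS.get(rec["alert"], "unknown")
        rec["origin"] = "peer"
    return rec

def decode_all(text):
    """Decode every line of s_client error output that matches the format."""
    return [r for r in map(decode, text.splitlines()) if r]

if __name__ == "__main__":
    for r in decode_all(SAMPLE):
        print(r["origin"], r["func_name"], r["reason"], r["alert_name"])
```

A "peer" result with alert 40 means the server refused the handshake parameters offered by the client, so the place to look is what the client offered (protocol version, cipher list) rather than a local library fault.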
