On Thu, Mar 27, 2014, Thomas Montroy wrote:
> hi Jeff,
>
> Thanks for the response, but I'm still having trouble.
>
> As for TLSv1.2:
>
> With the OS version of openssl, my default connection looks to be TLSv1.1
>
> However, if I add -tls1_2 to the call, I get this:
> SSL-Session:
> Protocol : TLSv1.2
> Cipher : ECDHE-RSA-AES256-GCM-SHA384
>
> Should this be consider accurate (or should I verify with wireshark?)?
>
> I compiled the openssl-1.0.2-beta and it's default connections looks to be
> TLSv1.2 However, I still fail to connect with any ECDHE-ECDSA.
>
> One interesting point is that mail.google.com has at least two certificates
> one with ECDHE-RSA and one with ECDHE-ECDSA. When I connect to
> mail.google.com in the browser, I get ECDHE-ECDSA. I can also see both
> certs with gnutls-cli.
>
> I made a test certificate using ECDHE-ECDSA so I'm guessing that means the
> capability is compiled in.
>
An interesting little puzzle. I reproduced your results and using Firefox I
can see the ECDSA certificate but OpenSSL chokes if you try to restrict the
handshake to just ECDSA.
After some head scratching I wondered if servername has anything to do with
it. OpenSSL doesn't send servername by default but some other applications
do. Adding servername like this:
openssl s_client -connect mail.google.com:443 -servername
mail.google.com
does the trick and you then get:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
