Nice catch. Thanks for looking into it. Cheers,
-Tom

On Thu, Mar 27, 2014 at 9:22 AM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Thu, Mar 27, 2014, Thomas Montroy wrote:
>
> > hi Jeff,
> >
> > Thanks for the response, but I'm still having trouble.
> >
> > As for TLSv1.2:
> >
> > With the OS version of openssl, my default connection looks to be TLSv1.1
> >
> > However, if I add -tls1_2 to the call, I get this:
> > SSL-Session:
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-RSA-AES256-GCM-SHA384
> >
> > Should this be considered accurate (or should I verify with wireshark?)?
> >
> > I compiled the openssl-1.0.2-beta and its default connections look to be
> > TLSv1.2. However, I still fail to connect with any ECDHE-ECDSA.
> >
> > One interesting point is that mail.google.com has at least two certificates,
> > one with ECDHE-RSA and one with ECDHE-ECDSA. When I connect to
> > mail.google.com in the browser, I get ECDHE-ECDSA. I can also see both
> > certs with gnutls-cli.
> >
> > I made a test certificate using ECDHE-ECDSA so I'm guessing that means the
> > capability is compiled in.
> >
>
> An interesting little puzzle. I reproduced your results and using Firefox I
> can see the ECDSA certificate but OpenSSL chokes if you try to restrict the
> handshake to just ECDSA.
>
> After some head scratching I wondered if servername has anything to do with
> it. OpenSSL doesn't send servername by default but some other applications
> do. Adding servername like this:
>
> openssl s_client -connect mail.google.com:443 -servername mail.google.com
>
> does the trick and you then get:
>
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
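Steve's -servername check, as an added example that is not code from the thread: a small POSIX shell script that pulls Protocol and Cipher out of the SSL-Session block s_client prints and compares one host with and without SNI. It assumes an openssl binary on PATH; the probe, session_summary and cipher_auth helpers are my own names, cipher_auth only reads the second token of an OpenSSL suite name (the authentication algorithm in ECDHE-/DHE- suites), and the sample session block is constructed from the values Steve reported.

```shell
#!/bin/sh
# Added example: does sending SNI change the certificate/cipher a server picks?
# Assumes openssl on PATH. Note that OpenSSL 1.1.1 and later send SNI by
# default in s_client, so the "without SNI" probe there needs -noservername.

# Pull Protocol and Cipher out of the SSL-Session block on stdin.
# Prints "<protocol> <cipher>"; fails if either line is missing.
session_summary() {
    awk -F': *' '
        /^ *Protocol *:/ { proto = $2 }
        /^ *Cipher *:/   { cipher = $2 }
        END {
            if (proto == "" || cipher == "") exit 1
            print proto " " cipher
        }'
}

# Authentication family of a suite name such as ECDHE-ECDSA-AES128-GCM-SHA256.
# Assumption: the second dash-separated token holds the auth algorithm, which
# is true for OpenSSL's ECDHE-/DHE- suite names used in this thread.
cipher_auth() {
    printf '%s\n' "$1" | awk -F- '{ print $2 }'
}

# One handshake against $1:443, with SNI when $2 is non-empty, else without.
probe() {
    host=$1; sni=$2
    if [ -n "$sni" ]; then
        openssl s_client -connect "$host:443" -servername "$sni" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$host:443" </dev/null 2>/dev/null
    fi | session_summary
}

# Constructed sample: the session block Steve got with -servername set.
SAMPLE_WITH_SNI='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256'

if [ $# -gt 0 ]; then
    # Live comparison, e.g.: ./sni_check.sh mail.google.com
    echo "without SNI: $(probe "$1")"
    echo "with SNI:    $(probe "$1" "$1")"
else
    # Offline: parse the constructed sample and name its auth algorithm.
    summary=$(printf '%s\n' "$SAMPLE_WITH_SNI" | session_summary)
    echo "$summary (auth: $(cipher_auth "${summary#* }"))"
fi
```

Two different cipher_auth results for the same host are exactly the symptom in the thread: the server holds an RSA and an ECDSA chain and selects by the name the client sends.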