On Thu, Mar 27, 2014, Dr. Stephen Henson wrote:
> On Thu, Mar 27, 2014, Thomas Montroy wrote:
>
> > Hi Jeff,
> >
> > Thanks for the response, but I'm still having trouble.
> >
> > As for TLSv1.2:
> >
> > With the OS version of openssl, my default connection looks to be TLSv1.1.
> >
> > However, if I add -tls1_2 to the call, I get this:
> > SSL-Session:
> > Protocol : TLSv1.2
> > Cipher : ECDHE-RSA-AES256-GCM-SHA384
> >
> > Should this be considered accurate (or should I verify with wireshark?)?
> >
> > I compiled the openssl-1.0.2-beta and its default connection looks to be
> > TLSv1.2. However, I still fail to connect with any ECDHE-ECDSA.
> >
> > One interesting point is that mail.google.com has at least two certificates,
> > one with ECDHE-RSA and one with ECDHE-ECDSA. When I connect to
> > mail.google.com in the browser, I get ECDHE-ECDSA. I can also see both
> > certs with gnutls-cli.
> >
> > I made a test certificate using ECDHE-ECDSA so I'm guessing that means the
> > capability is compiled in.
> >
>
> An interesting little puzzle. I reproduced your results and using Firefox I
> can see the ECDSA certificate, but OpenSSL chokes if you try to restrict the
> handshake to just ECDSA.
>
> After some head scratching I wondered if servername has anything to do with
> it. OpenSSL doesn't send servername by default but some other applications
> do. Adding servername like this:
>
> openssl s_client -connect mail.google.com:443 -servername mail.google.com
>
> does the trick and you then get:
>
> Protocol : TLSv1.2
> Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
>
Just had an update from Rob Stradling, whose message hasn't made it to the list yet. If OpenSSL is compiled with zlib support, you also have to disable compression using -no_comp.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
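The check described in this thread, written up as a small POSIX shell helper (an added example, not code from the thread or from the OpenSSL project): it runs s_client with the -servername, -no_comp and -cipher ECDHE-ECDSA options discussed above, once without SNI and once with it, and pulls Protocol and Cipher out of the SSL-Session summary so the two runs can be compared. The function names parse_session, probe and compare, and the sample output in the comments, are mine.

```shell
#!/bin/sh
# Added example, not from the thread. Shows whether a server only selects
# its ECDSA certificate when SNI is present, using the flags discussed in
# the thread. Function names are assumptions made for this example.

# Extract "Protocol : X" and "Cipher : Y" from s_client's SSL-Session
# block on stdin; prints "X Y" (both empty if no session was printed,
# i.e. the handshake failed).
parse_session() {
  awk '/^ *Protocol *:/ { p = $3 }
       /^ *Cipher *:/   { c = $3 }
       END { print p " " c }'
}

# probe HOST PORT [SNI]: handshake restricted to ECDHE-ECDSA suites,
# compression disabled (-no_comp, required on zlib-enabled builds),
# SNI sent only when a third argument is given.
probe() {
  host=$1; port=$2; sni=$3
  set -- -connect "$host:$port" -no_comp -cipher ECDHE-ECDSA
  if [ -n "$sni" ]; then
    set -- "$@" -servername "$sni"
  fi
  openssl s_client "$@" </dev/null 2>/dev/null | parse_session
}

# compare HOST PORT: run both probes and print the results side by side.
# Without SNI the ECDSA-only handshake is expected to fail (empty line);
# with SNI it is expected to report TLSv1.2 and an ECDHE-ECDSA suite.
compare() {
  echo "without SNI: $(probe "$1" "$2")"
  echo "with SNI:    $(probe "$1" "$2" "$1")"
}

# Uncomment to run against a live host (needs network access):
# compare mail.google.com 443
```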