As requested here are two captures attached: one successfully handshakes with the server (chrome) and one fails the handshake (firefox). I would be very grateful if anyone could shed some light on this.
The openssl version which is linked to my server/relay program is 1.0.2s.

Thanks
/Patrick

On Mon, 2019-06-10 at 13:41 -0400, Viktor Dukhovni wrote:
> On Mon, Jun 10, 2019 at 03:21:16PM +0000, Patrick Regnouf via openssl-users wrote:
>
> > All is well and good when the program works on the linux PC and the
> > handshake is successful using the 0xc02f cipher. And that is linked to
> > version 3.0.0 of openssl. On the embedded version (linked with version
> > 1.0.2s), firefox fails the handshake with ssl_no_shared_cipher whereas
> > chrome and safari do successfully handshake. Chrome client hello contains
> > 12 ciphers and the server hello seems to choose 0xc02f cipher. Firefox
> > client hello contains only 10 ciphers (including the above mentioned 0xc02f
> > cipher) and fails. Any suggestion as to what could cause that failure
> > would be appreciated.
>
> In addition to the cipher algorithm, the two parties must also agree
> on the signature algorithms, supported EC groups, ...
>
> You've not provided much detail about the configuration of the
> embedded (1.0.2s) server. The cipher that works with the other
> browsers is:
>
>   0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
>
> this requires a shared ECDHE curve, are you using "auto", or an
> explicit curve? What are the signature algorithms on your certificate
> chain?
>
> It would also be useful to post PCAP files of a working handshake
> with Chrome, and a failing handshake with Firefox.
chrome_success.pcap
Description: application/vnd.tcpdump.pcap
firefox_fail.pcap
Description: application/vnd.tcpdump.pcap
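
Added example, not part of the original thread: the comparison the quoted reply asks for, done on raw ClientHello bytes. It extracts the cipher suites, supported_groups and signature_algorithms and reports which of the three has no overlap with a server profile. The two client hellos and the `SERVER` profile are constructed sample data and assumptions, not values taken from the attached captures.

```python
import struct

def u16list(data, pos, n):
    """Decode n bytes at pos as a list of big-endian 16-bit code points."""
    return [int.from_bytes(data[i:i + 2], "big") for i in range(pos, pos + n, 2)]

def parse_client_hello(hs):
    """Extract cipher suites, supported_groups and signature_algorithms
    from a ClientHello handshake message (record header already stripped)."""
    if hs[0] != 1 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a complete ClientHello")
    body, pos = hs[4:], 2 + 32                  # skip legacy_version + random
    pos += 1 + body[pos]                        # skip session_id
    n = int.from_bytes(body[pos:pos + 2], "big")
    out = {"ciphers": u16list(body, pos + 2, n), "groups": [], "sigalgs": []}
    pos += 2 + n
    pos += 1 + body[pos]                        # skip compression_methods
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big") if pos < len(body) else pos
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack_from(">HH", body, pos)
        if etype in (10, 13):                   # supported_groups / signature_algorithms
            n = int.from_bytes(body[pos + 4:pos + 6], "big")
            out["groups" if etype == 10 else "sigalgs"] = u16list(body, pos + 6, n)
        pos += 4 + elen
    return out

def missing_overlap(hello, server):
    """Names of the parameter sets where client and server share nothing."""
    return [k for k in ("ciphers", "groups", "sigalgs")
            if not set(hello[k]) & set(server[k])]

def build_hello(ciphers, groups, sigalgs):
    """Construct a minimal ClientHello for the demo (constructed sample data)."""
    vec = lambda xs: struct.pack(">H", 2 * len(xs)) + b"".join(struct.pack(">H", x) for x in xs)
    ext = lambda t, xs: struct.pack(">HH", t, len(vec(xs))) + vec(xs)
    exts = ext(10, groups) + ext(13, sigalgs)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + vec(ciphers) + b"\x01\x00"
            + struct.pack(">H", len(exts)) + exts)
    return b"\x01" + len(body).to_bytes(3, "big") + body

# Assumed server profile (hypothetical): 0xC02F only, one pinned curve (24 = secp384r1), SHA256+RSA
SERVER = {"ciphers": [0xC02F], "groups": [24], "sigalgs": [0x0401]}
CLIENT_A = build_hello([0xC02B, 0xC02F], [29, 23, 24], [0x0403, 0x0401])
CLIENT_B = build_hello([0xC02B, 0xC02F], [29, 23], [0x0403, 0x0401])

if __name__ == "__main__":
    for name, raw in (("A", CLIENT_A), ("B", CLIENT_B)):
        print(name, missing_overlap(parse_client_hello(raw), SERVER))
```

Both constructed clients offer 0xC02F, yet client B has no group in common with the assumed server, so the suite cannot be used. To apply this to a real capture, pass in the ClientHello handshake bytes from each pcap and replace `SERVER` with the server's actual configuration.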