On Mon, May 16, 2011 at 11:56:41AM +0100, Mike Bell wrote:
> Thanks Viktor,
>
> I hadn't properly understood the relationship between the certificate
> and the cipher, so I'll look at that now. I think I'm also confusing
> the OpenVPN & OpenSSL relationship.
>
> OpenVPN does appear to be using TL
m e.g. (AES-128-CBC) with a cipher-suite,
which specifies also the authentication and message digest algorithms.
Generally, OpenSSL ciphersuites are defined for TLS. It is not clear
how these translate to your VPN device.
--
Viktor.
From: Victor Duchovni
To: "openssl-users@openssl.org"
On Fri, May 13, 2011 at 06:36:34PM +0100, Mike Bell wrote:
> I had originally put
> cipher AES-128-CBC
> in SERVER.OVPN & CLIENT.OVPN, not OPENSSL.CNF files (it's been a long week!)
I am not familiar with your VPN product, so you'll have to figure out
what configuration options are applicable. I
urity people are insisting on AES and either EC
DSA, DSA or RSA as the signature algorithm, but with a preference for ECDSA.
Thanks
From: Victor Duchovni
To: "openssl-users@openssl.org"
Sent: Friday, 13 May 2011, 17:56
Subject: Re: No shared cipher error using ECDSA
On Fri, May
On Fri, May 13, 2011 at 05:41:52PM +0100, Mike Bell wrote:
> However I keep getting a "no shared cipher" error.
>
> In my client & server openssl.cnf files I've specified
> cipher AES-128-CBC
This is not an EC cipher, and if you configure an EC cert, but specify
a cipher that is one of the ones
Hi,
I've generated certificates based on the secp256r1 curve and a connection to
the server can be established not only with FireFox, but also Internet
Explorer and Chrome. It must be that secp160r2 is not supported by the
browsers. Do you think it would be possible to add a more descriptive error
On Thu July 8 2010, Dirk Menstermann wrote:
> Hi,
>
> on https://developer.mozilla.org/en/Security_in_Firefox_2 I found that FF 2 does
> support only curves with 256, 384, and 521. Maybe this is the same for FF 3 and
> your 160 bit curve is not supported.
>
Try: about:config in your browse
Hi,
on https://developer.mozilla.org/en/Security_in_Firefox_2 I found that FF 2 does
support only curves with 256, 384, and 521. Maybe this is the same for FF 3 and
your 160 bit curve is not supported.
Bye
Dirk
Alex Birkett wrote:
> Hi,
>
> Firefox 3.6.2 supports the TLS_ECDHE_ECDSA_WITH_AES_2
Hi Alex,
are you sure, ff is talking to the same server on port 4433?
Do you get a successful handshake when using a different ciphersuite on the
server?
Patrick Eisenacher
-Original Message-
From: Alex Birkett
Hi Patrick,
openssl s_client -connect localhost:4433 -cipher ECDHE-ECDSA
Hi Patrick,
openssl s_client -connect localhost:4433 -cipher ECDHE-ECDSA-AES256-SHA
works fine it sends the following cipher suite in the client hello message:
Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
Just double checked with wireshark and FF also sends
Cipher Suite: TLS_ECDHE_
Hi Alex,
if you configure s_client with the same list of ciphersuites that firefox
sends, then s_server will show the same reaction. That means your ff and your
s_client send different lists of ciphersuites.
You seem to invoke s_client with the standard list of ciphersuites...whatever
that is.
Hi Patrick,
Thanks for your response. FF 3.6.2 is
sending TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA in its client hello message.
The command line OpenSSL client can be made to connect using this cipher
suite. Any ideas?
Thanks,
Alex
On 8 July 2010 13:41, Eisenacher, Patrick wrote:
> Hi Alex,
>
Hi Alex,
just check the list of ciphersuites that FF sends in its client hello message
and you'll see which ciphersuites FF supports.
HTH,
Patrick Eisenacher
-Original Message-
From: Alex Birkett
Hi,
Firefox 3.6.2 supports the TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA cipher suite.
I've co
Thanks everyone for the help, I think I am getting closer. All of the SSL
has been removed from the listener (makes much more sense to me now), and
the Init routine has had CRYPTO_malloc_init() and
ENGINE_load_builtin_engines() added (it already had the other "basic"
routines).
When I use my clien
Aw, shoot. I see this is a re-issue of your question and others have
provided better answers already a few hours ago.
Keeping your browser open all night doesn't make gmail show a fresh
bunch when you wake up. Time for first coffee, pronto...
Anyway, check that add_all_algo thing anyway. Given you
Nothing glaring, except of course that this error is [almost] always
caused by the absence of a call to
OpenSSL_add_all_algorithms();
which is used to set up SSL with all the available ciphers, hashes, etc.
(And given your init code, I don't see
SSL_load_error_strings()
around either, which he
On Thu, Jan 22, 2009 at 08:51:20PM -0500, Dave Thompson wrote:
> Except as noted above, this sounds reasonable. I assume you realize
> that ALL includes, and could possibly negotiate, some weak ciphers;
> but since you're explicitly adding eNULL you apparently don't care.
> It certainly should be
> From: owner-openssl-us...@openssl.org On Behalf Of Dan Arcari
> Sent: Wednesday, 21 January, 2009 16:18
> I'm wondering if someone can help me with a "no shared cipher" error occurring when I attempt
> SSL_accept? I'll try to explain what's being done as succinctly as possible:
> 1. There are t
Straight from the OpenSSL FAQs...
* Why can't I make an SSL connection to a server using a DSA certificate?
Typically you'll see a message saying there are no shared ciphers when
the same setup works fine with an RSA certificate. There are two possible
causes. The client may not support connections
19 matches