Re: [PATCH v2] TLS False Start support for NSS
Date: Mon, 09 Mar 2015 14:00:23 +0100
On Monday 09 March 2015 13:37:20 Alessandro Ghedini wrote:
> Looks like you are right. I think I looked into an older firefox release and
> missed a whole bunch of other checks (like the fact that firefox now only
> allows ECDHE and AES GCM).
> I'll update the patch shortly and also add comments.
That would be cool. Thanks!
> It seems I'm having some problem with nss and ECDHE though: I updated my
> server's configuration to only allow ECDHE but when I use curl built with
> nss I get:
> > % src/curl https://ghedini.me -v
> > * STATE: INIT => CONNECT handle 0xe2f658; line 1046 (connection #-5000)
> > * Rebuilt URL to: https://ghedini.me/
> > * Added connection 0. The cache now contains 1 members
> > * STATE: CONNECT => WAITRESOLVE handle 0xe2f658; line 1083 (connection #0)
> > * Trying 184.108.40.206...
> > * STATE: WAITRESOLVE => WAITCONNECT handle 0xe2f658; line 1163 (connection #0)
> > * Connected to ghedini.me (220.127.116.11) port 443 (#0)
> > * STATE: WAITCONNECT => SENDPROTOCONNECT handle 0xe2f658; line 1202 (connection #0)
> > * Marked for [keep alive]: HTTP default
> > * Initializing NSS with certpath: none
> > * CAfile: /etc/ssl/certs/ca-certificates.crt
> > CApath: none
> > * STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0xe2f658; line 1216 (connection #0)
> > * NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
> > * Cannot communicate securely with peer: no common encryption algorithm(s).
> > * Marked for [closure]: Failed HTTPS connection
> > * Closing connection 0
> > * The cache now contains 0 members
> > * Expire cleared
> > curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
> Any idea on what may be causing this? Using chromium built against the same
> libnss works fine, so maybe it's a curl problem? The nss version is 3.17.2.
I guess you need to enable the cipher-suites on the client's side because NSS
does not enable all of them by default:
List admin: http://cool.haxx.se/list/listinfo/curl-library
Received on 2015-03-09