
curl-library

Re: [PATCH v2] TLS False Start support for NSS

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Mon, 09 Mar 2015 14:00:23 +0100

On Monday 09 March 2015 13:37:20 Alessandro Ghedini wrote:
> Looks like you are right. I think I looked into an older firefox release and
> missed a whole bunch of other checks (like the fact that firefox now only
> allows ECDHE and AES GCM).
>
> I'll update the patch shortly and also add comments.

That would be cool. Thanks!

> It seems I'm having some problem with nss and ECDHE though: I updated my
> server's configuration to only allow ECDHE but when I use curl built with nss
> I get:
> > % src/curl https://ghedini.me -v
> > * STATE: INIT => CONNECT handle 0xe2f658; line 1046 (connection #-5000)
> > * Rebuilt URL to: https://ghedini.me/
> > * Added connection 0. The cache now contains 1 members
> > * STATE: CONNECT => WAITRESOLVE handle 0xe2f658; line 1083 (connection #0)
> > * Trying 149.154.152.214...
> > * STATE: WAITRESOLVE => WAITCONNECT handle 0xe2f658; line 1163 (connection #0)
> > * Connected to ghedini.me (149.154.152.214) port 443 (#0)
> > * STATE: WAITCONNECT => SENDPROTOCONNECT handle 0xe2f658; line 1202 (connection #0)
> > * Marked for [keep alive]: HTTP default
> > * Initializing NSS with certpath: none
> > *   CAfile: /etc/ssl/certs/ca-certificates.crt
> >   CApath: none
> > * STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0xe2f658; line 1216 (connection #0)
> > * NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
> > * Cannot communicate securely with peer: no common encryption algorithm(s).
> > * Marked for [closure]: Failed HTTPS connection
> > * Closing connection 0
> > * The cache now contains 0 members
> > * Expire cleared
> > curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
> Any idea on what may be causing this? Using chromium built against the same
> libnss works fine, so maybe it's a curl problem? The nss version is 3.17.2.

I guess you need to enable the cipher-suites on the client's side because NSS
does not enable all of them by default:

https://bugzilla.redhat.com/1185708

Kamil
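An added example, not part of the thread: a small checker that reads a `curl -v` trace like the one quoted above, picks out the NSS error and curl exit code, and flags SSL_ERROR_NO_CYPHER_OVERLAP as a client-side cipher-suite configuration problem. The sample trace is constructed from the lines in the thread; the ECDHE cipher names it suggests for `--ciphers` are assumed to match curl's NSS cipher table for your build.

```python
import re

# Constructed sample: the relevant lines of the `curl -v` output quoted in the
# thread (curl built against NSS, server offering only ECDHE suites).
SAMPLE_TRACE = """\
* Initializing NSS with certpath: none
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* NSS error -12286 (SSL_ERROR_NO_CYPHER_OVERLAP)
* Cannot communicate securely with peer: no common encryption algorithm(s).
* Closing connection 0
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
"""

NSS_ERROR_RE = re.compile(r"NSS error (-?\d+) \((\w+)\)")
CURL_EXIT_RE = re.compile(r"^curl: \((\d+)\)", re.MULTILINE)

# ECDHE + AES-GCM suite names in curl's NSS backend naming (assumption: check
# the cipher table of the curl build you are using before relying on these).
ECDHE_GCM_SUITES = [
    "ecdhe_ecdsa_aes_128_gcm_sha_256",
    "ecdhe_rsa_aes_128_gcm_sha_256",
]


def diagnose(trace):
    """Classify the TLS failure in a curl -v trace; returns a dict."""
    result = {"backend": None, "nss_error": None, "nss_error_name": None,
              "curl_exit": None, "cause": "unknown", "suggested_ciphers": None}
    if "Initializing NSS" in trace:
        result["backend"] = "nss"
    m = NSS_ERROR_RE.search(trace)
    if m:
        result["nss_error"] = int(m.group(1))
        result["nss_error_name"] = m.group(2)
    m = CURL_EXIT_RE.search(trace)
    if m:
        result["curl_exit"] = int(m.group(1))
    # NSS reports -12286 when client and server share no cipher suite; with
    # NSS the usual fix is enabling the missing suites on the client side.
    if result["nss_error_name"] == "SSL_ERROR_NO_CYPHER_OVERLAP":
        result["cause"] = "no shared cipher suite; enable ECDHE suites on the client"
        result["suggested_ciphers"] = ",".join(ECDHE_GCM_SUITES)
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_TRACE))
```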
Received on 2015-03-09