curl-library

Re: NSS cipher list in CURLOPT_SSL_CIPHER_LIST

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Tue, 17 May 2016 15:15:52 +0200

On Tuesday, May 17, 2016 14:45:50 Oliver Graute wrote:
> Hello,
>
> I found a mismatch in the documentation of ciphers for curl and
> modnss. I'm not sure who is wrong here or if it's a simple lack in
> documentation of ciphersuites. So I cross-post it.
>
> I followed the curl doc "CURLOPT_SSL_CIPHER_LIST" explained here
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
>
> and then I followed this hint:
>
> For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5',
> 'rsa_aes_128_sha', etc. With NSS you don't add/remove ciphers. If one uses
> this option then all known ciphers are disabled and only those passed in
> are enabled.
>
> You'll find more details about the NSS cipher lists on this URL:
>
> http://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives
>
> So if I'm using the ciphers in curl like specified there:
>
> <li>ecdhe_ecdsa_aes_128_sha_256</li>
>
> So there is no gcm or cbc mentioned here.
>
> in curl I got:
> Unknown cipher in list: ecdhe_ecdsa_aes_128_sha_256
>
> with gcm or with cbc in the cipher string it is working fine:
>
> ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_cbc_sha_256
>
> But this is nowhere specified.
>
> Is this wrong documentation or is this inaccurate in curl or nss?

I am not sure how the "cbc" substring disappeared from the cipher string
that mod_nss uses for TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. It seems to
be a mistake.

The best way to avoid troubles like this would be to move the table mapping
cipher-suite names to the actual cipher-suites to NSS itself. There is an
upstream bug requesting exactly that:

https://bugzilla.mozilla.org/480174

Kamil

> Best regards,
>
> Oliver
> -------------------------------------------------------------------
> List admin: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html

Received on 2016-05-17
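
A pre-flight check for the failure discussed in this thread, as an added example that is not code from curl, NSS or mod_nss: it rejects a cipher list at the first name missing from the mapping table and reports table names that differ from it by one missing token such as `cbc` or `gcm`. The table is a constructed four-row excerpt using the short names quoted above, and `check_cipher_list` and `one_token_short` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed excerpt of a name -> suite table (not curl's or mod_nss's own):
   short names are those quoted in the thread, suite names are IANA's. */
static const char *table[][2] = {
  {"rsa_rc4_128_md5", "TLS_RSA_WITH_RC4_128_MD5"},
  {"rsa_aes_128_sha", "TLS_RSA_WITH_AES_128_CBC_SHA"},
  {"ecdhe_ecdsa_aes_128_cbc_sha_256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"},
  {"ecdhe_ecdsa_aes_128_gcm_sha_256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
};
#define NTABLE (sizeof(table) / sizeof(table[0]))

/* 1 if `name` is `full` with one '_'-delimited token (not the last) removed. */
static int one_token_short(const char *full, const char *name) {
  for(size_t s = 0, e; full[s]; s = e + 1) {
    e = s + strcspn(full + s, "_");
    if(!full[e]) break;                       /* last token: stop */
    if(!strncmp(full, name, s) && !strcmp(full + e + 1, name + s)) return 1;
  }
  return 0;
}

/* Every name in the comma-separated list must be in the table; the first
   unknown one fails the list. Returns the count resolved, or -1 with the
   unknown name in `bad` and the indexes of near-miss table rows in `hints`. */
int check_cipher_list(const char *list, char *bad, size_t badlen,
                      int *hints, int max, int *nhints) {
  int ok = *nhints = 0;
  for(const char *p = list; *p; p += (*p == ','), ok++) {
    size_t len = strcspn(p, ","), i;
    for(i = 0; i < NTABLE; i++)
      if(strlen(table[i][0]) == len && !strncmp(table[i][0], p, len)) break;
    if(i == NTABLE) {
      snprintf(bad, badlen, "%.*s", (int)len, p);
      for(i = 0; i < NTABLE && *nhints < max; i++)
        if(one_token_short(table[i][0], bad)) hints[(*nhints)++] = (int)i;
      return -1;
    }
    p += len;
  }
  return ok;
}

int main(void) {
  const char *in = "ecdhe_ecdsa_aes_128_sha_256"; char bad[64]; int hints[4], n;
  if(check_cipher_list(in, bad, sizeof(bad), hints, 4, &n) < 0)
    printf("Unknown cipher in list: %s\n", bad);
  for(int i = 0; i < n; i++)
    printf("  did you mean %s (%s)?\n", table[hints[i]][0], table[hints[i]][1]);
}
```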