From: Kamil Dudka
Date: Tue, 17 May 2016 15:15:52 +0200

On Tuesday, May 17, 2016 14:45:50 Oliver Graute wrote:
> Hello,
> I found a mismatch in the documentation of ciphers for curl and
> modnss. I'm not sure who is wrong here or if it's a simple lack in
> documentation of ciphersuites. So I cross-post it.
> I followed the curl doc "CURLOPT_SSL_CIPHER_LIST" explained here
> and then I followed this hint:
> For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5',
> 'rsa_aes_128_sha', etc. With NSS you don't add/remove ciphers. If one uses
> this option then all known ciphers are disabled and only those passed in
> are enabled.
> You'll find more details about the NSS cipher lists on this URL:
> ves
> So if I'm using the ciphers in curl like specified there:
> <li>ecdhe_ecdsa_aes_128_sha_256</li>
> So here no gcm or cbc is mentioned.
> In curl I got:
> Unknown cipher in list: ecdhe_ecdsa_aes_128_sha_256
> With gcm or with cbc in the cipher string it is working fine:
> ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_cbc_sha_256
> But this is nowhere specified.
> Is this a wrong documentation or is this inaccurate in curl or nss?

I am not sure how the "cbc" substring disappeared from the cipher string
that mod_nss uses for TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. It seems to
be a mistake.

The best way to avoid troubles like this would be to move the table mapping
cipher-suite names to the actual cipher-suites to NSS itself. There is an
upstream bug requesting exactly that:


> Best regards,
> Oliver
Received on 2016-05-17
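
The behaviour discussed in this thread (every suite disabled first, only the listed names enabled, the whole list rejected on one unknown name), as an added pre-flight check that is not code from curl, NSS or mod_nss. The table is a constructed subset holding only names quoted in the thread; `select_ciphers`, `UnknownCipher`, the whitespace and case handling, and the near-match hint are assumptions of this sketch.

```python
import difflib

# Constructed subset of a name -> cipher-suite table (assumption: the real
# table is much longer; only names quoted in the thread are listed).
KNOWN = {
    "rsa_rc4_128_md5": "TLS_RSA_WITH_RC4_128_MD5",
    "rsa_aes_128_sha": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "ecdhe_ecdsa_aes_128_cbc_sha_256": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "ecdhe_ecdsa_aes_128_gcm_sha_256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
}


class UnknownCipher(ValueError):
    """Raised for a name missing from the table; carries near-match hints."""

    def __init__(self, name, suggestions):
        super().__init__(f"Unknown cipher in list: {name}")
        self.name = name
        self.suggestions = suggestions


def select_ciphers(cipher_list, table=KNOWN):
    """Return {suite: enabled} for a comma-separated list of cipher names."""
    # Everything starts disabled: the list is an allowlist, not a modifier.
    enabled = {suite: False for suite in table.values()}
    for raw in cipher_list.split(","):
        name = raw.strip().lower()  # assumption: tolerate spaces and case
        if not name:
            continue
        if name not in table:
            # Fail closed on the whole list and report similar known names,
            # which exposes a dropped "cbc"/"gcm" component immediately.
            hints = difflib.get_close_matches(name, table, n=3, cutoff=0.8)
            raise UnknownCipher(name, hints)
        enabled[table[name]] = True
    return enabled


if __name__ == "__main__":
    try:
        select_ciphers("ecdhe_ecdsa_aes_128_sha_256")
    except UnknownCipher as err:
        print(err, "- did you mean:", ", ".join(err.suggestions))
```
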