

Re: [Mod_nss-list] NSS cipher list in CURLOPT_SSL_CIPHER_LIST

From: Rob Crittenden
Date: Tue, 17 May 2016 10:10:43 -0400

Kamil Dudka wrote:
> On Tuesday, May 17, 2016 14:45:50 Oliver Graute wrote:
>> Hello,
>> I found a mismatch in the documentation of ciphers for curl and
>> modnss. I'm not sure who is wrong here or if it's a simple lack in
>> documentation of ciphersuites. So I cross post it.
>> I followed the curl doc "CURLOPT_SSL_CIPHER_LIST" explained here
>> and then I followed this hint:
>> For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5',
>> 'rsa_aes_128_sha', etc. With NSS you don't add/remove ciphers. If one uses
>> this option then all known ciphers are disabled and only those passed in
>> are enabled.
>> You'll find more details about the NSS cipher lists on this URL:
>> ves
>> So if I'm using the ciphers in curl like specified there:
>> <li>ecdhe_ecdsa_aes_128_sha_256</li>
>> so here is no gcm and cbc mentioned.
>> in curl I got:
>> Unknown cipher in list: ecdhe_ecdsa_aes_128_sha_256
>> with gcm or with cbc in the cipher string it is working fine:
>> ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_cbc_sha_256
>> But this is nowhere specified.
>> Is this a wrong documentation or is this inaccurate in curl or nss?
> I am not sure how the "cbc" substring disappeared from the cipher string
> that mod_nss uses for TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. It seems to
> be a mistake.

It didn't disappear, it was never there. I guess I didn't maintain the
traditional cipher naming pattern when adding it.

> The best way to avoid troubles like this would be to move the table mapping
> cipher-suite names to the actual cipher-suites to NSS itself. There is an
> upstream bug requesting exactly that:

Right, the bottom line is that there is no universal naming in NSS so
the naming may be slightly different between different implementations.
curl is so close to mod_nss because I used the mod_nss list at the time
to bootstrap the curl list when I added NSS support.

Received on 2016-05-17
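
An added example, not part of the original mail and not curl's or mod_nss's code: a small C model of the behaviour quoted in the thread, where setting a cipher list first disables every suite and then enables only exact name matches, so the mod_nss spelling without "cbc" is rejected. The four-entry table and the helper names `set_cipher_list` and `enabled_iana` are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed four-entry table; a real backend's table is much longer. */
static struct suite { const char *name, *iana; int enabled; } suites[] = {
  { "rsa_rc4_128_md5", "TLS_RSA_WITH_RC4_128_MD5", 1 },
  { "rsa_aes_128_sha", "TLS_RSA_WITH_AES_128_CBC_SHA", 1 },
  { "ecdhe_ecdsa_aes_128_cbc_sha_256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", 1 },
  { "ecdhe_ecdsa_aes_128_gcm_sha_256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", 1 },
};
#define NSUITES (sizeof suites / sizeof suites[0])
/* Exact-match lookup; NULL if the name is not in the table. */
static struct suite *lookup(const char *s, size_t len)
{
  for(size_t i = 0; i < NSUITES; i++)
    if(strlen(suites[i].name) == len && !strncmp(suites[i].name, s, len))
      return &suites[i];
  return NULL;
}
static void disable_all(void)
{
  for(size_t i = 0; i < NSUITES; i++) suites[i].enabled = 0;
}

/* Enable exactly the listed suites; -1 and the bad name in `bad` on error. */
int set_cipher_list(const char *list, char *bad, size_t badlen)
{
  int n = 0;
  disable_all();                       /* defaults are not inherited */
  for(;;) {
    list += strspn(list, ", \t");      /* skip separators */
    if(!*list) return n;
    size_t len = strcspn(list, ", \t");
    struct suite *s = lookup(list, len);
    if(!s) {                           /* unknown name: fail closed */
      snprintf(bad, badlen, "%.*s", (int)len, list);
      disable_all();
      return -1;
    }
    if(!s->enabled) { s->enabled = 1; n++; }
    list += len;
  }
}

/* IANA name of an enabled suite, or NULL if unknown or disabled. */
const char *enabled_iana(const char *name)
{
  struct suite *s = lookup(name, strlen(name));
  return (s && s->enabled) ? s->iana : NULL;
}
```

Checking the return value before connecting matters in this model because a rejected list leaves every suite disabled rather than falling back to defaults.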