Re: [Mod_nss-list] NSS cipher list in CURLOPT_SSL_CIPHER_LIST
Date: Tue, 17 May 2016 10:10:43 -0400
Kamil Dudka wrote:
> On Tuesday, May 17, 2016 14:45:50 Oliver Graute wrote:
>> I found a mismatch in the documentation of ciphers for curl and
>> modnss. I'm not sure who is wrong here or if it's simply a lack in
>> documentation of ciphersuites. So I cross-post it.
>> I followed the curl doc "CURLOPT_SSL_CIPHER_LIST" explained here
>> and then I followed this hint:
>> For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5',
>> 'rsa_aes_128_sha', etc. With NSS you don't add/remove ciphers. If one uses
>> this option then all known ciphers are disabled and only those passed in
>> are enabled.
>> You'll find more details about the NSS cipher lists on this URL:
>> So if I'm using the ciphers in curl like specified there:
>> so there is no gcm and cbc mentioned here.
>> in curl I got:
>> Unknown cipher in list: ecdhe_ecdsa_aes_128_sha_256
>> with gcm or with cbc in the cipher string it is working fine:
>> But this is nowhere specified.
>> Is this a wrong documentation or is this inaccurate in curl or nss?
> I am not sure how the "cbc" substring disappeared from the cipher string
> that mod_nss uses for TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. It seems to
> be a mistake.
It didn't disappear, it was never there. I guess I didn't maintain the
traditional cipher naming pattern when adding it.
> The best way to avoid troubles like this would be to move the table mapping
> cipher-suite names to the actual cipher-suites to NSS itself. There is an
> upstream bug requesting exactly that:
Right, the bottom line is that there is no universal naming in NSS so
the naming may be slightly different between different implementations.
curl is so close to mod_nss because I used the mod_nss list at the time
to bootstrap the curl list when I added NSS support.
Received on 2016-05-17