As requested here are two captures attached: one successfully handshakes with the server (chrome) and one fails the handshake (firefox).
I would be very grateful if anyone could shed some light on this.
the openssl version which is linked to my server/relay program is 1.0.2s
Thanks
/Patrick
/Patrick
On Mon, 2019-06-10 at 13:41 -0400, Viktor Dukhovni wrote:
>
> > All is well and good when the program works on the linux PC and the
> > handshake is succesful using the 0xc02f cipher. and that is linked to
> > version 3.0.0 of openssl. on the embedded version, (linked with version
> > 1.0.2s) firefox fails the handshake with ssl_no_shared_cipher whereas
> > chrome and safari do successfully handshake chrome client hello contains
> > 12 ciphers and the server hello seems to choose 0xc02f cipher firefox
> > client hello contains only 10 ciphers (including the above mentioned 0xc02f
> > cipher) and fails. any suggestion as to what could causes that failure
> > would be appreciated.
>
> In addition to the cipher algorithm, the two parties must also agree
> on the signature algorithms, supported EC groups, ...
>
> You've not provided much detail about the configuration of the
> embedded (1.0.2s) server. The cipher that works with the other
> browsers is:
>
> 0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
>
> this requires a shared ECDHE curve, are you using "auto", or an
> explicit curve? What are the signature algorithms on your certificate
> chain?
>
> It would also be useful to post PCAP files of a working handshake
> with Chrome, and a failing handshake with Firefox.
Attachment:
chrome_success.pcap
Description: application/vnd.tcpdump.pcap
Attachment:
firefox_fail.pcap
Description: application/vnd.tcpdump.pcap
