curl-library

Re: [Mod_nss-list] NSS cipher list in CURLOPT_SSL_CIPHER_LIST

From: Rob Crittenden <rcritten_at_redhat.com>
Date: Tue, 17 May 2016 10:10:43 -0400

Kamil Dudka wrote:
> On Tuesday, May 17, 2016 14:45:50 Oliver Graute wrote:
>> Hello,
>>
>> I found a mismatch in the documentation of ciphers for curl and
>> mod_nss. I'm not sure who is wrong here or if it's simply a lack of
>> documentation of cipher suites, so I cross-post it.
>>
>> I followed the curl doc "CURLOPT_SSL_CIPHER_LIST" explained here
>> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
>>
>> and then I followed this hint:
>>
>> For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5',
>> 'rsa_aes_128_sha', etc. With NSS you don't add/remove ciphers. If one uses
>> this option then all known ciphers are disabled and only those passed in
>> are enabled.
>>
>> You'll find more details about the NSS cipher lists on this URL:
>>
>> http://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives
>>
>> So if I'm using the ciphers in curl like specified there:
>>
>> <li>ecdhe_ecdsa_aes_128_sha_256</li>
>>
>> so neither gcm nor cbc is mentioned here.
>>
>> In curl I got:
>> Unknown cipher in list: ecdhe_ecdsa_aes_128_sha_256
>>
>> with gcm or with cbc in the cipher string it is working fine:
>>
>> ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_cbc_sha_256
>>
>> But this is nowhere specified.
>>
>> Is this wrong documentation, or is this inaccurate in curl or NSS?
>
> I am not sure how the "cbc" substring disappeared from the cipher string
> that mod_nss uses for TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. It seems to
> be a mistake.

It didn't disappear, it was never there. I guess I didn't maintain the
traditional cipher naming pattern when adding it.

> The best way to avoid troubles like this would be to move the table mapping
> cipher-suite names to the actual cipher-suites to NSS itself. There is an
> upstream bug requesting exactly that:
>
> https://bugzilla.mozilla.org/480174

Right, the bottom line is that there is no universal naming in NSS so
the naming may be slightly different between different implementations.
curl is so close to mod_nss because I used the mod_nss list at the time
to bootstrap the curl list when I added NSS support.

rob
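The behaviour the thread turns on is that curl's NSS backend matches each name in CURLOPT_SSL_CIPHER_LIST against a fixed, implementation-specific alias table, and a single unknown name ("ecdhe_ecdsa_aes_128_sha_256" above) fails the whole list. The following C program is an added illustration of that strict, table-driven selection; it is not code from this thread, from curl or from mod_nss. The alias table holds only the names that appear in the thread, mapped to their IANA suite names, and the accepted separators (comma, colon, space) are an assumption, as is the "enable nothing on error" handling.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed alias table: mod_nss-style names from the thread mapped to the
 * IANA suite names. Illustration only, not curl's or mod_nss's real table. */
struct cipher_alias { const char *name; const char *iana; };
static const struct cipher_alias ALIASES[] = {
    {"rsa_rc4_128_md5",                 "TLS_RSA_WITH_RC4_128_MD5"},
    {"rsa_aes_128_sha",                 "TLS_RSA_WITH_AES_128_CBC_SHA"},
    {"ecdhe_ecdsa_aes_128_gcm_sha_256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"},
    {"ecdhe_ecdsa_aes_128_cbc_sha_256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256"},
};
#define N_ALIASES (sizeof ALIASES / sizeof ALIASES[0])

/* Case-insensitive compare of the first n bytes of a against NUL-terminated b. */
static int name_eq(const char *a, const char *b, size_t n) {
    size_t i;
    for (i = 0; i < n; i++) {
        if (b[i] == '\0' ||
            tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return b[n] == '\0';
}

/* Index of a token in the alias table, or -1 if the name is unknown. */
static int lookup(const char *tok, size_t len) {
    size_t i;
    for (i = 0; i < N_ALIASES; i++)
        if (name_eq(tok, ALIASES[i].name, len))
            return (int)i;
    return -1;
}

/* Apply a cipher list with the semantics the curl docs give for NSS: every
 * suite starts disabled and only the listed names are enabled. On an unknown
 * name nothing is enabled, the offending token is copied into `bad` and -1 is
 * returned; otherwise the number of enabled suites is returned.
 * Assumed separators: comma, colon, space. */
int select_ciphers(const char *list, int enabled[N_ALIASES],
                   char *bad, size_t badlen) {
    int pending[N_ALIASES] = {0};
    int count = 0;
    const char *p = list;

    while (*p) {
        size_t len;
        int idx;
        while (*p == ',' || *p == ':' || *p == ' ')
            p++;
        if (!*p)
            break;
        len = strcspn(p, ",: ");
        idx = lookup(p, len);
        if (idx < 0) {
            size_t n = len < badlen - 1 ? len : badlen - 1;
            memcpy(bad, p, n);
            bad[n] = '\0';
            return -1;                 /* whole list rejected, as in curl */
        }
        if (!pending[idx]) {
            pending[idx] = 1;
            count++;
        }
        p += len;
    }
    memcpy(enabled, pending, sizeof pending);
    return count;
}

static void demo(const char *list) {
    int enabled[N_ALIASES] = {0};
    char bad[64];
    size_t i;
    int n = select_ciphers(list, enabled, bad, sizeof bad);
    if (n < 0) {
        printf("Unknown cipher in list: %s\n", bad);
        return;
    }
    printf("%d suite(s) enabled for \"%s\":\n", n, list);
    for (i = 0; i < N_ALIASES; i++)
        if (enabled[i])
            printf("  %s\n", ALIASES[i].iana);
}

int main(void) {
    /* The two strings from the thread: the first fails, the second works. */
    demo("ecdhe_ecdsa_aes_128_sha_256");
    demo("ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_cbc_sha_256");
    return 0;
}
```

The point the example makes is the one Rob states: the alias spelling is a property of whichever table an implementation ships, not of NSS, so a name copied from mod_nss's documentation is only valid in curl if curl's own table happens to spell it the same way.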
Received on 2016-05-17