Welcome! Log In Create A New Profile

Advanced

Re: No shared cipher

Previous Message Next Message
Forum List Message List New Topic Print View
Maxim Dounin
May 10, 2018 09:10AM
Hello!

On Wed, May 09, 2018 at 02:10:04AM -0400, _gg_ wrote:

> Not sure if it's not more of an openssl/TLS 'issue'/question...
> For some time I've been observing
>
> SSL_do_handshake() failed (SSL: error:1408A0C1:SSL
> routines:ssl3_get_client_hello:no shared cipher) while SSL handshaking
>
> in error.log while having
>
> ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
> ssl_ciphers ALL:!aNULL;
>
> in configuration.
>
> Examining Client Hello packet reveals client supported ciphers:
> Cipher Suites (9 suites)
> Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca8)
> Cipher Suite: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc13)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
> Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
> Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)
> Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
> Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
> Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
>
> I'm running
> nginx version: nginx/1.12.1
> built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
> built with OpenSSL 1.0.2k-fips 26 Jan 2017
> TLS SNI support enabled
>
> According to 'openssl ciphers' the third cipher on the list is supported and
> yet server responds with:
> TLSv1.2 Record Layer: Alert (Level: Fatal, Description: Handshake Failure)
> Content Type: Alert (21)
> Version: TLS 1.2 (0x0303)
> Length: 2
> Alert Message
> Level: Fatal (2)
> Description: Handshake Failure (40)
>
> Either I've messed up my investigation or I'm completely misunderstanding
> something here.
> Why despite having a common cipher with a client server denies to handshake
> a connection?

Whether a cipher suite can be used or not depends on various
factors. In particular:

- list of ciphers the client supports;
- list of ciphers the server supports;
- the certificate used by the server (e.g., you won't be able to
use RSA cipher suites with an ECDSA certificate);
- when using ECDHE ciphers or ECDSA certificates - supported EC curves on both
client and server;

In this particular case the client supports only RSA ciphers, so,
for example, there will be no shared cipher if you are using ECDSA
certificate.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Reply Quote
RSS
Subject Author Posted

No shared cipher

_gg_ May 09, 2018 02:10AM

Re: No shared cipher

Maxim Dounin May 10, 2018 09:10AM

Re: No shared cipher

_gg_ May 11, 2018 02:04AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 219
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready