From oliver.graute at gmail.com Tue May 17 12:45:50 2016
From: oliver.graute at gmail.com (Oliver Graute)
Date: Tue, 17 May 2016 14:45:50 +0200
Subject: [Mod_nss-list] NSS cipher list in CURLOPT_SSL_CIPHER_LIST
Message-ID: <20160517124550.GA27566@graute-opti>
Hello,
I found a mismatch in the documentation of ciphers for curl and
mod_nss. I'm not sure who is wrong here or if it's simply a lack of
documentation of cipher suites. So I am cross-posting it.
I followed the curl doc "CURLOPT_SSL_CIPHER_LIST" explained here
https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
and then I followed this hint:
For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5', 'rsa_aes_128_sha', etc.
With NSS you don't add/remove ciphers. If one uses this option then all known ciphers are
disabled and only those passed in are enabled.
You'll find more details about the NSS cipher lists on this URL:
http://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives
So if I'm using the ciphers in curl as specified there:
ecdhe_ecdsa_aes_128_sha_256
(no gcm or cbc is mentioned there)
in curl I got:
Unknown cipher in list: ecdhe_ecdsa_aes_128_sha_256
with gcm or with cbc in the cipher string it is working fine:
ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_cbc_sha_256
But this is specified nowhere.
Is this a wrong documentation or is this inaccurate in curl or nss?
Best regards,
Oliver
From kdudka at redhat.com Tue May 17 13:15:52 2016
From: kdudka at redhat.com (Kamil Dudka)
Date: Tue, 17 May 2016 15:15:52 +0200
Subject: [Mod_nss-list] NSS cipher list in CURLOPT_SSL_CIPHER_LIST
In-Reply-To: <20160517124550.GA27566@graute-opti>
References: <20160517124550.GA27566@graute-opti>
Message-ID: <4849797.YeA1TY3S8s@kdudka-nb>
On Tuesday, May 17, 2016 14:45:50 Oliver Graute wrote:
> Hello,
>
> I found a mismatch in the documentation of ciphers for curl and
> mod_nss. I'm not sure who is wrong here or if it's simply a lack of
> documentation of cipher suites. So I am cross-posting it.
>
> I followed the curl doc "CURLOPT_SSL_CIPHER_LIST" explained here
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
>
> and then I followed this hint:
>
> For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5',
> 'rsa_aes_128_sha', etc. With NSS you don't add/remove ciphers. If one uses
> this option then all known ciphers are disabled and only those passed in
> are enabled.
>
> You'll find more details about the NSS cipher lists on this URL:
>
> http://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives
>
> So if I'm using the ciphers in curl as specified there:
>
> ecdhe_ecdsa_aes_128_sha_256
>
> (no gcm or cbc is mentioned there)
>
> in curl I got:
> Unknown cipher in list: ecdhe_ecdsa_aes_128_sha_256
>
> with gcm or with cbc in the cipher string it is working fine:
>
> ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_cbc_sha_256
>
> But this is specified nowhere.
>
> Is this a wrong documentation or is this inaccurate in curl or nss?
I am not sure how the "cbc" substring disappeared from the cipher string
that mod_nss uses for TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. It seems to
be a mistake.
The best way to avoid troubles like this would be to move the table mapping
cipher-suite names to the actual cipher-suites to NSS itself. There is an
upstream bug requesting exactly that:
https://bugzilla.mozilla.org/480174
Kamil
> Best regards,
>
> Oliver
> -------------------------------------------------------------------
> List admin: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette: https://curl.haxx.se/mail/etiquette.html
From rcritten at redhat.com Tue May 17 14:10:43 2016
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 17 May 2016 10:10:43 -0400
Subject: [Mod_nss-list] NSS cipher list in CURLOPT_SSL_CIPHER_LIST
In-Reply-To: <4849797.YeA1TY3S8s@kdudka-nb>
References: <20160517124550.GA27566@graute-opti> <4849797.YeA1TY3S8s@kdudka-nb>
Message-ID: <573B2663.3000903@redhat.com>
Kamil Dudka wrote:
> On Tuesday, May 17, 2016 14:45:50 Oliver Graute wrote:
>> Hello,
>>
>> I found a mismatch in the documentation of ciphers for curl and
>> mod_nss. I'm not sure who is wrong here or if it's simply a lack of
>> documentation of cipher suites. So I am cross-posting it.
>>
>> I followed the curl doc "CURLOPT_SSL_CIPHER_LIST" explained here
>> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
>>
>> and then I followed this hint:
>>
>> For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5',
>> 'rsa_aes_128_sha', etc. With NSS you don't add/remove ciphers. If one uses
>> this option then all known ciphers are disabled and only those passed in
>> are enabled.
>>
>> You'll find more details about the NSS cipher lists on this URL:
>>
>> http://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives
>>
>> So if I'm using the ciphers in curl as specified there:
>>
>> ecdhe_ecdsa_aes_128_sha_256
>>
>> (no gcm or cbc is mentioned there)
>>
>> in curl I got:
>> Unknown cipher in list: ecdhe_ecdsa_aes_128_sha_256
>>
>> with gcm or with cbc in the cipher string it is working fine:
>>
>> ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_cbc_sha_256
>>
>> But this is specified nowhere.
>>
>> Is this a wrong documentation or is this inaccurate in curl or nss?
>
> I am not sure how the "cbc" substring disappeared from the cipher string
> that mod_nss uses for TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256. It seems to
> be a mistake.
It didn't disappear, it was never there. I guess I didn't maintain the
traditional cipher naming pattern when adding it.
> The best way to avoid troubles like this would be to move the table mapping
> cipher-suite names to the actual cipher-suites to NSS itself. There is an
> upstream bug requesting exactly that:
>
> https://bugzilla.mozilla.org/480174
Right, the bottom line is that there is no universal naming in NSS so
the naming may be slightly different between different implementations.
curl is so close to mod_nss because I used the mod_nss list at the time
to bootstrap the curl list when I added NSS support.
rob
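The behaviour discussed in this thread (the curl NSS backend first disables every suite, then enables only the names given in CURLOPT_SSL_CIPHER_LIST, and one unknown name rejects the whole list) can be reproduced with the added example below. It is not code from curl, mod_nss or NSS: the table, the function names (set_cipher_list, enabled_count_for, suite_enabled_for, last_error_message) and the tiny name table are assumptions made here to illustrate the mapping problem; only the cipher-suite code points are the real TLS values. It shows why the mod_nss documentation name ecdhe_ecdsa_aes_128_sha_256 fails with "Unknown cipher in list" while the names with an explicit cbc or gcm part succeed, and that after a failure nothing stays enabled.

```c
/* Added example, not curl/mod_nss/NSS code. Models curl's NSS cipher-list
 * semantics: disable all, enable only the listed names, fail on unknown. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

struct cipher_name { const char *name; unsigned short suite; };

/* Assumed subset of the NSS-style names; the code points are the real
 * TLS cipher-suite values. Note the naming asymmetry the thread is about:
 * the SHA-1 suite has no "cbc" part, the SHA-256 CBC suite does. */
static const struct cipher_name cipher_table[] = {
    { "rsa_rc4_128_md5",                 0x0004 }, /* TLS_RSA_WITH_RC4_128_MD5 */
    { "rsa_aes_128_sha",                 0x002F }, /* TLS_RSA_WITH_AES_128_CBC_SHA */
    { "ecdhe_ecdsa_aes_128_sha",         0xC009 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA */
    { "ecdhe_ecdsa_aes_128_cbc_sha_256", 0xC023 }, /* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 */
    { "ecdhe_ecdsa_aes_128_gcm_sha_256", 0xC02B }, /* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 */
};
#define NUM_CIPHERS (sizeof(cipher_table) / sizeof(cipher_table[0]))

static char last_error[160];

const char *last_error_message(void) { return last_error; }

/* enabled[i] != 0 means cipher_table[i] is allowed for the handshake
 * (a stand-in for NSS's SSL_CipherPrefSet calls). Returns 0 on success,
 * -1 with last_error set if any name is unknown; on error every suite
 * is left disabled, as curl does when it fails the option. */
int set_cipher_list(const char *list, unsigned char enabled[NUM_CIPHERS])
{
    size_t i;
    const char *p = list;

    for (i = 0; i < NUM_CIPHERS; i++) enabled[i] = 0;   /* step 1: disable all */
    last_error[0] = '\0';

    while (*p) {                                        /* step 2: enable named */
        const char *end;
        size_t len;
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        if (!*p) break;
        end = p;
        while (*end && *end != ',' && !isspace((unsigned char)*end)) end++;
        len = (size_t)(end - p);
        for (i = 0; i < NUM_CIPHERS; i++)
            if (strlen(cipher_table[i].name) == len &&
                strncmp(cipher_table[i].name, p, len) == 0)
                break;
        if (i == NUM_CIPHERS) {
            snprintf(last_error, sizeof last_error,
                     "Unknown cipher in list: %.*s", (int)len, p);
            for (i = 0; i < NUM_CIPHERS; i++) enabled[i] = 0;
            return -1;
        }
        enabled[i] = 1;
        p = end;
    }
    return 0;
}

/* Number of suites a list leaves enabled, or -1 if the list is rejected. */
int enabled_count_for(const char *list)
{
    unsigned char en[NUM_CIPHERS];
    size_t i;
    int n = 0;
    if (set_cipher_list(list, en) != 0) return -1;
    for (i = 0; i < NUM_CIPHERS; i++) n += en[i];
    return n;
}

/* 1 if the given TLS suite code point ends up enabled for this list. */
int suite_enabled_for(const char *list, unsigned short suite)
{
    unsigned char en[NUM_CIPHERS];
    size_t i;
    if (set_cipher_list(list, en) != 0) return 0;
    for (i = 0; i < NUM_CIPHERS; i++)
        if (cipher_table[i].suite == suite) return en[i];
    return 0;
}

int main(void)
{
    /* Constructed inputs: the mod_nss doc name and the names curl accepts. */
    const char *lists[] = {
        "ecdhe_ecdsa_aes_128_sha_256",
        "ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_cbc_sha_256",
    };
    size_t n;
    for (n = 0; n < 2; n++) {
        int c = enabled_count_for(lists[n]);
        if (c < 0) printf("%s -> %s\n", lists[n], last_error_message());
        else       printf("%s -> %d suite(s) enabled\n", lists[n], c);
    }
    return 0;
}
```

The practical check this suggests: after setting the option, verify which suites are actually enabled rather than trusting the documentation's spelling, because a rejected list does not fall back to the defaults.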