[Mod_nss-list] NSS cipher list in CURLOPT_SSL_CIPHER_LIST

Kamil Dudka kdudka at redhat.com
Tue May 17 13:15:52 UTC 2016


On Tuesday, May 17, 2016 14:45:50 Oliver Graute wrote:
> Hello,
> 
> I found a mismatch in the documentation of ciphers for curl and
> mod_nss.  I'm not sure who is wrong here or if it's simply a lack of
> documentation of the cipher suites, so I am cross-posting it.
> 
> I followed the curl doc "CURLOPT_SSL_CIPHER_LIST" explained here
> https://curl.haxx.se/libcurl/c/CURLOPT_SSL_CIPHER_LIST.html
> 
> and then I followed this hint:
> 
> For NSS, valid examples of cipher lists include 'rsa_rc4_128_md5',
> 'rsa_aes_128_sha', etc. With NSS you don't add/remove ciphers. If one uses
> this option then all known ciphers are disabled and only those passed in
> are enabled.
> 
> You'll find more details about the NSS cipher lists on this URL:
> 
> http://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives
> 
> So if I'm using the ciphers in curl like specified there:
> 
> <li>ecdhe_ecdsa_aes_128_sha_256</li>
> 
> so neither gcm nor cbc is mentioned here.
> 
> in curl I got:
> Unknown cipher in list: ecdhe_ecdsa_aes_128_sha_256
> 
> with gcm or with cbc in the cipher string it is working fine:
> 
> ecdhe_ecdsa_aes_128_gcm_sha_256,ecdhe_ecdsa_aes_128_cbc_sha_256
> 
> But this is specified nowhere.
> 
> Is this a wrong documentation or is this inaccurate in curl or nss?

I am not sure how the "cbc" substring disappeared from the cipher string
that mod_nss uses for TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256.  It seems to
be a mistake.

The best way to avoid troubles like this would be to move the table mapping 
cipher-suite names to the actual cipher-suites to NSS itself.  There is an 
upstream bug requesting exactly that:

https://bugzilla.mozilla.org/480174

Kamil

> Best regards,
> 
> Oliver
> -------------------------------------------------------------------
> List admin: https://cool.haxx.se/list/listinfo/curl-library
> Etiquette:  https://curl.haxx.se/mail/etiquette.html
