JSS TLS Socket Cipher Suite Configuration Issue

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

JSS TLS Socket Cipher Suite Configuration Issue

georgewash87
Hello,

Using NSS 3.19.1-18 & JSS 4.2.6-37 on RHEL7.
When using Mozilla JSS to create a client socket to a TLS server, I've
configured the socket to only use TLS_RSA_WITH_AES_256_CBC_SHA and
TLS_RSA_WITH_AES_128_CBC_SHA.
If I TCP dump the TLS Handshakes in the connection and inspect the cipher
suites presented in the TLS Client Hello, I see that my TLS client is
unconditionally asserting TLS_ECDHE_WITH_AES_256_GCM_SHA384 along with
various flavors of TLS_RSA_WITH_AES_256_X_SHA and
TLS_RSA_WITH_AES_128_X_SHA. Where is the TLS_ECDHE_WITH_AES_256_GCM_SHA384
coming from?

Has anyone seen this behavior before?

Thanks
GW
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto
Reply | Threaded
Open this post in threaded view
|

Re: JSS TLS Socket Cipher Suite Configuration Issue

Martin Thomson
Are you certain that you configured the socket?  If you can run the
debugger, you should be able to drop a breakpoint in
ssl3_SendClientHello and examine ss->cipherSuites.  If that shows more
than two entries with the enabled field equal to 1, you probably
didn't correctly configure the socket.

On Tue, Jan 17, 2017 at 2:22 PM, George Wash <[hidden email]> wrote:

> Hello,
>
> Using NSS 3.19.1-18 & JSS 4.2.6-37 on RHEL7.
> When using Mozilla JSS to create a client socket to a TLS server, I've
> configured the socket to only use TLS_RSA_WITH_AES_256_CBC_SHA and
> TLS_RSA_WITH_AES_128_CBC_SHA.
> If I TCP dump the TLS Handshakes in the connection and inspect the cipher
> suites presented in the TLS Client Hello, I see that my TLS client is
> unconditionally asserting TLS_ECDHE_WITH_AES_256_GCM_SHA384 along with
> various flavors of TLS_RSA_WITH_AES_256_X_SHA and
> TLS_RSA_WITH_AES_128_X_SHA. Where is the TLS_ECDHE_WITH_AES_256_GCM_SHA384
> coming from?
>
> Has anyone seen this behavior before?
>
> Thanks
> GW
> --
> dev-tech-crypto mailing list
> [hidden email]
> https://lists.mozilla.org/listinfo/dev-tech-crypto
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto