I'm using stunnel 4.56 on Windows 7. When I use the following cipher list:
ciphers = ECDHE-ECDSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-ECDSA-AES128-SHA
to establish a connection, I get a "no shared cipher" response.
The following set of ciphers does work:
ciphers = ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA
Other relevant settings:
options = NO_SSLv2
sslVersion = all
fips = no
verify = 2
If I take out the first ECDHE-RSA-AES256-SHA cipher from the list, the ECDHE-RSA-AES128-SHA cipher is selected.
What am I doing wrong?
Thanks.
2013/8/7 Carter Browne brownec@attglobal.net:
I'm using stunnel 4.56 on Windows 7. When I use the following cipher list:
ciphers = ECDHE-ECDSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-ECDSA-AES128-SHA
to establish a connection, I get a "no shared cipher" response.
The following set of ciphers does work:
ciphers = ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA
Other relevant settings:
options = NO_SSLv2
sslVersion = all
fips = no
verify = 2
If I take out the first ECDHE-RSA-AES256-SHA cipher from the list, the ECDHE-RSA-AES128-SHA cipher is selected.
What am I doing wrong?
To be able to use any of the ECDSA cipher suites you obviously must have an ECDSA certificate. If you have only an RSA certificate you cannot use any ECDSA cipher suites. As far as I know no CA will sell you an ECDSA certificate currently. Unless you run your own CA you must use RSA to achieve any compatibility.
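
The behaviour reported in this thread can be reproduced with a small model of the certificate requirements in RFC 4492. This is an added example, not part of the original messages and not stunnel or OpenSSL code. The function names and the `(key_type, signed_with)` certificate description are hypothetical, and it assumes the peer accepts every suite in the list and that selection follows list order.

```python
# Added example: which suites from the thread a given server certificate can back.
# Rules follow RFC 4492 (ECC suites for TLS); only ECDHE-*/ECDH-* names are modelled.

# The two cipher lists quoted in the thread.
FAILING = ("ECDHE-ECDSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:"
           "ECDHE-ECDSA-AES128-SHA:ECDH-ECDSA-AES128-SHA")
WORKING = ("ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDH-RSA-AES256-SHA:"
           "ECDH-ECDSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
           "ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA")


def cert_can_back(suite, key_type, signed_with):
    """True if a certificate with this key type ('RSA' or 'EC') and issuer
    signature algorithm ('RSA' or 'ECDSA') can authenticate `suite`."""
    kx, auth = suite.split("-")[:2]
    if kx == "ECDHE":
        # Ephemeral key exchange: the certificate key signs the handshake,
        # so the key type must match the auth field of the suite name.
        return key_type == {"RSA": "RSA", "ECDSA": "EC"}.get(auth)
    if kx == "ECDH":
        # Fixed ECDH: the certificate itself holds the EC key-agreement key,
        # and the second field names the algorithm the issuer signed it with.
        return key_type == "EC" and signed_with == auth
    raise ValueError("suite not modelled: " + suite)


def negotiate(cipher_list, key_type, signed_with):
    """First usable suite in list order, or None ('no shared cipher').
    Assumes the peer accepts every suite in the list."""
    for suite in cipher_list.split(":"):
        if cert_can_back(suite, key_type, signed_with):
            return suite
    return None


if __name__ == "__main__":
    rsa_cert = ("RSA", "RSA")  # constructed: RSA key, RSA-signed certificate
    print(negotiate(FAILING, *rsa_cert))                    # ECDSA-only list
    print(negotiate(WORKING, *rsa_cert))                    # full list
    print(negotiate(WORKING.split(":", 1)[1], *rsa_cert))   # first suite removed
    print(negotiate(FAILING, "EC", "ECDSA"))                # constructed EC cert
```

With an RSA certificate only the ECDHE-RSA entries are usable, which is why removing the first suite skips three entries and lands on ECDHE-RSA-AES128-SHA.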