Suresh Kumar J wrote, On 2008-09-02 10:55: > Hi Nelson, > > You are correct that Apache Tomcat web-server(v6.0.13) choked with the > full set of cipher suites implemented in the Windows FF3.0.1. When I > disable the following cipher suites via the "about:config" option, the > web communication started working and the server didn't complain anything. > security.ssl3.dhe_dss_camellia_128_sha > security.ssl3.dhe_dss_camellia_256_sha > security.ssl3.dhe_rsa_camellia_128_sha > security.ssl3.dhe_rsa_camellia_256_sha > security.ssl3.rsa_camellia_128_sha > security.ssl3.rsa_camellia_256_sha > > Thanks for pointing me to the right direction.
You're welcome. That's definitely a server bug. A server is supposed to completely IGNORE any unrecognized cipher suites, not balk at them. Likewise for any unrecognized client hello extensions. > But I still have the question on why FF3.0.1 uses SSLv2 record layer > protocol for handshake communication even when SSLv2 is disabled in the > browser settings. As I wrote before, the browser first contacts your server attempting to negotiate TLS using TLS record layer. When that fails, it records that the server is not TLS capable, and reverts to SSL 3.0 messages with the client hello (only) encapsulated in SSLv2. The reason for that is that until a few years ago, all browsers sent SSL 3.0 hellos in SSL2 format, and most of the servers that are not tolerant of TLS client hellos were written in that era. So, for maximum compatibility with servers from that era, it reverts to behavior that is as close to the past behavior as possible. _______________________________________________ dev-tech-crypto mailing list [email protected] https://lists.mozilla.org/listinfo/dev-tech-crypto
