On Fri, Dec 18, 2009 at 6:33 AM, Abhishek Rahirikar
<abhishek.rahiri...@gmail.com> wrote:
> Hi,
>
> I am a new user of NSS.
>
> I am testing a tool that checks if any weak ciphers are supported by the web
> application server. The tool is based on NSS.
> The tool reports some ciphers that are supported. It uses SSL_ForceHandshake
> function to detect if the handshake is possible or not. SSL_ForceHandshake
> function returns SECSuccess and I can get the certificate later.
> When cross-checked using OpenSSL for the same ciphers I get the following error:
>
> C:\OpenSSL\bin>openssl s_client -host host_name.com -port 443 -ssl3 -cipher
> EXP-ADH-DES-CBC-SHA
> Loading 'screen' into random state - done
> CONNECTED(0000077C)
> 4648:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake
> failure:.\ssl\s3_pkt.c:1061:SSL alert number 40
> 4648:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake
> failure:.\ssl\s3_pkt.c:530:

NSS doesn't support the EXP-ADH-DES-CBC-SHA cipher suite.
The full name of that cipher suite is
SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA.

NSS doesn't support any of the anonymous Diffie-Hellman
cipher suites.  The cipher suites supported by NSS are
listed in
http://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html
and in the source file sslenum.c:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/sslenum.c&mark=58-147&rev=1.16#47

Wan-Teh
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
