Hi, Thank you for the quick reply. Please see my comments below.
"Wan-Teh Chang" <w...@google.com> wrote in message news:mailman.544.1261148552.4112.dev-tech-cry...@lists.mozilla.org...
> On Fri, Dec 18, 2009 at 6:33 AM, Abhishek Rahirikar
> <abhishek.rahiri...@gmail.com> wrote:
>> Hi,
>>
>> I am a new user of NSS.
>>
>> I am testing a tool that checks if any weak ciphers are supported by the
>> web application server. The tool is based on NSS.
>> The tool reports some ciphers that are supported. It uses the
>> SSL_ForceHandshake function to detect if the handshake is possible or not.
>> The SSL_ForceHandshake function returns SECSuccess and I can get the
>> certificate later.
>> When cross-checked using OpenSSL for the same ciphers I get the following
>> error:
>>
>> C:\OpenSSL\bin>openssl s_client -host host_name.com -port 443 -ssl3 -cipher EXP-ADH-DES-CBC-SHA
>> Loading 'screen' into random state - done
>> CONNECTED(0000077C)
>> 4648:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:.\ssl\s3_pkt.c:1061:SSL alert number 40
>> 4648:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:.\ssl\s3_pkt.c:530:
>
> NSS doesn't support the EXP-ADH-DES-CBC-SHA cipher suite.
> The full name of that cipher suite is
> SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA.

Yes, the tool is using the same name, "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA".

> NSS doesn't support any of the anonymous Diffie-Hellman
> cipher suites. The cipher suites supported by NSS are
> listed in
> http://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html
> and in the source file sslenum.c:
> http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/sslenum.c&mark=58-147&rev=1.16#47
>
> Wan-Teh

OK, but the tool is able to get all the information using the cipher. It is able to get the certificate and check the expiry, host of the certificate, etc. Do you know what NSS does if the cipher requested for the handshake is not supported? Is it expected to get the certificate if the cipher is not supported?

Thank you.

Regards,
Abhishek