We have to be a little limited with out cipher selection for various reasons, and one of the ciphers we can't use is AES256-GCM-SHA384.
We can prove that that cipher is available with this command:
$ openssl s_client -cipher AES256-GCM-SHA384 -connect hostname:443
...which works fine on Centos 6.6, OpenSSL 1.0.1e-fips 11 Feb 2013. It connects and displays:
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
It doesn't work from my Mac (OpenSSL 0.9.8zd 8 Jan 2015) or from the server itself (OpenSSL 1.0.1m 19 Mar 2015 (Library: OpenSSL 1.0.0d 8 Feb 2011)), in both cases returning a message like:
38200:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher
match:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/ssl/ssl_lib.c:1223
That the connection from Centos works is confusing to me, because running this on the (Solaris) server:
$ openssl ciphers | sed "s/:/\\n/g" | grep -i gcm
...produces an empty list, as though GCM ciphers don't exist. The same command on the Centos install lists a handful of selections.
The Apache instance is using the copy of OpenSSL that I'm looking at and not some other random one.
I suspect that I'm missing a key point. Does anyone have an idea of what might be going on?
No comments:
Post a Comment