Posted to dev@thrift.apache.org by Hari venkata ramana <ha...@gmail.com> on 2023/03/17 14:45:10 UTC

Query on cipher setting on thrift sockets TSSLSocketFactory

Hi

We are running a thrift server TThreadPoolServer and we have a problem when
we set the strong ciphers to TSSLSocketFactory.

When we set the following to TSSLSocketFactory::ciphers(string ciphers)

ciphers =
kEECDH:kEDH:kRSA:!kPSK:!aPSK:!aDSS:!aNULL:!NULL:!SEED:!3DES:!MD5:!RC4:!CAMELLIA:!SSLv3

we could see that openssl clients always use one of the following ciphers to
negotiate with the server:

AES128-SHA256 AES128-GCM-SHA256 AES256-SHA256

When we set the following:

cipher = ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384

and use openssl client, the handshake fails with alert and reason 40

We understand that choice of selection of cipher by the server depends on
the key exchange algorithm defined in the SSL certificates installed on the
server. Our server has certificates using RSA and so we expect that in the
second case above the server should finish the handshake with cipher
ECDHE-RSA-AES256-SHA384. However, we don't see this happening.

Questions:

1.      We are using thrift 0.14.0. Any known limitation with this version
of thrift?

2.      Does thrift support Diffie Hellman ciphers for TLS?

3.      How do we debug more on why the handshake is failing?



Any pointers here would be helpful.

We want to set strong ciphers like ECDHE-RSA-AES256-SHA384 to the SSL
interface on server and have the openssl clients connect with that cipher
and a successful handshake with our server.



Thanks

Hari
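The cipher selection the post describes, as an added example that is not part of the original message: it lets OpenSSL expand the two server cipher strings from the post (the client list is constructed from the three suites the post says clients negotiate), then models the ServerHello choice. An empty overlap is the situation that produces the handshake_failure alert (number 40) seen in the second case, and the helper at the end shows why an ECDHE-only list leaves the server no kRSA fallback.

```python
"""Expand OpenSSL cipher strings as TSSLSocketFactory::ciphers() hands them
to OpenSSL, and model which suite a server can agree on with a client."""
import ssl

# Cipher strings quoted in the post; the client list is constructed from the
# three suites the post says openssl clients ended up negotiating.
SERVER_BROAD = ("kEECDH:kEDH:kRSA:!kPSK:!aPSK:!aDSS:!aNULL:!NULL:!SEED:!3DES:"
                "!MD5:!RC4:!CAMELLIA:!SSLv3")
SERVER_ECDHE_ONLY = "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384"
CLIENT_RSA_KX_ONLY = "AES128-SHA256:AES128-GCM-SHA256:AES256-SHA256"


def expand(cipher_string):
    """Return the suites OpenSSL selects for a cipher string, in server
    preference order, as {name: (key exchange, authentication)}.
    TLS 1.3 suites are configured separately from set_ciphers(), so they
    are dropped to keep the model to what the cipher string controls."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    out = {}
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue
        # description looks like "NAME TLSv1.2 Kx=ECDH Au=RSA Enc=... Mac=..."
        fields = dict(tok.split("=", 1) for tok in c["description"].split()
                      if "=" in tok)
        out[c["name"]] = (fields["Kx"], fields["Au"])
    return out


def server_choice(server_string, client_string):
    """Model the ServerHello: first suite in the server's order that the
    client also offered. None means no common suite, which is what makes
    the server send a handshake_failure alert (alert number 40)."""
    client = expand(client_string)
    for name in expand(server_string):
        if name in client:
            return name
    return None


def ecdhe_only(server_string):
    """True when every suite the server may pick uses an ECDH key exchange:
    a client that only offers RSA key exchange (the post's first case) can
    then never be served, and the server itself must be able to perform
    the ECDHE exchange for the handshake to complete."""
    return all(kx == "ECDH" for kx, _au in expand(server_string).values())
```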