From:  George Wash <georgewash87@gmail.com>
Date:  17 Jan 2017 09:22:19 Hong Kong Time
Newsgroup:  news.mozilla.org/mozilla.dev.tech.crypto
Subject:  

JSS TLS Socket Cipher Suite Configuration Issue

NNTP-Posting-Host:  63.245.214.181

Hello,

Using NSS 3.19.1-18 & JSS 4.2.6-37 on RHEL7.
When using Mozilla JSS to create a client socket to a TLS server, I've
configured the socket to only use TLS_RSA_WITH_AES_256_CBC_SHA and
TLS_RSA_WITH_AES_128_CBC_SHA.
If I TCP dump the TLS Handshakes in the connection and inspect the cipher
suites presented in the TLS Client Hello, I see that my TLS client is
unconditionally asserting TLS_ECDHE_WITH_AES_256_GCM_SHA384 along with
various flavors of TLS_RSA_WITH_AES_256_X_SHA and
TLS_RSA_WITH_AES_128_X_SHA. Where is the TLS_ECDHE_WITH_AES_256_GCM_SHA384
coming from?

Has anyone seen this behavior before?

Thanks
GW