On Fri, Nov 14, 2014 at 10:04:16AM +0100, Renaud Allard wrote:
> Hello,
> 
> On 11/14/2014 09:04 AM, Renaud Allard wrote:
> >Hello,
> >
> >I am trying this on 5.6-stable.
> >Is there a way to list all POLY1305/CHACHA20 based ciphers which are
> >enabled?
> >
> >For example, if I try with RSA:
> ># openssl ciphers RSA
> >AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:IDEA-CBC-SHA:RC4-SHA:RC4-MD5:DES-CBC3-SHA:DES-CBC-SHA:NULL-SHA256:NULL-SHA:NULL-MD5
> >
> >
> >But with the others:
> ># openssl ciphers POLY1305
> >Error in cipher list
> >1082963419196:error:1410D0B9:SSL
> >routines:SSL_CTX_set_cipher_list:no cipher
> >match:/usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:1312:
> ># openssl ciphers CHACHA20
> >Error in cipher list
> >32850802282556:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
> >cipher match:/usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_lib.c:1312:
> >
> >However, trying something like this works:
> ># openssl ciphers  ECDHE-ECDSA-CHACHA20-POLY1305
> >ECDHE-ECDSA-CHACHA20-POLY1305
> >
> >The idea is to be able to enable them in configuration files of services
> >without having to list them all by hand (which might change).
> >
> >Thanks
> >
> >
> 
> Replying to my own mail...
> 
> Here is a patch:
> --- lib/libssl/src/ssl/ssl_ciph.c.old   Fri Nov 14 09:30:56 2014
> +++ lib/libssl/src/ssl/ssl_ciph.c       Fri Nov 14 09:49:47 2014
> @@ -433,6 +433,10 @@
>                 .name = SSL_TXT_CAMELLIA,
>                 .algorithm_enc = SSL_CAMELLIA128|SSL_CAMELLIA256,
>         },
> +       {
> +               .name = SSL_TXT_CHACHA20,
> +               .algorithm_enc = SSL_CHACHA20POLY1305,
> +       },
> 
>         /* MAC aliases */
>         {
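Review bot: the new alias entry registers only SSL_TXT_CHACHA20, so the POLY1305 keyword from the original question still has no entry and would keep producing "no cipher match"; the submission should say whether CHACHA20 is meant to be the only keyword. The entry also relies on SSL_TXT_CHACHA20 being defined, and this diff touches only ssl_ciph.c, so the definition needs to be included if it does not already exist, along with a mention of the new keyword in the ciphers documentation.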
> 
> 
> Now openssl ciphers CHACHA20 works as intended
> # openssl ciphers CHACHA20
> ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305

This is already present in rev 1.68/-current
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/ssl/ssl_ciph.c.diff?r2=1.68&r1=1.67&f=u
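
A simplified model of the keyword lookup discussed in this thread, as an added example that is not part of the original messages and is not libssl code. It shows why a full suite name resolves while a keyword without an alias entry yields an empty list. The struct, the bit values, the `resolve` function and the sample suite table are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bit values for this model; the real masks are defined in libssl. */
#define ENC_CAMELLIA 0x1UL
#define ENC_CHACHA20 0x2UL
struct entry { const char *name; unsigned long enc; };

/* Constructed sample of concrete cipher suites. */
static const struct entry suites[] = {
    { "CAMELLIA256-SHA",               ENC_CAMELLIA },
    { "ECDHE-ECDSA-CHACHA20-POLY1305", ENC_CHACHA20 },
    { "ECDHE-RSA-CHACHA20-POLY1305",   ENC_CHACHA20 },
    { "DHE-RSA-CHACHA20-POLY1305",     ENC_CHACHA20 },
};
#define NSUITES (sizeof(suites) / sizeof(suites[0]))

/* Keyword aliases, modelled before and after the patch in the thread. */
static const struct entry aliases_old[] = { { "CAMELLIA", ENC_CAMELLIA } };
static const struct entry aliases_new[] = { { "CAMELLIA", ENC_CAMELLIA }, { "CHACHA20", ENC_CHACHA20 } };

/* Resolve one keyword: an exact suite name selects that suite, an alias selects
 * every suite whose enc bits intersect its mask. Returns the number of suites
 * written to out (colon-separated); 0 models the "no cipher match" case. */
static int resolve(const char *kw, const struct entry *al, size_t nal, char *out, size_t outlen)
{
    unsigned long mask = 0;
    size_t i;
    int n = 0;

    out[0] = '\0';
    for (i = 0; i < nal; i++)
        if (strcmp(kw, al[i].name) == 0)
            mask = al[i].enc;
    for (i = 0; i < NSUITES; i++) {
        if (strcmp(kw, suites[i].name) != 0 && !(suites[i].enc & mask))
            continue;
        if (n++ > 0)
            strncat(out, ":", outlen - strlen(out) - 1);
        strncat(out, suites[i].name, outlen - strlen(out) - 1);
    }
    return n;
}

int main(void)
{
    char buf[256];
    printf("without alias: %d\n", resolve("CHACHA20", aliases_old, 1, buf, sizeof(buf)));
    printf("with alias: %d %s\n", resolve("CHACHA20", aliases_new, 2, buf, sizeof(buf)), buf);
    return 0;
}
```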
