It seems that it misleads the Qualys scanner and may cause some problems
with the BEAST vulnerability. With the following ciphers enabled (in order
of preference):
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
TLS_RSA_WITH_RC4_128_SHA (0x5)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)
the server responds with TLS_RSA_WITH_AES_256_CBC_SHA when using TLS
1.0. I think that the server should respond with
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) when using TLS 1.0. I guess
the configuration of ciphers in s3_lib.c is the main reason for this
behavior. See the full discussion at
https://community.qualys.com/thread/9340.

Adrian

2012/3/2 Dr. Stephen Henson <st...@openssl.org>:
> On Thu, Mar 01, 2012, Adrian Kotelba wrote:
>
>> In s3_lib.c ciphers 0x3B to 0x40 and 0x67 to 0x6D with SHA256 are set
>> as SSL_TLSV1. Should it be SSL_TLSV1_2?
>>
>
> Well, I've seen implementations use them in TLS 1.0 and 1.1 and it seemed
> harmless to keep that. Anything not supporting them won't use them.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
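The selection logic the two messages disagree about, modelled as an added example in C (not OpenSSL's code, and not taken from s3_lib.c). It walks the scanner's ClientHello list in the scanner's order and returns the first suite the negotiated protocol version permits, with the minimum version for the SHA-256 RSA suites (0x3C, 0x3D, the family Adrian asks about) passed in as a parameter so the SSL_TLSV1 and SSL_TLSV1_2 readings can be compared side by side. Assumptions of the example: the server honours the client's order and enables every suite in the list; GCM suites are TLS 1.2-only (RFC 5288); the ECDHE SHA-256/SHA-384 CBC suites are treated as TLS 1.2-only (RFC 5289), since the page does not say how s3_lib.c tags them. It does not reproduce the 0x35 that the real server returned, because that server's own cipher configuration is not given in the thread.

```c
/* Model of cipher-suite selection with per-suite minimum protocol versions.
 * Added illustration, not OpenSSL code. The table is the scanner's list from
 * the thread; the ECDHE SHA-256/384 CBC tagging is an assumption (see lead-in). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS1_0_VERSION 0x0301
#define TLS1_2_VERSION 0x0303

typedef struct {
    uint16_t    id;
    const char *name;
    int         min_version;    /* lowest version the suite may be used with */
    int         debated_sha256; /* 1 for the 0x3B-0x40 / 0x67-0x6D RSA+SHA256 family */
} cipher_t;

static const cipher_t suites[] = {
    { 0xc030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", TLS1_2_VERSION, 0 },
    { 0x009d, "TLS_RSA_WITH_AES_256_GCM_SHA384",       TLS1_2_VERSION, 0 },
    { 0xc028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", TLS1_2_VERSION, 0 }, /* assumed */
    { 0x003d, "TLS_RSA_WITH_AES_256_CBC_SHA256",       TLS1_0_VERSION, 1 },
    { 0xc02f, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", TLS1_2_VERSION, 0 },
    { 0x009c, "TLS_RSA_WITH_AES_128_GCM_SHA256",       TLS1_2_VERSION, 0 },
    { 0xc027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", TLS1_2_VERSION, 0 }, /* assumed */
    { 0x003c, "TLS_RSA_WITH_AES_128_CBC_SHA256",       TLS1_0_VERSION, 1 },
    { 0xc011, "TLS_ECDHE_RSA_WITH_RC4_128_SHA",        TLS1_0_VERSION, 0 },
    { 0x0005, "TLS_RSA_WITH_RC4_128_SHA",              TLS1_0_VERSION, 0 },
    { 0xc014, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",    TLS1_0_VERSION, 0 },
    { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA",          TLS1_0_VERSION, 0 },
    { 0x0084, "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",     TLS1_0_VERSION, 0 },
    { 0xc012, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",   TLS1_0_VERSION, 0 },
    { 0x000a, "TLS_RSA_WITH_3DES_EDE_CBC_SHA",         TLS1_0_VERSION, 0 },
    { 0xc013, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",    TLS1_0_VERSION, 0 },
    { 0x002f, "TLS_RSA_WITH_AES_128_CBC_SHA",          TLS1_0_VERSION, 0 },
    { 0x0041, "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",     TLS1_0_VERSION, 0 },
};
#define NSUITES (sizeof(suites) / sizeof(suites[0]))

/* Look a suite up by wire id; NULL if the server does not enable it. */
static const cipher_t *lookup(uint16_t id)
{
    for (size_t i = 0; i < NSUITES; i++)
        if (suites[i].id == id)
            return &suites[i];
    return NULL;
}

/* Return the first offered suite the server knows and `version` permits.
 * sha256_min_version is applied to the debated family: TLS1_0_VERSION models
 * the SSL_TLSV1 tagging, TLS1_2_VERSION models SSL_TLSV1_2. NULL if none fits. */
const cipher_t *choose_cipher(const uint16_t *offered, size_t n,
                              int version, int sha256_min_version)
{
    for (size_t i = 0; i < n; i++) {
        const cipher_t *c = lookup(offered[i]);
        if (c == NULL)
            continue;
        int min = c->debated_sha256 ? sha256_min_version : c->min_version;
        if (version >= min)
            return c;
    }
    return NULL;
}

/* The scanner's ClientHello order, constructed from the list in the thread. */
const uint16_t scanner_hello[] = {
    0xc030, 0x009d, 0xc028, 0x003d, 0xc02f, 0x009c, 0xc027, 0x003c, 0xc011,
    0x0005, 0xc014, 0x0035, 0x0084, 0xc012, 0x000a, 0xc013, 0x002f, 0x0041,
};
const size_t scanner_hello_len = sizeof(scanner_hello) / sizeof(scanner_hello[0]);

int main(void)
{
    const int cases[3][2] = {
        { TLS1_0_VERSION, TLS1_0_VERSION }, /* TLS 1.0 client, family tagged SSL_TLSV1   */
        { TLS1_0_VERSION, TLS1_2_VERSION }, /* TLS 1.0 client, family tagged SSL_TLSV1_2 */
        { TLS1_2_VERSION, TLS1_2_VERSION }, /* TLS 1.2 client: a GCM suite wins anyway   */
    };
    for (size_t i = 0; i < 3; i++) {
        const cipher_t *c = choose_cipher(scanner_hello, scanner_hello_len,
                                          cases[i][0], cases[i][1]);
        printf("version 0x%04x, sha256 min 0x%04x -> %s (0x%04x)\n",
               cases[i][0], cases[i][1], c ? c->name : "none", c ? c->id : 0);
    }
    return 0;
}
```

With the family tagged as usable from TLS 1.0, a TLS 1.0 handshake lands on TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d), a CBC suite; with the family restricted to TLS 1.2, the walk falls through to TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011), which is the outcome Adrian expected. The version check is the only thing that changes between the two runs, which is why the tagging in s3_lib.c decides what a TLS 1.0 client gets.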