On Fri, Mar 02, 2012, Adrian Kotelba wrote:

> It seems that it misleads Qualys scanner and may cause some problems
> with BEAST vulnerability. With the following ciphers enabled (in order
> of preference)
> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
> TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
> TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
> TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
> TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
> TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
> TLS_RSA_WITH_RC4_128_SHA (0x5)
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)
> the server responds with TLS_RSA_WITH_AES_256_CBC_SHA when using TLS
> 1.0. I think that the server should respond with
> TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) when using TLS 1.0. I guess,
> the configuration of ciphers in s3_lib.c is the main reason for this
> behavior. Check full discussion on
> https://community.qualys.com/thread/9340.
>

I can't see why the server responds with the AES cipher instead of the RC4 one
with that configuration. Can you reproduce this behaviour using s_server and
s_client?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
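
An added example, not part of the original thread or of OpenSSL's code: a small model of how a server would pick a suite from the list quoted above, first by server order and then by client order. The client offer, the helper names `usable` and `select`, and the two selection modes are assumptions made for illustration.

```python
# Added illustration. Suites with GCM or a SHA-256/SHA-384 MAC are defined
# for TLS 1.2 only (RFC 5246, 5288, 5289), so a TLS 1.0 handshake must skip them.
SERVER_PREFERENCE = [  # (name, id) in the order given in the report
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xC030),
    ("TLS_RSA_WITH_AES_256_GCM_SHA384", 0x9D),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0xC028),
    ("TLS_RSA_WITH_AES_256_CBC_SHA256", 0x3D),
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC02F),
    ("TLS_RSA_WITH_AES_128_GCM_SHA256", 0x9C),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 0xC027),
    ("TLS_RSA_WITH_AES_128_CBC_SHA256", 0x3C),
    ("TLS_ECDHE_RSA_WITH_RC4_128_SHA", 0xC011),
    ("TLS_RSA_WITH_RC4_128_SHA", 0x05),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 0xC014),
    ("TLS_RSA_WITH_AES_256_CBC_SHA", 0x35),
    ("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x84),
    ("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", 0xC012),
    ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0A),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0xC013),
    ("TLS_RSA_WITH_AES_128_CBC_SHA", 0x2F),
    ("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x41),
]
NAMES = {cid: name for name, cid in SERVER_PREFERENCE}

# Constructed client offer (assumption): AES256-SHA listed ahead of ECDHE-RC4.
CLIENT_OFFER = [0x35, 0xC011, 0x2F, 0x05, 0x0A]

def usable(name, version):
    """True if the suite can be negotiated at `version`, e.g. (1, 0) for TLS 1.0."""
    tls12_only = name.endswith(("_SHA256", "_SHA384"))
    return version >= (1, 2) or not tls12_only

def select(client_offer, version, server_preference=True):
    """Return the suite id chosen, or None when nothing overlaps."""
    server_ids = [cid for name, cid in SERVER_PREFERENCE if usable(name, version)]
    if server_preference:   # walk the server's list, take the first the client offers
        ordered, other = server_ids, set(client_offer)
    else:                   # walk the client's list, take the first the server allows
        ordered, other = client_offer, set(server_ids)
    return next((cid for cid in ordered if cid in other), None)

if __name__ == "__main__":
    for pref in (True, False):
        cid = select(CLIENT_OFFER, (1, 0), server_preference=pref)
        print(f"TLS 1.0, server_preference={pref}: {NAMES[cid]} ({cid:#x})")
```

With this offer the two modes give different answers at TLS 1.0, so when reproducing with s_server and s_client it is worth recording which ordering the server is set to honour.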