Well, it seems that I am not able to reproduce this behavior using
s_client. Apparently, the server picks the correct cipher, RC4. Part
of the connection log below:
---
No client certificate CA names sent
---
SSL handshake has read 4538 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-RC4-SHA

It could be a problem with the Qualys scanner or something else.

Adrian

2012/3/2 Dr. Stephen Henson <st...@openssl.org>:
> On Fri, Mar 02, 2012, Adrian Kotelba wrote:
>
>> It seems that it misleads the Qualys scanner and may cause some problems
>> with the BEAST vulnerability. With the following ciphers enabled (in order
>> of preference)
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>> TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
>> TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>> TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>> TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
>> TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
>> TLS_RSA_WITH_RC4_128_SHA (0x5)
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
>> TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
>> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
>> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
>> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
>> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)
>> the server responds with TLS_RSA_WITH_AES_256_CBC_SHA when using TLS
>> 1.0. I think that the server should respond with
>> TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) when using TLS 1.0. I guess the
>> configuration of ciphers in s3_lib.c is the main reason for this
>> behavior. Check the full discussion on
>> https://community.qualys.com/thread/9340.
>>
>
> I can't see why the server responds with the AES cipher instead of the RC4 one
> with that configuration. Can you reproduce this behaviour using s_server and
> s_client?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
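The question in this thread is what a server that honours its own cipher preference should pick from the list above once the handshake is pinned to TLS 1.0. The script below is an added illustration, not OpenSSL's s3_lib.c and not code from either poster: it models server-preference selection with two assumed rules (HMAC-SHA256/SHA384 and AES-GCM suites exist only from TLS 1.2, and ECDHE suites need a client that supports ECC, which the model reduces to a single flag rather than inspecting the supported-curves extension), then checks the SSL-Session block that s_client prints against that model. Under those rules the first usable entry at TLS 1.0 is 0xc011, and 0x35 can only win if the client did not offer, or could not run, the RC4 and ECDHE suites ahead of it. The OpenSSL-to-IANA name map is partial and covers only the names needed here; the second transcript is constructed to mirror the symptom Qualys reported.

```python
"""Model of server-preference cipher selection for the list quoted in this
thread.  Added illustration, NOT OpenSSL's s3_lib.c: the version and ECC
rules below are assumptions, written down so a transcript can be checked."""
import re
from dataclasses import dataclass

# Protocol versions as (major, minor) record-layer numbers.
TLS1_0, TLS1_1, TLS1_2 = (3, 1), (3, 2), (3, 3)
VERSION_NAMES = {"TLSv1": TLS1_0, "TLSv1.1": TLS1_1, "TLSv1.2": TLS1_2}


@dataclass(frozen=True)
class Suite:
    name: str            # IANA name
    code: int            # IANA code point
    min_version: tuple   # lowest protocol version that can carry this suite
    needs_ecdhe: bool    # client must support ECC key exchange (RFC 4492)


def _suite(name, code):
    # HMAC-SHA256/SHA384 and AES-GCM suites are defined for TLS 1.2 only
    # (RFC 5246, RFC 5288, RFC 5289); the others go back to TLS 1.0.
    tls12_only = name.endswith(("SHA256", "SHA384"))
    return Suite(name, code, TLS1_2 if tls12_only else TLS1_0,
                 name.startswith("TLS_ECDHE_"))


# Server preference order exactly as listed in the thread.
SERVER_PREFERENCE = [_suite(n, c) for n, c in [
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xc030),
    ("TLS_RSA_WITH_AES_256_GCM_SHA384", 0x9d),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0xc028),
    ("TLS_RSA_WITH_AES_256_CBC_SHA256", 0x3d),
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xc02f),
    ("TLS_RSA_WITH_AES_128_GCM_SHA256", 0x9c),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 0xc027),
    ("TLS_RSA_WITH_AES_128_CBC_SHA256", 0x3c),
    ("TLS_ECDHE_RSA_WITH_RC4_128_SHA", 0xc011),
    ("TLS_RSA_WITH_RC4_128_SHA", 0x5),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 0xc014),
    ("TLS_RSA_WITH_AES_256_CBC_SHA", 0x35),
    ("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x84),
    ("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", 0xc012),
    ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0xa),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0xc013),
    ("TLS_RSA_WITH_AES_128_CBC_SHA", 0x2f),
    ("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x41),
]]
ALL_CODES = [s.code for s in SERVER_PREFERENCE]


def select_cipher(server_prefs, client_offered, version, client_supports_ecc=True):
    """Walk the server list in order; return the first suite the client offered
    that the negotiated version can carry and (for ECDHE) that the client can
    run.  None means the server would send handshake_failure."""
    offered = set(client_offered)
    for s in server_prefs:
        if s.code not in offered or version < s.min_version:
            continue
        if s.needs_ecdhe and not client_supports_ecc:
            continue
        return s
    return None


# Partial OpenSSL -> IANA name map (only the names needed for this check).
OPENSSL_TO_IANA = {
    "ECDHE-RSA-RC4-SHA": "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
_SESSION_RE = re.compile(r"^\s*(Protocol|Cipher)\s*:\s*(\S+)", re.M)


def parse_s_client_session(text):
    """Return (protocol, cipher) from the SSL-Session block s_client prints."""
    fields = dict(_SESSION_RE.findall(text))
    return fields.get("Protocol"), fields.get("Cipher")


def check_s_client_output(text, client_supports_ecc=True):
    """Compare the suite s_client reports with the model's prediction for a
    client offering the whole list.  Returns (observed, expected, match)."""
    proto, cipher = parse_s_client_session(text)
    expected = select_cipher(SERVER_PREFERENCE, ALL_CODES,
                             VERSION_NAMES[proto], client_supports_ecc)
    observed = OPENSSL_TO_IANA.get(cipher, cipher)
    return observed, expected.name, observed == expected.name


# Session block copied from the s_client run shown in the message above.
S_CLIENT_LOG = """SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-RC4-SHA
"""
# Constructed transcript reproducing the symptom reported by the scanner.
QUALYS_LIKE_LOG = S_CLIENT_LOG.replace("ECDHE-RSA-RC4-SHA", "AES256-SHA")

if __name__ == "__main__":
    for label, ver in (("TLS 1.0", TLS1_0), ("TLS 1.2", TLS1_2)):
        print(label, "->", select_cipher(SERVER_PREFERENCE, ALL_CODES, ver).name)
    print("no ECC ->", select_cipher(SERVER_PREFERENCE, ALL_CODES, TLS1_0, False).name)
    print(check_s_client_output(S_CLIENT_LOG))
    print(check_s_client_output(QUALYS_LIKE_LOG))
```

To get a transcript to feed into the check, the usual reproduction is `openssl s_server -serverpref -cipher '<list>'` on one side and `openssl s_client -connect host:port -tls1` on the other, so the Protocol line reads TLSv1; the model treats the result as consistent only when the reported suite equals the first entry the client could actually use, which is the same comparison a scanner would have to make before concluding that preference is being ignored.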