Well, it seems that I am not able to reproduce this behavior using s_client. Apparently, the server picks the correct cipher, RC4. Part of the connection log below:

---
No client certificate CA names sent
---
SSL handshake has read 4538 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-RC4-SHA
It could be a problem with the Qualys scanner, or something else.

Adrian

2012/3/2 Dr. Stephen Henson <st...@openssl.org>:
> On Fri, Mar 02, 2012, Adrian Kotelba wrote:
>
>> It seems that it misleads the Qualys scanner and may cause some problems
>> with the BEAST vulnerability. With the following ciphers enabled (in order
>> of preference)
>> TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
>> TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
>> TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
>> TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
>> TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)
>> TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011)
>> TLS_RSA_WITH_RC4_128_SHA (0x5)
>> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
>> TLS_RSA_WITH_AES_256_CBC_SHA (0x35)
>> TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84)
>> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)
>> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)
>> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
>> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)
>> TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41)
>> the server responds with TLS_RSA_WITH_AES_256_CBC_SHA when using TLS
>> 1.0. I think that the server should respond with
>> TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) when using TLS 1.0. I guess
>> the configuration of ciphers in s3_lib.c is the main reason for this
>> behavior. Check the full discussion on
>> https://community.qualys.com/thread/9340.
>>
>
> I can't see why the server responds with the AES cipher instead of the RC4 one
> with that configuration. Can you reproduce this behaviour using s_server and
> s_client?
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> Development Mailing List                       openssl-dev@openssl.org
> Automated List Manager                           majord...@openssl.org
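The exchange above turns on two things: which suite a server that honours its own preference order should pick at TLS 1.0, and whether the suite that s_client reports leaves the session open to BEAST. The following script is an added example, not code from the thread or from OpenSSL. It takes the preference list Adrian posted, applies the generic TLS rule that GCM suites and suites with SHA-256/SHA-384 MACs exist only in TLS 1.2 (RFC 5246, 5288, 5289), and models server-preference selection from that; it does not reproduce the actual s3_lib.c logic. It then parses the SSL-Session block of an s_client transcript (a constructed sample modelled on the one in the mail, not a real capture) and flags a CBC suite under SSLv3 or TLS 1.0 as BEAST-exposed. The OpenSSL-to-IANA name map is limited to the few suites used here and is an assumption of the example.

```python
import re

# Server preference order as posted in the thread: (IANA name, suite id).
SERVER_PREFERENCE = [
    ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xC030),
    ("TLS_RSA_WITH_AES_256_GCM_SHA384", 0x009D),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0xC028),
    ("TLS_RSA_WITH_AES_256_CBC_SHA256", 0x003D),
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC02F),
    ("TLS_RSA_WITH_AES_128_GCM_SHA256", 0x009C),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", 0xC027),
    ("TLS_RSA_WITH_AES_128_CBC_SHA256", 0x003C),
    ("TLS_ECDHE_RSA_WITH_RC4_128_SHA", 0xC011),
    ("TLS_RSA_WITH_RC4_128_SHA", 0x0005),
    ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", 0xC014),
    ("TLS_RSA_WITH_AES_256_CBC_SHA", 0x0035),
    ("TLS_RSA_WITH_CAMELLIA_256_CBC_SHA", 0x0084),
    ("TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", 0xC012),
    ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x000A),
    ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0xC013),
    ("TLS_RSA_WITH_AES_128_CBC_SHA", 0x002F),
    ("TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", 0x0041),
]

# AEAD (GCM) suites and SHA-256/SHA-384 HMAC suites are defined for TLS 1.2 only.
TLS12_ONLY = re.compile(r"_GCM_|_SHA256$|_SHA384$")


def usable_in(suite_name, protocol):
    """A suite is valid at the negotiated version unless it is TLS 1.2-only."""
    return protocol == "TLSv1.2" or not TLS12_ONLY.search(suite_name)


def select_suite(server_pref, client_offer, protocol):
    """Server-preference selection: the first suite in the server's order that the
    client also offered and that is valid at the negotiated version, or None."""
    offered = set(client_offer)
    for name, sid in server_pref:
        if sid in offered and usable_in(name, protocol):
            return name, sid
    return None


def beast_exposed(suite_name, protocol):
    """BEAST targets CBC suites under SSLv3/TLS 1.0 (chained IVs). TLS 1.1+ uses
    explicit per-record IVs, and RC4/GCM suites are not CBC at all."""
    return protocol in ("SSLv3", "TLSv1") and "_CBC_" in suite_name


# OpenSSL cipher names as printed by s_client, mapped to IANA names. Only the
# suites needed for this example are listed (assumed map, not a full table).
OPENSSL_TO_IANA = {
    "ECDHE-RSA-RC4-SHA": "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
    "AES256-SHA": "TLS_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-AES256-SHA": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}


def parse_s_client(output):
    """Read Protocol and Cipher from the SSL-Session block of s_client output."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if not (proto and cipher):
        raise ValueError("no SSL-Session block in s_client output")
    return proto.group(1), cipher.group(1)


def check_session(output):
    """Return protocol, IANA suite name and whether the session is BEAST-exposed."""
    protocol, short = parse_s_client(output)
    name = OPENSSL_TO_IANA.get(short, short)
    return {"protocol": protocol, "cipher": name, "beast": beast_exposed(name, protocol)}


# Constructed s_client transcript modelled on the one in the mail; the cipher
# is a placeholder so the same template serves the good and the bad case.
S_CLIENT_TEMPLATE = """\
---
SSL handshake has read 4538 bytes and written 363 bytes
---
New, TLSv1/SSLv3, Cipher is {cipher}
Server public key is 2048 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : {cipher}
"""
GOOD_SESSION = S_CLIENT_TEMPLATE.format(cipher="ECDHE-RSA-RC4-SHA")
BAD_SESSION = S_CLIENT_TEMPLATE.format(cipher="AES256-SHA")

if __name__ == "__main__":
    everything = [sid for _, sid in SERVER_PREFERENCE]
    print("TLSv1,   client offers all:", select_suite(SERVER_PREFERENCE, everything, "TLSv1"))
    print("TLSv1.2, client offers all:", select_suite(SERVER_PREFERENCE, everything, "TLSv1.2"))
    # Under server preference, 0x0035 is only chosen at TLS 1.0 when the client
    # offered none of 0xC011, 0x0005 or 0xC014.
    print("TLSv1,   CBC-only client  :", select_suite(SERVER_PREFERENCE, [0x0035, 0x002F, 0x000A], "TLSv1"))
    print(check_session(GOOD_SESSION))
    print(check_session(BAD_SESSION))
```

To run check_session against a live server instead of the constructed sample, capture a TLS 1.0 transcript with `openssl s_client -tls1 -connect host:443 </dev/null` and pass its output in; the Protocol/Cipher lines it parses are the ones shown in the log above.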