On Wed, Jun 19, 2013 at 01:30:51AM -0400, Dave Thompson wrote:
> >
> > With google I get:
> >     Protocol  : TLSv1.2
> >     Cipher    : DES-CBC3-SHA
> >
> > (Or by default)
> >     Protocol  : TLSv1.2
> >     Cipher    : ECDHE-RSA-AES128-GCM-SHA256
> >
> > Both of course work as expected.
> >
> And is able to send and receive data? I forgot to ask that.
> For an https server send "GET / HTTP/1.0\r\n\r\n" (I feed
> from a file or echo| since it's hard to type that in) and
> look for HTTP headers (followed by something HTMLish).
> If so, your openssl is doing DES-CBC3 right; see below.

Yes, that works as expected.

> I didn't mean engines, I meant build from source, to be sure
> you're running as-distributed code for the affected cipher.
> But if you can communicate with e.g. google that's enough.

So I tried with:
gnutls-cli --priority 'NORMAL:%COMPAT:-ARCFOUR-128' --crlf -s smtp.live.com -p 25

And end up with:
- Version: TLS1.0
- Key Exchange: RSA
- Cipher: 3DES-CBC
- MAC: SHA1
[...]
214-This server supports the following commands:
214 HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY
*** Fatal error: A record packet with illegal version was received.
*** Server has terminated the connection abnormally.

So I'm going to say that Microsoft's implementation of
DES-CBC(3) is broken.


Kurt
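
The gnutls-cli failure quoted in the message above is a record-layer error: the receiver rejected a 5-byte TLS record header whose version field it did not accept. As an added illustration (not part of the original message and not GnuTLS's code), here is a simplified header check of that kind run over constructed bytes; `check_records`, the sample data and the verdict strings are hypothetical names chosen for this example.

```python
import struct

# TLS record content types (RFC 5246, section 6.2.1)
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Record-layer versions from SSL 3.0 through TLS 1.2
VERSIONS = {(3, 0): "SSL3.0", (3, 1): "TLS1.0", (3, 2): "TLS1.1", (3, 3): "TLS1.2"}
MAX_CIPHERTEXT = 2**14 + 2048  # upper bound on TLSCiphertext.length


def check_records(stream, negotiated=None):
    """Walk a byte stream record by record and return (offset, verdict) pairs.

    negotiated is the (major, minor) version fixed by the handshake, if known.
    Stops at the first record that fails a check, as a receiver would.
    """
    results, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            results.append((offset, "truncated header"))
            break
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        version = (major, minor)
        if ctype not in CONTENT_TYPES:
            results.append((offset, "unknown content type %d" % ctype))
            break
        if version not in VERSIONS or (negotiated and version != negotiated):
            results.append((offset, "illegal version %d.%d" % version))
            break
        if length > MAX_CIPHERTEXT:
            results.append((offset, "record too long (%d)" % length))
            break
        if offset + 5 + length > len(stream):
            results.append((offset, "truncated record"))
            break
        results.append((offset, "ok %s %s len=%d"
                        % (CONTENT_TYPES[ctype], VERSIONS[version], length)))
        offset += 5 + length
    return results


# Constructed sample (not captured traffic): one well-formed TLS 1.0
# application_data record with an 8-byte dummy body, followed by a record
# whose version bytes do not correspond to any SSL/TLS version.
GOOD = bytes([23, 3, 1, 0, 8]) + b"\x00" * 8
BAD = bytes([23, 0x48, 0x54, 0, 4]) + b"\x00" * 4
SAMPLE = GOOD + BAD

if __name__ == "__main__":
    for off, verdict in check_records(SAMPLE, negotiated=(3, 1)):
        print(off, verdict)
```
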
