>       From: owner-openssl-us...@openssl.org On Behalf Of Rajib Karmakar
>       Sent: Friday, 23 September, 2011 09:22

>       Thanks for spending some time on my issue. But it seems that you 
> have followed the same steps that I had used earlier, and I have still not 
> been able to enable the ciphers. I may be missing something. So can you 
> please send me the detailed steps of how you got those ciphers enabled.

>       I downloaded the 1.0.0e version and tried again, but ended up 
> with the same result. This is what I have done:
>
>       1.       Downloaded the 1.0.0e version from OpenSSL website.
>
>       2.       Untar the source.
>
>       3.       Modified the ssl/tls.h file to #define
> TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 1.
>
>       4.       ./config
>
>       5.       make; make install

That's the same as I did except in ./config I select locations 
(different for each version) with --prefix= and --openssldir= .
I expect it to work the same with the default locations, assuming 
you can write to them; on my development systems I cannot.

>       When I run "openssl cipher -v", I get the output below. 
> You can see that I have the export ciphers enabled, but they are 
> only the 512 versions, not the 1024 ones. Also when I use s_client as 

The export 512 versions are already standard (some since v2),
and aren't affected by the ENABLE_EXPERIMENTAL macro. But:
your list includes v2 entries which aren't in default in 1.0.0*,
but includes Camellia which is built by default ONLY in 1.0.0* 
and excludes ECDH (and -E and A-) which ARE in default for 1.0.0*.
And excludes IDEA which is in default for both 0.9.8* and 1.0.0*, 
although it has been a popular one to disable because of patent.
I don't think you should get that list from ANY vanilla build.

I repeat my suggestion to check you are running what you built:
- check the version in the install location is the one you built;
- check you are running the version in the install location.
On Unix 'which openssl' or for bash 'type openssl' tells you where 
it's finding it; or use the absolute pathname to run it. If you have 
a shared-lib build, also check you are getting the correct libraries;
I *believe* shared-lib is never the default now, but the configure 
process is complicated enough I'm not certain. And/or do
'openssl version -b' (or -a) and check the build timestamp.

> "openssl s_client -cipher EXP-RC4-MD5", I only get the 
> RSA_EXPORT_WITH_RC4_40_MD5 cipher in my Client Hello. 
> But I require ciphers like RSA_EXPORT1024_WITH_RC4_56_MD5. 
> I believe these are similar ciphers, just a 1024 variation. 

As I noted, the two *MD5* suites are still #if 0'd (in s3_lib.c) 
even if you enable ALLOW_EXPERIMENTAL. This is probably related 
to the comments in tls1.h which say those two are not in the ID.
I don't know and didn't look for the actual RFC status. Of course 
you can do anything both/all endpoints agree to even if nonstandard.
But if you want those two you need to patch s3_lib.c also.

<snip list>

>       From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson
>       Sent: Friday, September 23, 2011 8:17 AM
<snip>
>       Okay, I had time to do a build of 1.0.0e with ssl/tls1.h 
>       patched to #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 1 .
>       It works as I expected: the 4 EXP1024 ciphers excluding the 
                                                    ^^^^^^^^^^^^^^
>       #if 0'ed MD5 ones plus DHE-DSS-RC4-SHA appear in ciphers -v, 
      ^^^^^^^^^^^^^^^^^
>       and can be selected (and used!) by s_server and s_client.

>       Make sure you are building the version you patched 
>       and using (running,linking) the version you built.
      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
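The three checks recommended in the reply above (is the openssl on PATH the one under your install prefix, does `openssl version -b` report the build you just made, and does `openssl ciphers -v` actually list the EXP1024 suites) as a shell script. This is an added example, not code from this thread or from OpenSSL. It assumes the patched build was installed with `--prefix=PREFIX` so the binary is `PREFIX/bin/openssl`, and that the suites enabled by the tls1.h patch appear under names beginning `EXP1024-`. It runs without a real OpenSSL build: the two `openssl` binaries it inspects are constructed stand-in scripts written into a temp directory, and the cipher listings are constructed sample lines in the shape of `ciphers -v` output.

```shell
#!/bin/sh
# Added example; not code from this thread or from OpenSSL. It turns the
# "are you running what you built?" checks from the reply into shell
# functions and exercises them against two constructed stand-in `openssl`
# scripts in a temp directory (no real OpenSSL build is needed to run it).
# Assumptions: the patched build was installed with --prefix=PREFIX, so its
# binary is PREFIX/bin/openssl, and the suites the tls1.h patch enables
# appear in `openssl ciphers -v` under names starting with EXP1024-.

# 1. Does a bare "openssl" resolve to PREFIX/bin/openssl, or to something
#    earlier on PATH?  Prints "ok <path>" or "mismatch <path>".
check_openssl_path() {
    prefix=$1
    found=$(command -v openssl) || { echo "missing"; return 1; }
    case "$found" in
        "$prefix/bin/openssl") echo "ok $found" ;;
        *)                     echo "mismatch $found" ;;
    esac
}

# 2. Does `PREFIX/bin/openssl version -b` report the build timestamp you
#    noted when `make install` finished?  Succeeds on a match.
build_matches() {
    reported=$("$1/bin/openssl" version -b | sed 's/^built on: *//')
    [ "$reported" = "$2" ]
}

# 3. How many EXP1024-* suites does a `ciphers -v` listing contain?
#    0 means the binary was not built with the experimental suites.
count_exp1024() {
    printf '%s\n' "$1" | grep -c '^EXP1024-' || true
}

# Constructed stand-ins: a "stock" openssl that shadows the new one on PATH,
# and the freshly built one under its own prefix. Each only answers
# `version -b`, with a hard-coded "built on:" line.
STOCK_BUILT_ON="Mon Jan  5 10:00:00 UTC 2009"
NEW_BUILT_ON="Fri Sep 23 11:30:00 UTC 2011"
FAKE_ROOT=$(mktemp -d)
trap 'rm -rf "$FAKE_ROOT"' EXIT
make_fake_openssl() {   # make_fake_openssl PREFIX BUILT_ON
    mkdir -p "$1/bin"
    printf '#!/bin/sh\n[ "$1 $2" = "version -b" ] && echo "built on: %s"\n' "$2" >"$1/bin/openssl"
    chmod +x "$1/bin/openssl"
}
make_fake_openssl "$FAKE_ROOT/stock" "$STOCK_BUILT_ON"
make_fake_openssl "$FAKE_ROOT/new"   "$NEW_BUILT_ON"

# Constructed listings in the shape of `openssl ciphers -v` output: a vanilla
# build shows only 512-bit export suites; the patched build adds the four
# EXP1024 suites and DHE-DSS-RC4-SHA that the reply says appear.
SAMPLE_VANILLA='EXP-RC4-MD5             SSLv3 Kx=RSA(512)  Au=RSA Enc=RC4(40)  Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512)  Au=RSA Enc=DES(40)  Mac=SHA1 export'
SAMPLE_PATCHED="$SAMPLE_VANILLA
EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024)  Au=DSS Enc=RC4(56)  Mac=SHA1 export
EXP1024-RC4-SHA         SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56)  Mac=SHA1 export
EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 export
EXP1024-DES-CBC-SHA     SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56)  Mac=SHA1 export
DHE-DSS-RC4-SHA         SSLv3 Kx=DH        Au=DSS Enc=RC4(128) Mac=SHA1"

# Run check 1 with a given PATH in a subshell so the caller's PATH is untouched.
path_check_with() {   # path_check_with PATH_VALUE PREFIX
    ( PATH=$1; check_openssl_path "$2" )
}

# Demonstration: stock binary first on PATH (the situation the reply warns
# about), then the new prefix first.
path_check_with "$FAKE_ROOT/stock/bin:$FAKE_ROOT/new/bin" "$FAKE_ROOT/new"
path_check_with "$FAKE_ROOT/new/bin:$FAKE_ROOT/stock/bin" "$FAKE_ROOT/new"
build_matches "$FAKE_ROOT/new" "$NEW_BUILT_ON" && echo "new prefix: build timestamp matches"
echo "EXP1024 suites in vanilla listing: $(count_exp1024 "$SAMPLE_VANILLA")"
echo "EXP1024 suites in patched listing: $(count_exp1024 "$SAMPLE_PATCHED")"
```

On a real system, replace the stand-ins with the actual prefix (`check_openssl_path /usr/local/ssl`, or whatever `--prefix` was), feed `build_matches` the timestamp recorded at install time, and pipe the real `openssl ciphers -v` into `count_exp1024`. For a shared-library build, `ldd "$PREFIX/bin/openssl"` is the additional check for which libssl/libcrypto are being picked up; the script does not cover that.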
