> From: owner-openssl-us...@openssl.org On Behalf Of Rajib Karmakar
> Sent: Friday, 23 September, 2011 09:22

> Thanks for spending some time for my issue. But, it seems that you
> have followed the same steps that I had used earlier; but I have still not
> been able to enable the ciphers. I may be missing something. So can you
> please send me detailed steps on how you got those ciphers enabled.
> I downloaded the 1.0.0e version and tried again; but ended up
> with the same result. This is what I have done,
>
> 1. Downloaded the 1.0.0e version from OpenSSL website.
>
> 2. Untar the source.
>
> 3. Modified the ssl/tls.h file to #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 1.
>
> 4. ./config
>
> 5. make; make install

That's the same as I did except in ./config I select locations (different
for each version) with --prefix= and --openssldir= . I expect it to work
the same with the default locations, assuming you can write to them; on my
development systems I cannot.

> When I run "openssl cipher -v", I got the below output.
> You can see that I got the export ciphers enabled but they are
> only the 512 versions not 1024 ones. Also when I use s_client as

The export 512 versions are already standard (some since v2), and aren't
affected by the ENABLE_EXPERIMENTAL macro.

But: your list includes v2 entries which aren't in default in 1.0.0*, but
includes Camellia which is built by default ONLY in 1.0.0* and excludes ECDH
(and -E and A-) which ARE in default for 1.0.0*. And excludes IDEA which is
in default for both 0.9.8* and 1.0.0*, although it has been a popular one
to disable because of patent. I don't think you should get that list from
ANY vanilla build.

I repeat my suggestion to check you are running what you built:
- check the version in the install location is the one you built;
- check you are running the version in the install location.
On Unix 'which openssl' or for bash 'type openssl' tells you where it's
finding it; or use the absolute pathname to run it.
If you have a shared-lib build, also check you are getting the correct
libraries; I *believe* shared-lib is never the default now, but the
configure process is complicated enough I'm not certain.
And/or do 'openssl version -b' (or -a) and check the build timestamp.

> "openssl s_client -cipher EXP-RC4-MD5", I only get the
> RSA_EXPORT_WITH_RC4_40_MD5 cipher in my Client Hello.
> But I require ciphers like the RSA_EXPORT1024_WITH_RC4_56_MD5.
> I believe these are similar ciphers, just a 1024 variation.

As I noted, the two *MD5* suites are still #if 0'd (in s3_lib.c) even if
you enable ALLOW_EXPERIMENTAL. This is probably related to the comments in
tls1.h which say those two are not in the ID. I don't know and didn't look
for the actual RFC status. Of course you can do anything both/all endpoints
agree to even if nonstandard. But if you want those two you need to patch
s3_lib.c also.

<snip list>

> From: owner-openssl-us...@openssl.org On Behalf Of Dave Thompson
> Sent: Friday, September 23, 2011 8:17 AM
<snip>
> Okay, I had time to do a build of 1.0.0e with ssl/tls1.h
> patched to #define TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES 1 .
> It works as I expected: the 4 EXP1024 ciphers excluding the
                                                  ^^^^^^^^^^^^^^
> #if 0'ed MD5 ones plus DHE-DSS-RC4-SHA appear in ciphers -v,
  ^^^^^^^^^^^^^^^^^
> and can be selected (and used!) by s_server and s_client.
> Make sure you are building the version you patched
> and using (running,linking) the version you built.
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
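Added example (not part of the thread, and not OpenSSL project code): a POSIX shell helper that scripts the check recommended in the reply above, namely confirming that the openssl found on PATH is the one installed under the prefix you passed to ./config, printing 'openssl version -b' for the build timestamp, and filtering 'openssl ciphers -v' for the suites you expect to see. The prefix /opt/openssl-1.0.0e is an assumed value; the sample 'ciphers -v' output embedded in the script is constructed for illustration (modelled on the real output format, with the four EXP1024 SHA suites and DHE-DSS-RC4-SHA present and the two #if 0'd MD5 suites absent) and is not what either poster saw. Bear in mind that the EXP1024 suites are export-grade (56-bit RC4 or DES with 1024-bit key exchange), so a build with them enabled belongs in an interoperability test rig, not on a production host.

```shell
#!/bin/sh
# Added example, not from the thread or the OpenSSL project.
# "Are you running what you built?" checks plus a filter for `openssl ciphers -v`.

# Assumed install prefix (the value you passed to ./config --prefix=).
PREFIX="${PREFIX:-/opt/openssl-1.0.0e}"

# Where does the shell find openssl?  (the `which openssl` / `type openssl` check)
openssl_on_path() {
    command -v openssl
}

# Succeeds only if the openssl on PATH is the one under the configured prefix.
running_installed_build() {
    prefix="$1"
    bin=$(command -v openssl 2>/dev/null) || return 1
    case "$bin" in
        "$prefix"/bin/openssl) return 0 ;;
        *) return 1 ;;
    esac
}

# Read `openssl ciphers -v` output on stdin; print suite names matching an awk regex.
suites_matching() {
    awk -v pat="$1" '$1 ~ pat { print $1 }'
}

# Read `openssl ciphers -v` output on stdin; succeed if the named suite is listed.
has_suite() {
    awk -v name="$1" '$1 == name { found = 1 } END { exit !found }'
}

# Count EXP1024 suites in `openssl ciphers -v` output on stdin.
count_exp1024() {
    suites_matching '^EXP1024-' | wc -l | tr -d ' '
}

# Constructed sample in the `ciphers -v` format (name protocol Kx Au Enc Mac [export]).
# It models what a patched 1.0.0e build is expected to list: the four EXP1024 SHA
# suites and DHE-DSS-RC4-SHA, with the two #if 0'd EXP1024 MD5 suites absent.
SAMPLE_CIPHERS_V='EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 export
EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=RC4(56) Mac=SHA1 export
EXP1024-DES-CBC-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
EXP1024-RC4-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export'

# Run the checks against the live binary when one is available.
if command -v openssl >/dev/null 2>&1; then
    echo "openssl on PATH: $(openssl_on_path)"
    # Build timestamp: compare it with when you ran make.
    openssl version -b 2>/dev/null || echo "(could not query build date)"
    if running_installed_build "$PREFIX"; then
        echo "OK: running the build installed under $PREFIX"
    else
        echo "WARNING: PATH resolves to a different openssl than $PREFIX/bin/openssl"
    fi
    echo "EXP1024 suites in this build: $(openssl ciphers -v 'ALL:COMPLEMENTOFALL' | count_exp1024)"
fi
```

Run it as `PREFIX=/your/prefix sh check_openssl_build.sh`; a zero count of EXP1024 suites together with a WARNING line is the symptom described in the thread, a stale or differently-located openssl being run instead of the patched one.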