RE: openssl 1.0.1i ignores ciphers in cipherlist
If Frank doesn't want SSLv2 then he needs to disable it in the SSL_CTX first, no? The mechanism to say what ciphers you want is orthogonal to the mechanism to say what protcols you want. That's unfortunate and a source of confusion, but is unlikely to change any time soon. -- Principal Security Engineer Akamai Technologies, Cambridge MA IM: rs...@jabber.me Twitter: RichSalz :��I"Ϯ��r�m (Z+�7�zZ)���1���x ��hW^��^��%�����&jם.+-1�ځ��j:+v���h�
Re: openssl 1.0.1i ignores ciphers in cipherlist
On 08/29/2014 08:16 AM, Tomas Mraz wrote: > On Pá, 2014-08-29 at 16:19 +0200, Frank Meier wrote: >> While testing different ciphersuites I found a quite drastic change in >> the behavior between openssl version 1.0.1h to 1.0.1i. While using a >> cipherlist like "ECDHE-RSA-AES128-SHA256:RC4" with 1.0.1h the >> "ECDHE-RSA-AES128-SHA256" cipher is used. With 1.0.1i uses "RC4-SHA". > This happens because you use specification of cipherlist that does not > make sense - that is with the RC4 you add also SSLv2 ciphers to the > cipher list and simultaneously you add only EC based cipher in addition. > With SSLv2 client hello the supported curves extension cannot be sent > and thus the EC based ciphers must not be sent as well. If there was for > example DHE-RSA-AES128-GCM-SHA256 in the cipher list, it would be > correctly sent in the hello and chosen for the connection. I can't see > anyone using such specification in real world. > > Basically what you specify is what you get. the CipherSuite list that Frank posted clearly indicated his preference for ECDHE-RSA-AES128-SHA256 ahead of RC4. By "respecting" the inclusion of RC4's SSLv2 ciphersuites and sending a v2 handshake, OpenSSL is effectively disabling a higher-priority selection. I acknowledge that the tradeoff is a tricky one -- if OpenSSL makes the opposite choice, it will break interop with SSLv2 servers that choke on the handshake. But SSLv2 is known-broken, arguably even worse than RC4. At any rate, I'm not sure this scenario counts as "what you specify is what you get", since the OP specified that they preferred ECDHE-RSA-AES128-SHA256 to RC4 and they didn't get it. I'd rather that OpenSSL respected the user's stated preference here than enable interop with SSLv2 servers. --dkg signature.asc Description: OpenPGP digital signature
Re: openssl 1.0.1i ignores ciphers in cipherlist
On 29/08/14 17:12, Viktor Dukhovni wrote: I retestet with "-no_ssl2" option and then the ECDHE ciphers are used again. Applications should these days employ "SSL_OP_NO_SSLv2", I agree, but then openssl should set this option by default also. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: openssl 1.0.1i ignores ciphers in cipherlist
On Pá, 2014-08-29 at 16:19 +0200, Frank Meier wrote: > While testing different ciphersuites I found a quite drastic change in > the behavior between openssl version 1.0.1h to 1.0.1i. While using a > cipherlist like "ECDHE-RSA-AES128-SHA256:RC4" with 1.0.1h the > "ECDHE-RSA-AES128-SHA256" cipher is used. With 1.0.1i uses "RC4-SHA". > > example: > $ openssl s_server -cert server.pem > > $ openssl s_client -cipher "ECDHE-RSA-AES128-SHA256:RC4" -connect > localhost:4443 > > New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA256 > Server public key is 1024 bit > Secure Renegotiation IS supported > Compression: NONE > Expansion: NONE > SSL-Session: > Protocol : TLSv1.2 > Cipher: ECDHE-RSA-AES128-SHA256 > > I guess following patch is responsible for the change in behavior: > http://rt.openssl.org/Ticket/Display.html?id=3374. There it says the > SSLv2 client-hello does not include enough information to establish a > connection with ECDHE, so this ciphers are not included in the > cipherlist. But the test with 1.0.1i shows that it works at least > against my openssl s_server. > > I think this behavior could force established applications to use > "lower-strength" ciphers with openssl 1.0.1i than before with 1.0.1h. > Without anyone noticing. This happens because you use specification of cipherlist that does not make sense - that is with the RC4 you add also SSLv2 ciphers to the cipher list and simultaneously you add only EC based cipher in addition. With SSLv2 client hello the supported curves extension cannot be sent and thus the EC based ciphers must not be sent as well. If there was for example DHE-RSA-AES128-GCM-SHA256 in the cipher list, it would be correctly sent in the hello and chosen for the connection. I can't see anyone using such specification in real world. Basically what you specify is what you get. -- Tomas Mraz No matter how far down the wrong road you've gone, turn back. Turkish proverb (You'll never know whether the road is wrong though.) __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
Re: openssl 1.0.1i ignores ciphers in cipherlist
On Fri, Aug 29, 2014 at 04:19:43PM +0200, Frank Meier wrote: > While testing different ciphersuites I found a quite drastic change in the > behavior between openssl version 1.0.1h to 1.0.1i. While using a cipherlist > like "ECDHE-RSA-AES128-SHA256:RC4" with 1.0.1h the "ECDHE-RSA-AES128-SHA256" > cipher is used. With 1.0.1i uses "RC4-SHA". > > example: > $ openssl s_server -cert server.pem > > $ openssl s_client -cipher "ECDHE-RSA-AES128-SHA256:RC4" -connect Run the 1.0.1i client with "-msg" and report the version of the client Hello and resulting cipher. Then add "-no_ssl2" and report again. Applications should these days employ "SSL_OP_NO_SSLv2", rather than rely on "!SSLv2" in the DEFAULT cipherlist. Not employing EC ciphersuites with SSLv2 HELLO is correct, since the client's list of supported curves is unknown. -- Viktor. __ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
